A New Malware Has Been Detected, Distributed via Fake Antivirus Applications: “SharkBot.”
A new Android banking Trojan has been detected being distributed through a fake antivirus application on the Google Play Store. The malware, called SharkBot, was developed to perform money transfers from infected devices by bypassing multi-factor authentication (MFA) mechanisms, in the same way as the TeaBot, Flubot, and Oscorp malware families.
In the analyses carried out by security researchers, it has been observed that SharkBot uses ATS (Automation Transfer Switches) features to perform money transfers from compromised devices. ATS features are used to evade the targeted bank’s fraud detection systems by simulating a user’s sequence of actions, such as keystrokes and clicks, so that threat actors can perform fraudulent money transfers. The malware spreads by abusing Android’s “Direct Reply” feature. If users grant Accessibility permissions, SharkBot performs malicious activities such as carrying out phishing attacks to obtain credentials, recording keystrokes, and sending the collected user data to C&C servers. The applications available in the Google Play Store that are responsible for distributing the malware are as follows:
• Antivirus, Super Cleaner
• Atom Clean-Booster, Antivirus
• Alpha Antivirus, Cleaner
• Powerful Cleaner, Antivirus
Finally, to minimize the possibility of infecting user devices with similar malicious software, it is recommended to keep the number of applications installed on devices to a minimum and to pay attention to the permissions requested by downloaded applications. In addition, it is crucial to block the IoCs associated with the malware on the security solutions in use.
A Security Vulnerability Has Been Detected in GitLab That Could Lead to User Data Disclosure
A security vulnerability has been detected in GitLab, an open-source software development platform, that allows a remote threat actor to obtain sensitive information about users such as first name, last name, email, and password. Data breaches using this vulnerability enable threat actors to build a new username list (Combolist) from GitLab installations and perform brute-force attacks using that list.
The vulnerability, tracked as CVE-2021-4191, exists due to insufficient authentication checks when processing specific GitLab GraphQL API queries. As a result, a remote threat actor can exploit the vulnerability to gain unauthorized access to sensitive information in the system.
The vulnerability affects all GitLab Community Edition and Enterprise Edition versions from 13.0.0 through 14.8.1 and has been fixed in the latest release. In addition, another critical vulnerability, tracked as CVE-2022-0735, is fixed by the released updates. Users running vulnerable GitLab versions are advised to apply the released updates immediately.
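As an added example (not from the advisory and not GitLab’s own code), a small Python triage script that checks an inventory of GitLab version strings against the affected range stated above. The hostnames and versions in the sample inventory are constructed; the only fact the script encodes is the 13.0.0 – 14.8.1 range, and it does not know the fixed version, so anything above 14.8.1 is simply reported as outside that range.

```python
import re

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (14, 8, 1)

# Accepts "14.8.1", "v14.8.1", "14.8.1-ee", "14.8.1+build" and similar.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?\s*$")


def parse_version(text):
    """Turn a GitLab version string such as '14.8.1-ee' into (major, minor, patch).

    Edition suffixes ('-ee', '-ce') and build metadata are ignored for the
    range check; anything that is not three dotted integers raises ValueError
    rather than being silently classified as safe.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected_by_cve_2021_4191(version):
    """Return True when the version lies inside 13.0.0 - 14.8.1 (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory):
    """Split (hostname, version) pairs into (affected, not_in_range) lists."""
    affected, clear = [], []
    for host, version in inventory:
        target = affected if is_affected_by_cve_2021_4191(version) else clear
        target.append((host, version))
    return affected, clear


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    inventory = [
        ("gitlab-prod.example.test", "14.8.1-ee"),
        ("gitlab-dev.example.test", "14.9.0-ce"),
        ("gitlab-legacy.example.test", "12.10.14"),
        ("gitlab-staging.example.test", "13.0.0"),
    ]
    hit, ok = triage(inventory)
    for host, version in hit:
        print(f"PATCH NOW     {host:28} {version}")
    for host, version in ok:
        print(f"not in range  {host:28} {version}")
```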
Avast Releases A Free Decryption Tool For HermeticRansom Ransomware Targeting Ukraine
Avast has released a decryption tool for the HermeticRansom ransomware used in attacks against Ukraine. The security firm aims to help victims targeted by this malware recover their files for free.
HermeticRansom is one of three components included in the devastating attacks detailed by security researchers. These components are:
- HermeticWiper: destroys system data, rendering the system inoperable.
- HermeticWizard: allows the HermeticWiper malware to spread across a local network via WMI and SMB.
- HermeticRansom: ransomware written in Go.
Security researchers have discovered a weakness in HermeticRansom’s encryption scheme that allows the password to be recovered. It is believed that the malware developers put limited effort into testing the ransomware, because the threat actors’ ultimate goal was not limited to encrypting files. Accordingly, HermeticRansom victims can recover their encrypted data with the decryption tool released by Avast. Avast has also published a guide with operating instructions for the tool.
Path Traversal Security Vulnerability Detected in SolarWinds Serv-U FTP Server
A security vulnerability has been detected in the Serv-U FTP Server file sharing solution developed by SolarWinds, allowing remote threat actors to perform Path Traversal attacks on the vulnerable system.
The vulnerability, tracked as CVE-2021-35250, exists due to an input validation error when processing path traversal sequences. Successful exploitation could allow access to files on the system.
The high-severity vulnerability only affects Serv-U FTP Server version 15.3. SolarWinds has released updates that fix this vulnerability along with other issues. Users running the vulnerable version are advised to apply the updates immediately.