Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Active C2 Detected Hosting Ransomware, POS Malware and Others
November 5, 2019Rewterz Threat Advisory – Omron CX-Supervisor Multiple Vulnerabilities
November 6, 2019
Severity
High
Analysis Summary
Another malware campaign is found targeting Android mobile device users. The malicious application, impersonating the InPost brand, turned out to be a banking Trojan recognized as Cerberus.
The distribution of malicious code was based on the sending of SMS messages with information about tracking the shipment via a mobile application, along with a link to download it. One of the basic functions of the bot was stealing login data for selected applications. Malicious software after granting permission to use accessibility services carried out self-improvement of its own rights. The Trojan claimed to include the ability to read the contact list, initiate USSD calls, became the administrator of the device and the default application for handling SMS. The authors intended the Trojan to allow e.g. disabling Google Play Protect, intercepting SMS communication, launching and removing installed applications, opening URLs, displaying fake notifications from banking applications, avoiding analysis through the use of anti-emulation techniques, and in some cases also stealing data using a keylogger.
User must download a file from the link in an SMS and disable the block installation of applications outside the official Google Play store. By using the screen overlay technique (overlay), the malicious tool steals login information for popular applications. Overlays are downloaded from an external server while the Trojan is running – the condition is an application installed on the device, on which criminals have an overlay prepared.
Impact
- Credential Theft
- Privilege Escalation
- Device Takeover
- Keylogging
Indicators of Compromise
Domain Name
badabinglalaland[.]com inpost24[.]tk m[.]in
MD5
a23af10405f5f87532653f79ccad45b9
SH256
8332b45100044db8c4d94b8414b4aa8e9b3c204b5e05c2230a480b41fd6c6a57
SHA1
40e5f130fab9732b3b834f52aac2ae620332aedb
URL
hxxp://inpost24[.]tk/inpost
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to text messages with shipment information containing URLs.
- Make sure that ‘block installation of applications outside the official Google Play store’ option is enabled.