May 10, 2024
Severity
High
Analysis Summary
Malicious Android apps posing as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed stealing credentials from infected devices.
Cybersecurity experts said, “This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices.”
The campaign's distribution vector is not yet known. Once installed, the app asks the user to grant it access to Android's accessibility services and to the device administrator API, a deprecated feature that provides system-level device administration capabilities. With these rights the rogue app can take control of the device and carry out arbitrary tasks, such as deploying additional malware and stealing data, without the victim's awareness.
The malware connects to a command-and-control (C2) server and executes the commands it receives. Supported commands include sending SMS messages, opening phishing pages in the web browser, exfiltrating the contact list, SMS messages, call logs, and the list of installed apps, and toggling the camera flashlight. The phishing URLs imitate the login pages of popular services including Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo.
The news coincides with a researcher warning about a social engineering campaign that uses WhatsApp as the delivery channel for a new piece of Android malware posing as a defense-related app. Once delivered, the software installs itself disguised as a Contacts application; on launch it asks for access to SMS, Contacts, Storage, and Phone, then closes and disappears.
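The two permissions described above (an enabled accessibility service and an enabled device administrator) are exactly what a triage script can look for on a suspect handset. The following is an added example, not code from the advisory or from the researchers it cites. It parses the output of three `adb shell` commands: `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` components), `pm list packages -3 -i` (third-party packages with their installer), and `dumpsys device_policy`. The sample outputs, the `com.example.fakegram` package and the allowlist are constructed, and the `ComponentInfo{pkg/cls}` layout assumed for the device-policy dump should be checked against the Android build you are examining.

```python
from __future__ import annotations

import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Real format: colon-separated "package/ServiceClass" components.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakegram/com.example.fakegram.AccService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps + installer).
PM_LIST = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakegram  installer=null
package:com.whatsapp  installer=com.android.vending
"""

# Constructed sample of the "Enabled Device Admins" section of `adb shell dumpsys device_policy`.
# The ComponentInfo{pkg/cls} line layout is an assumption about the dump format.
DUMPSYS_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakegram/com.example.fakegram.AdminReceiver}
      uid=10231
"""

# Hypothetical allowlist of packages expected to hold accessibility access on this fleet.
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> set[str]:
    """Packages that currently have an enabled accessibility service."""
    pkgs: set[str] = set()
    for component in raw.strip().split(":"):
        if "/" in component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package name -> installer package; None means sideloaded."""
    result: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_device_admins(raw: str) -> set[str]:
    """Packages registered as enabled device administrators."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/[^}]*\}", raw))


def find_suspicious(a11y_raw: str, pm_raw: str, dumpsys_raw: str) -> dict[str, list[str]]:
    """Flag third-party packages holding accessibility or device-admin rights.

    Sideloading alone is not flagged; it is recorded as context when another
    finding is present, which mirrors the combination seen in this campaign.
    """
    a11y = parse_accessibility_services(a11y_raw)
    admins = parse_device_admins(dumpsys_raw)
    findings: dict[str, list[str]] = {}
    for pkg, installer in parse_installers(pm_raw).items():
        reasons: list[str] = []
        if pkg in a11y and pkg not in A11Y_ALLOWLIST:
            reasons.append("accessibility service enabled outside allowlist")
        if pkg in admins:
            reasons.append("device administrator enabled")
        if reasons:
            if installer is None:
                reasons.append("sideloaded (no installer package recorded)")
            elif installer not in TRUSTED_INSTALLERS:
                reasons.append(f"installed by untrusted source {installer}")
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in find_suspicious(ENABLED_A11Y, PM_LIST, DUMPSYS_DEVICE_POLICY).items():
        print(f"{pkg}: {'; '.join(reasons)}")
```

On a live device, feed the script the real command output (for example via `subprocess.run(["adb", "shell", ...])`) instead of the constructed strings; the parsing and scoring logic is unchanged.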
Impact
- Unauthorized Access
- Sensitive Data Theft
Indicators of Compromise
MD5
- b61fdfee6d39a99ed10c8ee0a5222075
- f73d8931883b59deba35be301d4abafd
- 4b8562141c9dfb544b456d9bc4d9f9b5
- 35bc6ba24d91c46b78ddd70fc175fd4c
- db9efbaeed892b82f46666b669f27c90
- b7f5bb46867f6cff8af129d3aa868597
- 52be96c08e19eec22bf030e887b4565e
- ebe4f3e85486bc383b35357f1014fca9
- ce76654ce43cd1f246cd418b72516931
- cb44ee4cbdbbefcad5c20324af7dfd72
SHA-256
- 0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d
- 37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509
- 3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173
- 6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564
- 9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162
- a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3
- d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987
- d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1
- ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb
- f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41
SHA1
- 31ebb158da8778ac15fa31d5b9ebde614b516536
- 5a310f7d1fe53ad36aa38876006ec768c0050e3a
- 2e41a0204f0224d9ff42a9712e3117262192d691
- 83d921143f51c0d62c4e3b05d616be39e8a7d315
- 5bd3a0dda234501a4efeb8ad25686bb5b771ab23
- 5d6fb12100db4c79e3152642017728bdeed85058
- 1acfd0e715584003b78f66d57c89e054fb3f70c0
- 1e9c5e8e94c4f3a3b95dafb50afa905f92f8759f
- c530bd93a015ca2fa19554c55566f48efe145cbc
- b3dfe780e9f6256d59c750725705cebf1aa90401
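To act on the hashes above, a practitioner typically pulls the APKs off a device (`adb pull`) or collects them from an MDM export and checks each file against all three digest types. The script below is an added example, not tooling from the advisory; the only data it carries is the IOC list printed above, which it classifies by hex length so the three lists can be pasted as-is. The `hash_bytes` helper exists so the matching logic can be exercised on constructed input without touching the filesystem.

```python
import hashlib
import sys
from pathlib import Path

# Hashes copied verbatim from the advisory's IOC list (MD5, SHA-256, SHA1).
ADVISORY_IOCS = """
b61fdfee6d39a99ed10c8ee0a5222075
f73d8931883b59deba35be301d4abafd
4b8562141c9dfb544b456d9bc4d9f9b5
35bc6ba24d91c46b78ddd70fc175fd4c
db9efbaeed892b82f46666b669f27c90
b7f5bb46867f6cff8af129d3aa868597
52be96c08e19eec22bf030e887b4565e
ebe4f3e85486bc383b35357f1014fca9
ce76654ce43cd1f246cd418b72516931
cb44ee4cbdbbefcad5c20324af7dfd72
0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d
37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509
3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173
6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564
9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162
a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3
d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987
d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1
ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb
f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41
31ebb158da8778ac15fa31d5b9ebde614b516536
5a310f7d1fe53ad36aa38876006ec768c0050e3a
2e41a0204f0224d9ff42a9712e3117262192d691
83d921143f51c0d62c4e3b05d616be39e8a7d315
5bd3a0dda234501a4efeb8ad25686bb5b771ab23
5d6fb12100db4c79e3152642017728bdeed85058
1acfd0e715584003b78f66d57c89e054fb3f70c0
1e9c5e8e94c4f3a3b95dafb50afa905f92f8759f
c530bd93a015ca2fa19554c55566f48efe145cbc
b3dfe780e9f6256d59c750725705cebf1aa90401
"""

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def load_iocs(text: str) -> dict:
    """Split a pasted IOC list into per-algorithm sets of lowercase hex digests.

    Tokens are classified by length; list bullets and stray punctuation are ignored.
    """
    iocs = {algo: set() for algo in ALGO_BY_LENGTH.values()}
    for tok in text.split():
        tok = tok.strip("-,;").lower()
        algo = ALGO_BY_LENGTH.get(len(tok))
        if algo and set(tok) <= HEX:
            iocs[algo].add(tok)
    return iocs


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256 of an in-memory blob (used for small inputs and tests)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGO_BY_LENGTH.values()}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all three hashes; APKs can be tens of MB."""
    hashers = {algo: hashlib.new(algo) for algo in ALGO_BY_LENGTH.values()}
    with path.open("rb") as f:
        while chunk := f.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests: dict, iocs: dict) -> list:
    """Algorithms (sorted) whose digest for this input appears in the IOC set."""
    return sorted(algo for algo, d in digests.items() if d in iocs.get(algo, ()))


def sweep(root: Path, iocs: dict) -> dict:
    """Walk a directory tree and return {path: [matched algorithms]} for hits only."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            matched = match_digests(hash_file(p), iocs)
            if matched:
                hits[str(p)] = matched
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory of pulled APKs>
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, algos in sweep(root, load_iocs(ADVISORY_IOCS)).items():
        print(f"MATCH {path} ({', '.join(algos)})")
```

A file matching on any one algorithm is a hit; matching on all three simply means the advisory listed all three digests for that sample. Hash matching only catches the exact samples listed, so pair it with the permission-based check for repacked variants.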
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Never download software from untrusted sources.
- Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
- Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Keep your operating system and apps up-to-date with the latest security patches and updates.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.