August 6, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have discovered BlankBot, a new Android banking trojan that targets Turkish users with the aim of stealing financial information.
BlankBot is equipped with a variety of malicious functions, including keylogging, custom injections, screen recording, and WebSocket communication with its control server. BlankBot was first observed on July 24, 2024, and is reportedly still under active development. The malware abuses the capabilities granted through Android's accessibility services to take complete control of infected devices. Below is a list of some of the malicious APK files that contain BlankBot:
- showcuu.apk (com.whatsapp.w568b)
- app.apk (com.whatsapp.w568bp)
- app-release-signed (14).apk (com.whatsapp.chma14)
- app-release.apk (com.abcdef.w568b)
- app-release.apk (com.abcdefg.w568b)
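The package names above imitate the genuine WhatsApp id with an added suffix, which gives defenders a simple triage check. The following added script (not part of the original advisory) parses the output of `adb shell pm list packages -f -3` and flags both the package ids listed above and any package that reuses an official id as a prefix; the official-id set and the device output are constructed for the example.

```python
from typing import List, Optional, Tuple

# BlankBot package ids taken from the sample list in this advisory.
BLANKBOT_PACKAGES = {
    "com.whatsapp.w568b",
    "com.whatsapp.w568bp",
    "com.whatsapp.chma14",
    "com.abcdef.w568b",
    "com.abcdefg.w568b",
}

# Official app ids that the samples imitate (assumption: WhatsApp ships as "com.whatsapp").
OFFICIAL_IDS = {"com.whatsapp"}


def parse_pm_list(output: str) -> List[Tuple[str, str]]:
    """Parse `pm list packages -f` lines of the form package:<apk path>=<package id>.

    The apk path itself may contain '=' characters, so split on the last '='.
    """
    pairs = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            pairs.append((pkg, path))
    return pairs


def classify(pkg: str) -> Optional[str]:
    """Return a reason if the package id looks like BlankBot, otherwise None."""
    if pkg in BLANKBOT_PACKAGES:
        return "known BlankBot package id"
    for official in OFFICIAL_IDS:
        # A real app id never appears as the prefix of another vendor's id.
        if pkg != official and pkg.startswith(official + "."):
            return f"impersonates {official} (unexpected suffix)"
    return None


def find_suspicious(output: str) -> List[Tuple[str, str]]:
    """Return (package id, reason) for every suspicious third-party package."""
    hits = []
    for pkg, _path in parse_pm_list(output):
        reason = classify(pkg)
        if reason:
            hits.append((pkg, reason))
    return hits


# Constructed sample output, not taken from a real device.
SAMPLE = """\
package:/data/app/~~abc==/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/~~def==/com.whatsapp.w568b-1/base.apk=com.whatsapp.w568b
package:/data/app/~~ghi==/com.example.notes-1/base.apk=com.example.notes
package:/data/app/~~jkl==/com.whatsapp.w999x-1/base.apk=com.whatsapp.w999x
"""

if __name__ == "__main__":
    for pkg, reason in find_suspicious(SAMPLE):
        print(f"{pkg}: {reason}")
```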
Like the previously discovered Mandrake Android malware, BlankBot uses a session-based package installer to get around Android 13's restricted settings feature, which prevents side-loaded apps from requesting risky permissions straight away. The bot asks the victim for permission to install apps from unofficial sources. Once this is granted, it loads the unencrypted Android package kit (APK) file from the application's assets directory and installs it.
Using a variety of functions, the malware can record the screen, collect keystrokes, and inject overlays in response to commands from a remote server. This allows it to obtain payment card information, bank account details, and even the pattern that unlocks the device. BlankBot can also collect information about installed apps and contact lists, uninstall arbitrary programs, and intercept SMS messages. Additionally, it uses the accessibility services API to block the user from opening antivirus apps or accessing device settings.
The code variations found across the different applications suggest that BlankBot is a brand-new Android banking trojan that is still under development. Even so, once the malware lands on an Android device, it can immediately begin carrying out malicious tasks. Android users are automatically protected against known versions of this malware by Google Play Protect, which is turned on by default on devices with Google Play Services. Even when apps are downloaded from sources other than Google Play, Google Play Protect warns users and blocks apps that are known to be malicious.
The disclosure coincided with Google describing the measures it is taking to stop threat actors from using cell-site simulators, such as Stingrays, to send SMS messages directly to Android phones, a fraud tactic known as SMS Blaster fraud. By bypassing the carrier network entirely, this message injection technique evades all network-based anti-spam and anti-fraud filters. By deploying a fake LTE or 5G network, SMS Blasters can downgrade a user's connection to the outdated 2G protocol.
One of the mitigations is giving the user the option to disable 2G at the modem level and to turn off null ciphers, a configuration a false base station needs in order to inject an SMS payload. Google also announced earlier in May that it is enhancing mobile security by warning users when their connection to the mobile network is not encrypted and when attackers are using cell-site simulators to track users or send them SMS-based fraudulent messages.
Impact
- Sensitive Data Theft
- Financial Loss
- Keylogging
- Cyber Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.