IT NEWS

Last week on Malwarebytes Labs:

• GoldPickaxe Trojan steals your face!
• Microsoft Exchange vulnerability actively exploited
• Massive utility scam campaign spreads via online ads
• Facebook Marketplace users’ stolen data offered for sale
• How ransomware changed in 2023
• Malwarebytes crushes malware all the time
• Update now! Microsoft fixes two zero-days on February Patch Tuesday
• TheTruthSpy stalkerware, still insecure, still leaking data
• Remote Monitoring & Management software used in phishing attacks
• Patch now! Roundcube mail servers are being actively exploited
• Warzone RAT infrastructure seized
• Ransomware review: February 2024
• If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04
• AI-generated voices in robocalls are illegal, rules FCC

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face in order to be able to identify as you.

Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.

Cybercriminals try to trick victims into scanning their faces along with identification documents. The victims are approached through phishing and smishing messages claiming to be from local governments or other trusted sources. They ask the target to install a fake government service app.

At this stage there is a crossroads where Android and iOS infections are different. While Android users go straight to the malicious app, due to measures taken by Apple the criminals ask the iOS users to install a disguised Mobile Device Management (MDM) profile. MDM allows a controller to remotely configure devices by sending profiles and commands to the device. As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need.

The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.

Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face-swaps. Face swapping is a technique that allows you to replace faces in images with others.

With the face swap and the photo of the ID the criminals can identify themselves as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, their story was confirmed by warnings from the Thai police.

Although this group is mainly active in Asia, more precisely in Thailand, it makes sense to expect such a successful method to be copied.

Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

As it turns out, there was another actively exploited vulnerability included in Microsoft’s patch Tuesday updates for February.

When Microsoft said in its update guide for CVE-2024-21410 that the vulnerability was likely to be exploited by attackers, they weren’t kidding. Soon after they changed the status to “Exploitation Detected”.

Today, I was alerted to the fact after spotting a warning by the German Federal Office for Information Security (BSI) about the same vulnerability, Something the BSI does not do lightly.

The Exchange vulnerability is listed in the Common Vulnerabilities and Exposures (CVE) database as CVE-2024-21410, an elevation of privilege vulnerability with a CVSS score of 9.8 out of 10.

Microsoft’s description of the vulnerability is a bit more revealing:

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. An attacker being able to impersonate a legitimate user could prove to be catastrophic.

Microsoft Exchange Servers, and mail servers in general, are central communication nodes in every organization and as such they are attractive targets for cybercriminals. Being able to perform a pass-the-hash attack would provide an attacker with a paved way into the heart of the network.

As part of the update, Microsoft has enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14). Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).

If you are running Exchange Server 2019 CU13 or earlier and you have previously run the script that enables NTLM credentials Relay Protections then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

Last year, Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23.

If you are unsure whether your organization has configured Extended Protection, you can use the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

For many households, energy costs represent a significant part of their overall budget. And when customers want to discuss their bills or look for ways to save money, scammers are just a phone call away.

Enter the utility scam, where crooks pretend to be your utility company so they can threaten and extort as much money from you as they can.

This scam has been going on for years and usually starts with an unexpected phone call and, in some cases, a visit to your door. Obviously the phone call side of the scam is much more scalable and means the scam can be done from overseas.

However, criminals know that victims are more likely to be tricked if they were the ones who initiated the call. In a recent investigation, we discovered a prolific campaign of fraudulent ads shown to users via Google searches. To give an idea of scale, the number of ads we found exceeds what we have found in previous malvertising cases.

This blog post has two purposes: the first one is to draw awareness to this problem by showing how it works. Secondly, we’ve collected and shared as many ads and fake sites as we could in the hope that action will be taken, with hopefully some cost for the scammers.

Fraudulent utility scam ads

The scam begins when a user searches for keywords related to their energy bill. The ads are shown to mobile devices only, which makes sense given how often people use their phones. Also, the ads are geolocated, so that they are relevant to the user’s location.

We found 28 advertisers with over 300 ads, most of them registered by individuals from Pakistan. We have also seen legitimate but hacked advertiser accounts belonging to US entities that were abused. We didn’t investigate further into the whereabouts and identities of the scammers, but we should note that Pakistan is a possible location.

In most cases, tapping on the ad will not open a new website, but instead will prompt you to dial a phone number. This is exactly what the crooks want as many people will have no idea that an ad approved by Google could possibly be fraudulent.

The utility scam often works by threatening and scaring victims into making poor decisions. An unpaid bill, or an offer that is too good to be true and must be accepted immediately are some of their tactics. Once you’ve made that phone call, you’re already in their hands and very close to losing a significant amount of money.

The scammers may even redirect you to their website to “prove” that they are legitimate. Those sites are often credible enough for a victim to feel like they are doing the right thing, but that couldn’t be further from the truth.

Large scamming infrastructure

The crooks have registered dozens of different domains names and built templates that appear related to energy or utility savings. The sites are quite simple and consist of one main page with some customer-centric text and one or multiple phone numbers.

We can usually deduce they are fraudulent by looking up their registration date as well as connecting them with search ads.

However, that might not be enough to have them suspended without going through the whole process of calling the scammers, recording the interaction and showing that evidence. This type of investigation requires time and resources to be done properly. Perhaps one of the many scambaiters out there will look into it in the future.

In the meantime, we have tracked and reported as many domains as we could to the relevant registrars in the hope that some may take action and suspend them.

Keep your identity and money safe from scammers

This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. You can tell it’s an ad as it will be labelled “Sponsored” or “Ad”.

Here are some additional tips:

• Watch out for a sense of urgency. Scammers will often threaten to cut your power immediately. This and similar scare tactics are meant to pressure you into making hasty decisions. Take the time to look things up or speak to a friend before you do anything.
• Never disclose personal details over the phone without being absolutely certain you are talking to the right person. If in doubt, hang up the phone and look for the official phone number from your energy company, perhaps from a past bill. Do not trust any phone number that appears on an online ad.
• Beware requests for money transfers or prepaid cards. These are a huge sign you are dealing with criminals. Again, take your time to think it over even if just for a few hours. Scammers tend to be so impatient they will make all sorts of claims to act right now, which should be a dead giveaway.
• Contact your bank immediately if you think you’ve been scammed and wired money,. Change all your passwords and add a notice with your utility company that someone may attempt to impersonate you.
• Report the scam to the proper authorities, which may be the FTC.

Malwarebytes protection

Malwarebytes is working with its partners to go after these scammers. We also provide protection if you are using our iOS app via the ad blocking feature which will disable search ads and other ads that may be targeting you.

Indicators of Compromise

Google advertiser accounts

Phone numbers

Scammer domains

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Personal data belonging to Facebook Marketplace users has been published online, according to BleepingComputer.

A cybercriminal was allegedly able to steal a partial database after hacking the systems of a Meta contractor.

The leak consists of around 200,000 records that contain names, phone numbers, email addresses, Facebook IDs, and Facebook profile information of the affected Facebook Marketplace users. BleepingComputer was able to verify the some of the data.

Marketplace was introduced by Facebook in 2016 and quickly became a popular platform to sell items to local buyers. It’s often preferred over other marketplaces because you can find or sell items locally that would be too expensive to ship, but you can easily pick up yourself.

Smaller businesses also use it as well to get their ecommerce side of the business started. Statistics say that every month, on average 40% of Facebook users are Marketplace users, and an estimated 485 million or 16% of active users log in to Facebook for the sole purpose of shopping on Facebook Marketplace.

Depending on the buyer of the leaked data, both the email addresses and the phone numbers could be used in phishing attacks. Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. The combination of email addresses and phone numbers could also be used in SIM swapping attacks.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM which is under the control of the attacker. Having control over or access to the victim’s email combined with the knowledge of the associated phone number makes a SIM swap relatively easy.

Protect yourself from a SIM card swap attack

• Don’t reply to calls, emails, or text messages that request personal information. Should you get a request for your account or personal information, contact the company asking for it by using a phone number or website that you know is real.
• Limit the personal information you share online.
• Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
• Use Multi-Factor Authentication (MFA), especially on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.

Digital Footprint scan

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

About a month ago, The PC Security Channel (TPSC) ran a test to check out the detection capabilities of Malwarebytes. They tested Malwarebytes by executing a repository of 2015 “malicious” files to see how many Malwarebytes would detect.

This YouTube video shows how a script executes the files and Malwarebytes blocks and immediately quarantines the majority of them.

Malwarebytes missed 34 out of those 2015 files, giving us a score of 98.31%. Many vendors would have been proud of that, but being who we are, we wanted to do better. So we asked whether we could have a look at the files we missed, and TPSC was kind enough to offer us that chance.

Two of the missed files were identified as PUPs. PUP is short for Potentially Unwanted Programs. The emphasis here is on Potentially because they live in the grey area of what people might consider to be acceptable. Some PUPs simply don’t meet our detection criteria.

Anyway, back to the review of the malicious files we missed. As you can see in the sheet below (click to expand), after a full review we were left with four malicious files that we missed and the two PUP-related files.

After circling back to TPSC, they graciously agreed with our assessment of the non-malicious files. That brings Malwarebytes’ score up to 99.8 % which is a lot more like what we are used to score in such tests. The four malicious files have all been added to our detections.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets, in fact the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that: Breaks in to an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving Cl0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of  Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

• Adobe Commerce and Magento
• Adobe Substance 3D Painter
• Adobe Acrobat and Reader
• Adobe FrameMaker Publishing Server
• Adobe Audition 
• Adobe Substance 3D Designer

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

Ivanti has urged customers to patch yet another critical vulnerability.

SAP has released its February 2024 Patch Day updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

In 2022, we published an article about how photographs of children taken by a stalkerware-type app were found exposed on the internet because of poor cybersecurity practices by the app vendor.

The stalkerware-type app involved, TheTruthSpy, has shown once again that the way in which it handles captured data shows no respect to its customers. And even less for the victims it’s monitoring.

TheTruthSpy markets itself as a tool that can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids. But it can just as easily be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in their divorce proceedings.

Stalkerware-type applications like TheTruthSpy typically get installed secretly, by a person with access to the victim’s phone. For that reason, by design, the apps stay hidden from the device owner, while giving the attacker complete access.

Boasting “more than 15 spying features,” it can track a target’s location; reveal their browser history; record their calls; read their SMS messages; spy on their WhatsApp, Facebook, SnapChat and Viber messages; log what they type; and record what they say.

That alone is bad enough, but the app seems to have a persistent problem with security. In 2022, tech publication TechCrunch discovered that TheTruthSpy and other spyware apps share a common Insecure Direct Object Reference (IDOR) vulnerability, CVE-2022-0732. The publications described the bug as “extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device.”

The bug was never fixed, and yesterday, stalkerware researcher maia arson crimew, revealed that it was stumbled upon again by two different hacking groups.

When members of the two hacking groups looked into TruthSpy last december while searching for stalkerware to hack, they independently stumbled upon the same IDOR vulnerability

The good news is that both groups, SiegedSec and ByteMeCrew, said in a Telegram post that they are not publicly releasing the breached data, given its highly sensitive nature. They provided enough data to enable TechCrunch to verify that it is authentic though, by matching IMEI numbers (numbers that uniquely identify phones) and advertising IDs against a list of previous known-to-be compromised devices.

Which means that by installing TheTruthSpy—and a whole fleet of clone apps including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy—you are not just spying on someone, you are also potentially exposing their data for anyone to find.

The data reportedly shows that TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.

Sadly, this is no surprise. According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Removing stalkerware

If you want to know if your phone is or was infected with TheTruthSpy, you can use the lookup tool provided by TechCrunch, which has been updated to include information about the most recent leak.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1. Open Malwarebytes for Android.
2. Open the app’s dashboard
3. Tap Scan now
4. It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

• Uninstall. The threat will be deleted from your device.
• Ignore Always. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
• Ignore Once: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.

Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple different devices, and it’s why when you read an email on your laptop it’s marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet. Most of them situated in the US and China.

The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.

XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.

This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.

In this case it appears that attackers can send plain text emails to Roundcube users with XSS links in them, but Roundcube does not sanitize the links, and, of course, stores the email, creating persistence.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.