GravityRAT affects mobile devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT Remote Access Trojan (RAT) is believed to be the work of Pakistani hacker groups and has been under development since at least 2015.

Malware researchers found the new Android GravityRAT sample in 2019. The hackers had added a spy module to Travel Mate, an Android app for travelers to India whose source code is available on GitHub.

The tainted app is able to steal contacts, emails, and documents from the infected device and send them back to the command-and-control (C&C) server. The same C&C server was also associated with two other malicious apps targeting the Windows and macOS platforms.

The spyware is able to collect information about the system and supports multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • scan ports

The malware was distributed via applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.

Threat actors tricked victims into installing a malicious app disguised as a secure messenger, supposedly in order to continue a conversation, and then proceeded to infect the device.

What is peculiar about GravityRAT is that it no longer infects only Windows; it now targets Android and iOS devices too.

MalLocker.B hides in Android Home

Named AndroidOS/MalLocker.B, the ransomware is hidden inside Android apps offered for download on online forums and third-party websites.

Android ransomware can nonetheless abuse accessibility features or use other techniques to draw and redraw overlay windows.

The ransomware Microsoft noticed, which it calls AndroidOS/MalLocker.B, uses a different technique. It invokes and manipulates the notifications that are intended to be shown whenever you receive a phone call.

The researchers additionally found a machine learning module within the malware samples they analyzed that could potentially be used to automatically size and zoom a ransom note based on the dimensions of the victim's device display. Given the variety of Android handsets in use around the world, such a feature would be useful to attackers for ensuring that the ransom note displays cleanly and legibly. Microsoft found, though, that this ML component wasn't actually activated within the ransomware and may be in testing for future use.

This ransomware works in two steps: first it abuses the call notification function, and second it abuses push notifications and the app switch-over function.

Microsoft researchers discovered that the ransomware was designed to mask its capabilities and purpose. Each Android app must include a "manifest file" that contains the names and details of its software components, like a ship's manifest that lists all passengers, crew, and cargo. Aberrations in a manifest file are often an indicator of malware, and the ransomware developers managed to leave out the code for numerous components of theirs.

Instead, they encrypted that code to make it even harder to analyze and hid it in a different folder, so the ransomware could still run but would not immediately reveal its malicious intent. The hackers also used other techniques, including what Microsoft calls "name mangling," to mislabel and conceal the malware's components.

BLESA: Bluetooth disguised

The improper BLE reconnection procedure has made billions of Android and iOS devices vulnerable to the new attack dubbed Bluetooth Low Energy Spoofing Attack (BLESA).

Two critical security flaws in the BLE link-layer authentication mechanism expose Bluetooth devices to the BLESA attack.
These weaknesses allow an attacker to impersonate a BLE server device and provide spoofed data to another previously paired device.

Researchers have found that multiple software stacks (more than one billion BLE devices and 16,000 BLE apps) such as BlueZ (Linux-based IoT devices), Fluoride (Android), and the iOS BLE stack could be exploited using the BLESA flaw.
Additionally, researchers found a related implementation vulnerability (CVE-2020-9770) in the Android and iOS BLE stacks that makes these two stacks vulnerable against BLESA.

Earlier this month, another vulnerability dubbed BLURtooth was found in the Cross-Transport Key Derivation (CTKD) component of Bluetooth. Because CTKD sets up two different sets of authentication keys for both the BLE and Basic Rate/Enhanced Data Rate (BR/EDR) standards, the flaw lets attackers overwrite Bluetooth authentication keys.

In July, researchers reported an authentication bypass in BLE reconnections using two critical design weaknesses in BLE stack implementations in Linux, Android, and iOS. Google and Apple also confirmed the flaw.

Escape route

The BLESA attack targets the reconnection process, which occurs far more often than initial pairing, so it is hard to defend against. Purdue's team has released a report on possible improvements to the reconnection procedure. According to them, both the BLE stack implementations and the BLE specification itself need to be updated.

Zoom 2FA goes for all

Zoom has announced that it has added two-factor authentication (2FA) support to all user accounts to make it simpler to secure them against security breaches and identity theft.

With 2FA, Zoom users get an extra layer added to the authentication process, blocking attackers from taking control of their account by guessing their password or using compromised credentials.

Zoom accounts secured using 2FA will require you to enter a one-time code from a mobile authenticator app or received via SMS or phone call, in addition to the account’s password, before allowing you to sign in to the Zoom web portal, desktop client, mobile app, or Zoom Room.

“With Zoom’s 2FA, users have the option to use authentication apps that support Time-Based One-Time Password (TOTP) protocol (such as Google Authenticator, Microsoft Authenticator, and FreeOTP), or have Zoom send a code via SMS or phone call, as the second factor of the account authentication process.”

“Zoom offers a range of authentication methods such as SAML, OAuth, and/or password-based authentication, which can be individually enabled or disabled for an account.”
