Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.…
Tag: SPYWARE
Summary: The U.S. State Department will announce a new strategy to combat nation-state cyberthreats and promote international cooperation in cyberspace, while also addressing the risks of generative artificial intelligence systems.
Threat Actor: N/A
Victim: N/A
Key Point:
The U.S. State Department will engage international partners, build coalitions, and develop new capabilities to aid allies in cyberspace.…
Summary: A new malware called “Cuckoo” has been discovered, targeting macOS users by disguising itself as a music converter app like Spotify.
Threat Actor: Cuckoo
Victim: macOS users
Key Point:
The malware, disguised as a music converter app, can run on both Intel and ARM-based Apple Mac computers.…
Summary: The content highlights the procurement and deployment of powerful foreign commercial spyware and surveillance products in Indonesia, with the country’s national police and cyber agency being among the top recipients or users of this technology.
Threat Actor: Intellexa, Candiru, Q Cyber Technologies (tied to NSO Group)
Victim: Indonesian authorities (national police and cyber agency)
Key Point:
Powerful and invasive foreign commercial spyware and surveillance products are being procured by or deployed in Indonesia, with the country’s national police and cyber agency among the top recipients or users of the technology.…
On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host’s resources for the gain of its young.…
Summary: The UK’s National Cyber Security Centre (NCSC) has launched a new initiative called Advanced Mobile Solutions (AMS) to enhance cyber-resilience for organizations targeted by nation-state threats on their mobile infrastructure.
Threat Actor: Nation-state threat actors
Victim: High-threat organizations
Key Point:
The NCSC’s Advanced Mobile Solutions (AMS) risk model aims to protect against the targeting of consumer-grade devices by commercial spyware, which can serve as a gateway for sophisticated threat actors to access corporate systems and data.…
On April 11, 2024, BlackBerry released a new blog detailing a new VirusTotal upload of the LightSpy mobile spyware framework. BlackBerry stated that this malware was an iOS implant, yet Huntress researchers discovered that, although the uploaded samples appear novel, they aren’t actually targeting iOS at all.…
A sophisticated cyberattack campaign leveraging Agent Tesla and Taskun malware has been actively targeting the education and government sectors in the U.S. This blog post delves into the intricacies of their deployment methods, the vulnerabilities they exploit, and the broader implications for cybersecurity defenses.
Introduction
Recent investigations have unveiled a coordinated attack that integrates two notorious malware types, Agent Tesla and Taskun.…
Summary: Google blocked millions of Android apps and suspended thousands of developer accounts in an effort to protect users and maintain the security of its official app store.
Threat Actor: Google
Victim: Android users
Key Point:
Google blocked 2.28 million Android apps from being published on Google Play due to policy violations that could compromise user security.…
Summary: The US State Department is imposing visa restrictions on individuals involved in the development and sale of commercial spyware, targeting those who have targeted journalists, academics, human rights defenders, dissidents, and US government personnel.
Threat Actor: Commercial spyware developers and sellers.
Victim: Journalists, academics, human rights defenders, dissidents, and US government personnel.…
Threat Actor: GhostR
Victim: World-Check
Price: Not mentioned
Exfiltrated Data Type: Confidential database containing 5.3 million records
Additional Information:
World-Check is a global database used by organizations for assessing potential risks associated with individuals and entities. The database is owned by LSEG (London Stock Exchange Group).…
New research from Recorded Future’s Insikt Group focuses on the growing threat of a possible "mobile NotPetya" event. Through zero-click exploits, a self-propagating mobile malware could infiltrate smartphones at scale. The threat has increased sharply in the past few years as spyware companies continually refine zero-click exploits.…
The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices.…
This report details the resurgence of the LightSpy mobile espionage campaign, which focuses on targets in Southern Asia and probably India, potentially indicating a renewed focus on political targets and tensions in the region.
Beyond our findings, the echoes of concern reach further. VirusTotal submissions from India suggest potential victims within its borders, aligning with recent warnings by Apple on detections within the same country.…
Summary: A new campaign conducted by the TA558 hacking group is using steganography to hide malicious code inside images and deliver various malware tools onto targeted systems.
Threat Actor: TA558
Victim: Various sectors and countries (SteganoAmor campaign)
Key Point:
The TA558 hacking group is using steganography to conceal malicious code inside images and deliver malware tools.…
Summary: Cybersecurity researchers have discovered a renewed cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.
Threat Actor: LightSpy
Victim: Users in South Asia
Key Point:
The LightSpy iOS spyware campaign, dubbed “F_Warehouse,” has a modular framework with extensive spying features.…
Summary: Apple has updated its warning system to alert users when they may have been individually targeted by mercenary spyware threats, such as the surveillance tools developed by NSO Group.
Threat Actor: NSO Group
Victim: Individuals targeted by mercenary spyware attacks
Key Point:
Apple has revised its documentation to specifically address mercenary spyware threats and highlight their advanced capabilities, including zero-day exploits and complex obfuscation techniques.…
Research by: Antonis Terefos, Raman Ladutska
Part I from the series E-Crime & Punishment
When considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to add to this area anymore – all paths traced, all words said, all “i”s dotted.…
Threat Actor: Black Shadow (originated from Iran), Russian hacker
Victim: Atraf (Israeli LGBTQ dating app) users
Information:
– Atraf, a popular Israeli LGBTQ dating app, has suffered a major data breach
– The data breach exposed personal information of over half a million users
– The group responsible for the attack, Black Shadow, originated from Iran
– The data breach occurred after compromising an Israeli hosting service named CyberServe
– A user on Breach Forums, apparently of Russian origin, claims to have leaked the Atraf database
– The leaked database contains the personal data of over 1.5 million users, but after removing duplicates, the total number of leaked accounts decreases to over half a million (669,672)
– The leaked records date back to 2021, suggesting that the data might be legitimate
– The leaked information includes full names, nicknames, country, city, age, height, religion, address, phone numbers, IP addresses, date of birth, interests and hobbies, sex and gender, sexual orientation, email addresses, plain text passwords for some users, location coordinates, type of smartphone and operating system, conversations in direct messages (DMs), family details including whether they have children, and payment card data (excluding card numbers but including CVV codes, expiry dates, and card types)
– The leaked data poses a significant threat to the privacy and physical security of affected users
– It can result in online harassment and hacking of email accounts
– Atraf users are advised to change their passwords immediately for both their email and Atraf accounts
– Caution should be exercised with emails purportedly from Atraf, and users should double-check before clicking any links
– Hackread.com…