Telegram Archives - CISO MAG | Cyber Security Magazine

Hackers Spread Purple Fox Rootkit via Fake Telegram App
https://staging-cisomagcom.kinsta.cloud/hackers-spread-purple-fox-rootkit-via-fake-telegram-app/
Tue, 04 Jan 2022 14:07:56 +0000

It has become routine for cybercriminals to spread their customized malware via fake mobile applications. Security experts from Minerva Labs recently found threat actors leveraging malicious Telegram applications to distribute customized malware dubbed Purple Fox on targeted devices.

“This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection,” the researchers said.

Purple Fox Infection

The malicious Telegram installer is a compiled AutoIt freeware script called Telegram Desktop.exe, which creates a new folder named TextInputh under C:\Users\Username\AppData\Local\Temp\ and drops a legitimate Telegram installer and a malware downloader file TextInputh.exe. The TextInputh.exe file acts as a downloader of additional payloads for the next attack stage that installs Purple Fox Rootkit without being detected.

Usually, rootkits allow remote hackers to access the operating system on the infected machine illicitly. Threat actors could monitor and steal sensitive information leveraging rootkits.

The information gathered by Purple Fox includes:

  • Hostname
  • CPU – by retrieving the ~MHz value of the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry key
  • Memory status
  • Drive Type
  • Processor Type

“We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain. It seems like some were delivered via email, while others we assume were downloaded from phishing websites. The beauty of this attack is that every stage is separated to a different file which are useless without the entire file set. This helps the attacker protect his files from AV detection,” researchers added.

New Malware Variants on the Rise

Despite several security measures, threat actors managed to spread various malware variants. A recent analysis uncovered an info-stealing malware dubbed Redline targeting web browsers like Opera, Chrome, and Edge to harvest login credentials. According to a report from AhnLab ASEC, the Redline malware campaign targets users who enable the auto-login feature on their browsers. Active since 2020, when Redline Stealer first appeared on a Russian darknet forum, the malware is being peddled for $150-$200, allowing bad actors to leverage it.

Echelon Malware Posted on Cryptocurrency Trading Telegram Channel Targets Crypto Wallets
https://staging-cisomagcom.kinsta.cloud/echelon-malware-posted-on-cryptocurrency-trading-telegram-channel-targets-crypto-wallets/
Fri, 24 Dec 2021 12:54:50 +0000

SafeGuard Cyber discovered a sample of the Echelon malware targeting crypto wallets and user account credentials. The researchers detected the malware on a cryptocurrency discussion channel on Telegram.

“Based on the malware and the manner in which it was posted, we believe that it was not part of a coordinated campaign and was simply targeting new or naive users of the channel. The sample of Echelon that we analyzed targets credentials, crypto wallets, and has some fingerprinting capabilities,” SafeGuard said.

The Incident

Researchers at SafeGuard revealed that the attackers exploited the Telegram handle “Smokes Night” to propagate the malware Echelon and steal credentials from user accounts and crypto wallets.

“This was an isolated, one-off incident meant to target new unsuspecting users of the channel. The handle “Smokes Night” was only used once on the channel, and the only post it made was to post Echelon. The post did not appear to be a response to any of the surrounding messages in the channel. We did not see anyone respond to “Smokes Night” or complain about the file, though this does not prove that users of the channel did not get infected,” shared SafeGuard.

Malware Brief

The researchers explained that analysis of the malicious executable shows that it contains some anti-analysis features. It has two anti-debugging functions, which immediately terminate the process if a debugger or other malware analysis tools are detected. Additionally, the sample is obfuscated using ConfuserEx v1.0.0.

SafeGuard divulged, “After de-obfuscating the .NET code, we found that the sample performs several crypto wallet and credential-stealing functions, as well as domain detection and computer fingerprinting. The malware will also attempt to take a screenshot of the victim machine.”

Targeted Platforms:

  • Discord
  • Edge
  • FileZilla
  • NordVPN
  • OpenVPN
  • Outlook
  • Pidgin
  • ProtonVPN
  • Psi(Jabber)
  • Telegram
  • TotalCommander

Targeted Digital Currency Wallets:

  • Armory
  • AtomicWallet
  • BitcoinCore
  • ByteCoin
  • DashCore
  • Electrum
  • Exodus
  • Ethereum
  • Jaxx
  • LitecoinCore
  • Monero
  • Zcash

Threat actors continue to prey on the digital platform and leverage every opportunity to cause disruption and assuage their financial greed. Cryptocurrency is now like a trademark to these attacks. Be it the platform or as a medium of ransom exchange, digital currency is a haven for cybercriminals.

Akshat Jain, Co-Founder and CTO of Cyware, opines, “Cryptocurrencies continue to provide a safe haven for cybercriminals and ransomware groups looking to evade being traced. Because these coins are largely anonymous, cybercriminals are heavily relying on these currencies to carry out attacks. As per the data shared earlier this year by the National Cybersecurity Coordinator, India, “by the end of 2021, ransomware is expected to attack a company every 11 seconds and cause damages of up to $20 billion.” The illicit use of cryptocurrency, both to evade sanctions and to obfuscate involvement in criminal activity, will continue to increase in 2022, with ransomware and crypto-jacking being the two most prominent ways that criminals can directly receive cryptocurrency payments from their victims.”

Cryptocurrency exchanges and hot wallets continue to be a primary target for threat actors. Another victim that joined the list of crypto hacks was the cryptocurrency trading platform BitMart.

Indian Government Gives 7-days to WhatsApp for Privacy Policy Roll Back
https://staging-cisomagcom.kinsta.cloud/whatsapp-india-asked-to-roll-back-new-privacy-policy/
Thu, 20 May 2021 12:57:58 +0000

WhatsApp has recently been in a slew of legal battles in India over its latest privacy policy changes. However, it has now been served a 7-day ultimatum by the Indian government for a complete roll back of all the new privacy policy changes which came into effect on May 15. Failing to do so, the Ministry of Electronics and Information Technology (MeitY) has warned of legal action against all the clauses deemed inappropriate by them.

WhatsApp India Privacy Policy Row

WhatsApp has been previously asked to reconsider its privacy policy changes by the Indian government. In January this year, the Indian government deemed the new privacy policy changes as “discriminatory” because the same policy in the European Union (EU), was made optional to its users owing to the GDPR regulations. Since India still does not have a formal data privacy law in the country (it is currently in the works and will be introduced in the parliament’s coming session), MeitY had requested WhatsApp to withdraw the policy and respect the “right to privacy” and consent of Indian users. However, WhatsApp did not completely dissolve the enforcement of the new privacy policy which was supposed to come into effect on February 8, 2021; instead, it just deferred it by three months to May 15.

In April, the MeitY filed an affidavit in the Delhi high court stating WhatsApp’s privacy policy violated the Information Technology Rules of 2011 on five counts. They were:

  1. It fails to specify the types of sensitive user data being collected.
  2. It fails to notify users of such collection.
  3. It does not let them review or amend the information.
  4. It does not allow the withdrawal of consent later.
  5. It fails to provide any guarantee against non-disclosure to third parties.

In response to the Affidavit, WhatsApp told the Delhi high court that it was conforming with the current Indian IT laws and rules in place and respected users’ privacy for which it has already taken steps such as end-to-end chat data encryption. Additionally, to make its point clearer, it presented another affidavit which names other popular applications in the country like Zomato, Ola, BigBasket, Truecaller, and the government’s own COVID tracking app, Aarogya Setu, which have similar privacy policies.

In response to the petition, Justice Sanjeev Sachdeva had earlier told MeitY that, “It is a private app. Don’t join it. It is a voluntary thing, don’t accept it. Use some other app.” Pointing at other apps like Google Maps, Justice Sachdeva added that even others do it and “you would be surprised as to what all you are consenting to.”

Going by this philosophy of “If you want it, you use it,” a few days back, the company again informed the Delhi high court that it has rolled out the policy on May 15 as decided but it was “not forcing users to accept the new updates in the privacy policy.” It clearly stated that it would not delete the accounts of users who have refrained from accepting the changes for now. However, this does not seem to be enough and the ministry has finally given a countdown of seven days before it initiates legal action as deemed appropriate. There is widespread speculation (on social media and in WhatsApp message forwards) that users who do not accept the new privacy policy may not be able to access all the features of WhatsApp. But this is yet to be confirmed.

This Vulnerability made WhatsApp and Telegram Account Takeover Possible: Check Point
https://staging-cisomagcom.kinsta.cloud/whatsapp-and-telegram-account-takeover-vulnerability/
Mon, 22 Feb 2021 15:01:39 +0000

Chat service provider WhatsApp and its competitors like Telegram have always maintained that their products provide end-to-end encryption (E2EE). But the recent turn of events around the globe has raised concerns about these claims. There is a widespread possibility that government and law enforcement organizations could be compromising E2E encrypted chat applications for viewing private data. While this is yet to be proven, a similar mechanism has given rise to a new severe vulnerability, which allows attackers to perform WhatsApp and Telegram account takeovers on its web platform.

The vulnerability, if exploited, would have given attackers access to the victims’ personal and group chats, photos, videos, other shared files, contact lists, and much more. In short, it could be a free pass for attackers in your personal space. They could download photos and sensitive data and demand a ransom in exchange for it. Attackers could also use the victims’ identity to further spread the attack and take over their friends’ accounts.

How the Vulnerability Worked

The vulnerability was first discovered by researchers from Check Point. They explained that the exploitation of the vulnerability began when the attacker sent a specially crafted image file to the victim containing a malicious code. The file could be modified to target the victim with a specific image or content that could interest the user in opening the attachment.

[Image: WhatsApp and Telegram account takeover. Credit: Check Point]

In WhatsApp, the exploitation of the vulnerability starts when the user clicks to open the image. The malicious code gets executed and allows the attacker free access into the victims’ local storage, where the data is stored. In Telegram, however, the user is required to click twice and open a new tab, for the attacker to access local storage. This leads the attacker to gain full access to the user’s account and data. The most dangerous part about this vulnerability is that it could have allowed the attacker to use victims’ contacts and potentially start an account takeover attack affecting both WhatsApp and Telegram.

It is Now Fixed!

Check Point researchers responsibly disclosed the vulnerability to both WhatsApp and Telegram’s security teams on March 7, 2020. Both companies verified and acknowledged the issue before developing a fix for all their web clients. Researchers advised WhatsApp and Telegram web users who want to ensure they are using the latest version to update and restart their browser. The fix is applied automatically.

Indian Government Asks WhatsApp to Withdraw its “Discriminatory” Policy
https://staging-cisomagcom.kinsta.cloud/indian-government-asks-whatsapp-to-withdraw-discriminatory-policy/
Wed, 20 Jan 2021 12:30:16 +0000

In the latest saga of WhatsApp’s changes in its data sharing policy, the Indian Government has written a letter to WhatsApp CEO, Will Cathcart, asking him to withdraw the “discriminatory” policy changes that are challenging the “right to privacy” of Indian users bestowed upon them by the country’s constitution itself. Owing to the extensive criticism and the amount of misinformation spread related to the updated privacy policies, WhatsApp has decided to delay the changes by three months until everything is sorted.

What were the WhatsApp Privacy Policy Changes?

WhatsApp’s updated Privacy Policy mandated users to share their data with its parent company Facebook. It included sharing the metadata of users’ chat with business accounts of other Facebook companies. Moreover, WhatsApp did not allow users to opt-out of such a drastic change in the privacy policy.

Why is the Indian Government Opposing?

According to a report from a national news channel NDTV, experts in the government familiar with the matter cited concerns over WhatsApp’s data collection and sharing with the other parent and sister companies. They said, “It would create a honeypot of information about users with a Facebook group, which can invariably create security risks and vulnerabilities for all users.”

Secondly, the Ministry of Electronics and Information Technology (MeitY) is baffled by the double standards of WhatsApp. In the European Union (EU), WhatsApp has given an opt-out option to its users; however, the Indian user base, which the company states is the biggest in the world, does not get one. MeitY strongly condemned this “discriminatory treatment” and termed it “disrespectful” towards Indian citizens. In a stern voice, MeitY reminded WhatsApp that it has a sovereign right to protect the interests of Indian citizens and it shall not compromise on that at any cost.

After a brief study of the updated policy, the Indian government is now seeking clarity and conformance on privacy and data security concerns. It has sent a list of 14 questions asking about the disclosure of the exact categories of data that WhatsApp collects from its users in India, the permissions and user consent sought by the app, and how each of these sets of data will be used by the company post collection.

Petition in Delhi High Court Against WhatsApp’s Policy

Meanwhile, a lawyer has filed a petition against WhatsApp’s new privacy policy, which was heard in the Delhi High Court on Monday, January 18. The petitioner argued that the updated privacy policy violates users’ right to privacy under the Indian Constitution and must not come into effect. However, Kapil Sibal and Mukul Rohatgi, senior advocates and defendants of WhatsApp and Facebook,  found this argument baseless. They told the High Court that none of the private or group chats were being accessed or stored by WhatsApp, and very much remained encrypted. They further argued that it was only the business chats on WhatsApp that were getting affected.

In response to the petition, Justice Sanjeev Sachdeva said, “It is a private app. Don’t join it. It is a voluntary thing, don’t accept it. Use some other app.” Pointing at other apps like Google Maps, Justice Sachdeva stated that even others do it and “you would be surprised as to what all you are consenting to.” However, the High Court wanted more time to analyze the amount of data being shared and the data that was being leaked as per the petitioner. Thus, the matter will be listed on January 25 for further address.

WhatsApp vs Signal vs Telegram: Which is More Viable and Secure?
https://staging-cisomagcom.kinsta.cloud/whatsapp-alternative-signal-and-telegram/
Tue, 12 Jan 2021 15:59:27 +0000

WhatsApp recently introduced an updated privacy policy, which mandates all users to share their data with its parent company Facebook. As per the ominous-sounding notification, users failing to accept the updated privacy policy will no longer be allowed to enjoy the services of the platform from February 8, 2021. In simpler words, they will be forced to uninstall the app if they fail to accept the policy changes.

Experts, including privacy pundits and governments, have raised concerns with WhatsApp’s stubbornness towards the new privacy policy.

WhatsApp vs Signal vs Telegram

It is a known fact that “one person’s loss is another person’s gain,” and this seems to be completely true in the current scenario. WhatsApp has nearly 200 million users that span across the globe. However, its latest move has forced most of them to rethink whether sharing data with Facebook is necessary. Confused and perplexed, users are seeking alternatives for WhatsApp. Given the number of options available on Android’s Google Play and Apple’s App Store, the competition is tough. But this race has two frontrunners fighting it out for the top spot: Signal and Telegram.

Let us have a look at the best possible alternatives for a secured messaging application.

The Winner: Experts Recommend Signal

Currently touted as the best WhatsApp alternative, Signal has been ordained by the experts for its polished security features. It is run by a non-profit led by Moxie Marlinspike, an American cryptographer and the current CEO of the company. The app was developed by the Signal Foundation and Signal Messenger, whose co-founder, Brian Acton, also happens to be the former WhatsApp co-founder.

Security Features
  • Developed by Marlinspike, Signal has end-to-end (e2e) encryption based on the Signal protocol. Thus, no third-party or even Signal’s developers can read its users’ messages.
  • It has an open-source protocol, which means there is transparency.
  • It does not support third-party backups like storing in Google Drive or iCloud storage. All data is stored locally on the device itself. Your chat history is lost if you lose and/or change your device.

Signal also supports other basic security features like screen lock, fingerprint unlock, and an incognito keyboard option that does not store your typed words in the auto-suggest.

Our Verdict

Signal has been recommended by privacy experts, known personalities like Elon Musk, and well-known whistleblower Edward Snowden, mainly for three reasons:

  1. End-to-end encryption.
  2. No third-party and cloud storage of backups.
  3. Complete user privacy. As per the privacy header of Signal in the App store, it does not collect any user data.

Telegram – An Older Yet Unique War Horse

Telegram is another app that has been around for quite some time now. Learning from WhatsApp’s mistakes, it has bettered itself over time and has slowly gained popularity providing certain features that even WhatsApp lacks. With Telegram, users can send large files up to 1.5GB, add up to 200,000 users in a single group, and so on.

Security Features
  • Telegram also has end-to-end (e2e) encryption, but it is available only for “Secret Chats” and all types of Calls (voice, video, and group).
  • Instead of e2e encryption, it has distributed cross-jurisdictional encrypted cloud storage, which the Telegram CEO, Pavel Durov says, “is much more protected.”
  • Chat Backups are synced only with Telegram Cloud.

Although it has a host of security features, there is a downside to Telegram. It collects users’ data, including name, phone number, contacts, and user ID. This data is tagged as PII and could be a problem in case of a future breach.

Our Verdict

Telegram is popular among the masses mainly because of its ability to accommodate 200,000 users in a single group at a given time. Apart from that, it surprisingly provides e2e encryption for one-on-one and group video calls, which is a rarity. However, it does collect users’ PII, and thus, if you are ready for a trade-off in exchange for the additional feature that it provides, nothing like it.

Closing Notes

Amid the chaos surrounding the WhatsApp data privacy policy and data sharing with Facebook, the former has issued another notification on Twitter to clear the air.

The issuance clearly states that neither WhatsApp nor Facebook can “see your private messages or hear your calls,” but how true could this be? Would users be convinced?  Will this be a start to the end of WhatsApp? Or will the tech giant pull through this crisis and emerge yet again? All we can do is sit back and wait; maybe better answers are waiting to be found. If not, then as experts suggested, we always have something to fall back on: Signal and Telegram.

About the Author
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity technologies.

Iranian Expats Under Radar of ‘Rampant Kitten’ Cyber Espionage for Six Years
https://staging-cisomagcom.kinsta.cloud/iran-rampant-kitten/
Mon, 21 Sep 2020 07:37:42 +0000

Check Point Research uncovered a cyber espionage campaign linked to an Iranian hacker group targeting expats and dissidents in Iran for almost six years. The surveillance campaign dubbed as “Rampant Kitten” targeted government dissidents including resistance group Mujahedin-e Khalq, the Azerbaijan National Resistance Organization, Iranian minorities, and other anti-regime organizations to exfiltrate sensitive information from their Windows systems, Telegram apps, and SMSes.

“The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime,” Check Point said.

Attack Vectors

  • Four variants of Windows info-stealers, found by Check Point researchers, intended to steal the victim’s personal documents as well as access to their Telegram Desktop and KeePass account information.
  • An Android backdoor that extracts two-factor authentication codes from SMS messages and records the phone’s voice surroundings.
  • Telegram phishing pages, distributed using fake Telegram service accounts.

Malware Analysis

Hackers used multiple malware payloads to obtain data from the targeted devices, including:

Information Stealer: Once uploaded to the victim’s device, this malware allows the attackers to make full use of the victim’s Telegram account. It steals information from the KeePass application and uploads any file it finds whose name ends with one of a set of pre-defined extensions. It also logs clipboard data and takes desktop screenshots.

Module Downloader: This malware downloads and installs several additional modules.

Unique Persistence: This malware implements a persistence mechanism based on Telegram’s internal update procedure.

“The backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and learning more about their activities,” Check Point added.

Attacks via Dharma Ransomware

Recently, Group-IB researchers detected attacks on multiple companies across the globe carried out by Iranian newbie threat actors for financial gain. These attacks have been actively orchestrated since at least June 2020. The threat actors are using Dharma ransomware along with a set of other publicly available tools to target companies specifically in Russia, Japan, China, and India. Once a network is compromised, the gang typically demands a ransom of between 1 and 5 Bitcoins (BTC). The threat actors seem to be naïve, since they did not have a fixed plan for what to do with the compromised networks.

Another Web Skimming Attack! Hackers Use Telegram to Pilfer Card Data
https://staging-cisomagcom.kinsta.cloud/exfiltrate-card-data-via-telegram/
Sat, 05 Sep 2020 13:10:59 +0000

Cybercriminals constantly adopt new attack techniques to carry out their malicious activities. Recently, Magecart attackers implemented a new web skimming technique by leveraging the popular messaging app Telegram to pilfer card data.

Telegram-Based Skimming Attack

According to Malwarebytes, hackers exploited the Telegram app to send stolen payment details from compromised websites. They used the messaging platform to exfiltrate sensitive data by deploying skimmer code and traditional Trojans.

“The fraudulent data exchange is conducted via Telegram’s API, which posts payment details into a chat channel. That data was previously encrypted to make identification more difficult. For threat actors, this data exfiltration mechanism is efficient and does not require them to keep up infrastructure that could be taken down or blocked by defenders. They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets,” Malwarebytes said.

According to the security researcher AffableKraut, who was the first to disclose the incident in a Twitter thread, the skimmer code checks for web debuggers to evade security detection and looks for sensitive data fields like billing, payment details, credit card number, expiration, and CVV.

Injecting e-skimmers or malicious JavaScript on e-commerce sites to pilfer payment card details is a common technique used by Magecart operators. But this time, they used a new method to exfiltrate data through a message sent to a Telegram channel using an encoded bot ID in the skimmer code.

“Defending against this variant of a skimming attack is a little more tricky since it relies on a legitimate communication service. One could obviously block all connections to Telegram at the network level, but attackers could easily switch to another provider or platform (as they have done before) and still get away with it,” Malwarebytes added.

Data Breach Affects Millions of Telegram Users
https://staging-cisomagcom.kinsta.cloud/telegram-data-breach/
Fri, 26 Jun 2020 07:39:01 +0000

Telegram, a cloud-based messaging app, suffered a data breach after unknown hackers exposed personal details of its users on darknet forums, according to a report from Russian publication Kod.ru. The exposed database contains phone numbers, unique Telegram user IDs, and other sensitive information. While it is unclear exactly how many users were affected in the incident, the exposed database is about 900 megabytes.

According to Kod.ru, the information was exposed via the Telegram app’s built-in contact export feature, which is used for user registration. Most of the exposed data is outdated, with 84% of it collected before mid-2019 and around 60% of it irrelevant. It is said that 70% of the leaked accounts are related to users in Iran and the remaining 30% to users in Russia.

“When checking through the program, the editors of Kod.ru found telephone numbers by nicknames in Telegram, including the numbers of the editors. In addition, the file also contains a unique user identifier in the messenger. At the moment, it is unclear exactly how many users were in the database,” Kod.ru reported.

All Apps are Vulnerable

Telegram stated that the vulnerability of the built-in contact export feature is a primary concern for all contact-based messenger apps, Cointelegraph reported. “Like other phone-based messengers (Facebook Messenger, WhatsApp, Viber), Telegram allows you to see which of your contacts are also using the app. Unfortunately, any contacts-based app faces the challenge of malicious users trying to upload many phone numbers and build databases that match them with user IDs – like this one,” Telegram said in a statement.

Not the First Time

This is not the first time that Telegram’s user data has been exposed. In June 2019, Telegram suffered a DDoS (Distributed Denial of Service) attack that affected users in the U.S., Hong Kong, and other countries. Telegram took to Twitter to notify its users. “We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues,” Telegram said in a Twitter post. Describing the attack, Telegram said, “A DDoS is a Distributed Denial of Service attack: your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper.”

 
