TimpDoor Malware

Researchers have uncovered an active phishing campaign which targets Android devices in order to turn them into mobile proxies.

TimpDoor circumvents the security procedures and protections offered by Google’s Play Store. The attackers behind the malware have not sought to host their malicious software in the app repository; instead, the malware spreads via text messages containing a malicious link to the fake app.

The McAfee Mobile Research team says that once installed, the fake app launches a background service that starts a SOCKS proxy, which redirects network traffic from a third-party server without the user's knowledge.

The campaign has been active since at least the end of March, with US Android users reporting the receipt of strange text messages. The text messages inform potential victims that they have two voice messages to ‘review,’ but in order to do so, they must click a link.

If a user clicks this link, a fraudulent web page is opened. According to McAfee, the page pretends to be a “popular classified advertisement website” and asks the user to install the app.

Once installed, the app appears to be a simple voice app, but it lacks any real functionality beyond hosting a few fake audio files. If the app is closed, its icon is hidden while the background process begins creating the proxy, collecting device information along the way.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against TimpDoor malware and similar threats. Only install apps from the official app store and do not click on links in unexpected text messages. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-12390

Multiple vulnerabilities have been discovered in Mozilla Firefox. This critical one covers memory safety bugs present in Firefox 62 and Firefox ESR 60.2; some showed evidence of memory corruption that, with enough effort, could be exploited to run arbitrary code.

Source: Mozilla

How do you protect yourself?

These vulnerabilities are fixed in Firefox ESR 60.3; update affected installations to that release or later.

FilesLocker Ransomware

A new ransomware called FilesLocker is being distributed as Ransomware as a Service, or RaaS, and targets Chinese- and English-speaking victims.

When first spotted, it looked like a standard small C# ransomware with little or no distribution. It turns out, though, that it is being offered as a RaaS in which affiliates can sign up and earn commissions.

The RaaS claims to have the features you would expect, such as victim tracking, customization, strong encryption, and the clearing of shadow volume copies.

It includes an embedded public encryption key that is used to encrypt a victim's files. Because the private key needed to decrypt the files is known only to the ransomware developer, there is no way to get the files back for free.

When encrypting a victim's files, it targets specific folders such as Desktop, Documents, Music, Pictures, etc., and appends the .locked extension to each encrypted file. When encryption is done, it opens a ransom screen that provides a bitcoin address for payment, a unique victim ID, and an email address for the victim to contact.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against FilesLocker ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from ransomware. Avoid clicking unknown links and downloading suspicious attachments, and keep offline or versioned backups so encrypted files can be restored without paying.
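As an added illustration, not taken from BleepingComputer's write-up or from the malware, here is a small Python detection heuristic for the behaviour described above: a burst of files under a user's Desktop, Documents, Music or Pictures folders gaining the .locked extension. The event records, time window and threshold are constructed assumptions for this example.

```python
# Flag a FilesLocker-style encryption burst in constructed file-create events.
# Heuristic from the behaviour above: many files under the targeted user folders
# (Desktop, Documents, Music, Pictures) gain ".locked" within a short window.
# Event records, window and threshold are constructed for this example.
from collections import defaultdict
from pathlib import PureWindowsPath

TARGET_FOLDERS = {"desktop", "documents", "music", "pictures"}
LOCKED_EXT = ".locked"

# Constructed sample events: (epoch seconds, event type, full path).
SAMPLE_EVENTS = [
    (1000, "create", r"C:\Users\alice\Documents\report.docx.locked"),
    (1001, "create", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    (1001, "create", r"C:\Users\alice\Pictures\holiday.jpg.locked"),
    (1002, "create", r"C:\Users\alice\Desktop\notes.txt.locked"),
    (1003, "create", r"C:\Users\alice\Music\song.mp3.locked"),
    (1500, "create", r"C:\Users\alice\Downloads\setup.exe"),    # not targeted
    (1600, "create", r"C:\Users\bob\Documents\todo.txt.locked"),  # one file only
]

def in_target_folder(path: str) -> bool:
    """True if any directory component is one of the targeted user folders."""
    parts = PureWindowsPath(path).parts
    return any(p.lower() in TARGET_FOLDERS for p in parts[:-1])

def locked_bursts(events, window=60, threshold=3):
    """Return {user_root: max_count} for each user profile whose targeted folders
    gained at least `threshold` .locked files inside `window` seconds."""
    per_user = defaultdict(list)
    for ts, kind, path in events:
        if (kind != "create" or not path.lower().endswith(LOCKED_EXT)
                or not in_target_folder(path)):
            continue
        parts = PureWindowsPath(path).parts
        per_user[str(PureWindowsPath(*parts[:3]))].append(ts)  # drive\Users\name
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits

if __name__ == "__main__":
    print(locked_bursts(SAMPLE_EVENTS))  # {'C:\\Users\\alice': 5}
```

Feed it real file-create telemetry (EDR or audit events) in the same tuple shape and tune the window and threshold to the host's normal churn.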