Paradise Ransomware Spreading Through Unusual Attachments
Paradise ransomware is not new, but its latest distribution method is unusual. It still arrives by email, but instead of the typical Word document or Excel spreadsheet the message carries an .IQY (Excel Web Query) attachment. When opened in Excel, the file instructs the application to connect to a URL and retrieve content, which in this campaign leads to the download of the actual ransomware payload. What makes these attachments harder to catch is that an IQY file is just a small text file: it contains no malicious code of its own, only the instruction to fetch it, so many attachment filters and endpoint scanners let it through.
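As an added illustration of why these attachments slip past content scanners, here is a small Python scanner (my example, not code from the article or from the Paradise campaign) that parses an .iqy file and flags queries pointing at hosts outside an allowlist. It assumes the standard Excel Web Query layout (a WEB header line, a version line, then the URL, then optional key=value settings); the allowlist host, both sample files and the 198.51.100.23 address are constructed for the demonstration.

```python
"""
Scanner for Excel Web Query (.iqy) attachments.

An .iqy file is plain text: a "WEB" header line, a version line ("1"),
the URL Excel will fetch, then optional key=value settings. The file
itself carries no executable content, so the scanner works from the
only thing that matters: where the query points.
"""
import ipaddress
from urllib.parse import urlparse

# Hosts allowed to serve web queries. Constructed example value; an
# organisation would populate this from its own approved data sources.
ALLOWED_HOSTS = {"reports.example.internal"}


def parse_iqy(text: str) -> dict:
    """Split an .iqy file into its version, target URL and options.

    Raises ValueError if the file does not start with the WEB header.
    """
    # Drop a UTF-8 BOM and blank lines; Excel tolerates both, so must we.
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    options = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "options": options}


def _is_ip_literal(host: str) -> bool:
    """True if the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_iqy(text: str) -> dict:
    """Return the URL an .iqy file would fetch and the reasons it was flagged."""
    query = parse_iqy(text)
    parsed = urlparse(query["url"])
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {parsed.scheme!r}")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} is not on the allowlist")
    if _is_ip_literal(host):
        reasons.append("URL uses a bare IP address instead of a hostname")
    return {"url": query["url"], "host": host,
            "flag": bool(reasons), "reasons": reasons}


# Constructed samples. The malicious one mimics the shape of a phishing
# attachment (CRLF line endings, bare IP); the address is taken from the
# 198.51.100.0/24 documentation range and does not point anywhere real.
MALICIOUS_IQY = "WEB\r\n1\r\nhttp://198.51.100.23/update.php\r\nSelection=AllTables\r\n"

BENIGN_IQY = (
    "WEB\n1\nhttps://reports.example.internal/sales.html\n"
    "Selection=1\nFormatting=None\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_IQY), ("benign", BENIGN_IQY)):
        verdict = assess_iqy(sample)
        print(label, "->", "FLAG" if verdict["flag"] else "ok", verdict["reasons"])
```

The point of the example is that a signature scanner has nothing to match on: the whole file is a URL and a few settings, and whatever Excel is made to evaluate only appears once the URL is fetched. That is why the useful control is on the destination (an allowlist or, as many organisations do, an outright block of the .iqy extension at the mail gateway), not on the attachment's bytes.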
Malicious Coronavirus Mapping Apps Spreading More than Misinformation
Many malware authors are capitalizing on the coronavirus (COVID-19) outbreak through phishing campaigns and renamed ransomware variants. Their latest effort is an app that claims to "track" the spread of the virus across the globe but instead drops malicious payloads on unsuspecting victims' devices. Some of these apps lock the device and demand a small ransom to unlock it, while others deliver full ransomware payloads that encrypt files and upload them to a remote server. Fortunately, researchers quickly recovered a decryption key for unlucky victims.
https://www.helpnetsecurity.com/2020/03/16/fake-covid-19-tracker/
Nefilim Ransomware Uses Old Code but New Tactics
Researchers continue to track a new ransomware variant known as Nefilim (also written "Netfilim" in some reports), which has been infecting victims at an increasing rate since February. Although it reuses code from the Nemty ransomware, it spreads quickly, and its operators follow through on the threat to publish stolen data if the victim has not paid within a week of encryption. It differs from Nemty in its payment process: rather than directing the victim to a payment site reachable only through a Tor browser, it relies solely on email, using a series of seemingly random email accounts. Encrypted files are given the .NEFILIM extension. There is still no known decryptor for this variant.
Whisper App Exposes User Data and Messages
The anonymous messaging app Whisper was found to have left a database of personal user records exposed without authentication. Two independent researchers discovered the database, which held over 900 million records going back nearly eight years, and promptly contacted Whisper, which then closed off the unrestricted access. Although the records contained no financial or directly identifying information, the app does record location data, which could be used to narrow down a user's whereabouts. Whisper also asks users to enter a visible name, age, and hometown, though none of this information is verified.
TrickBot Sidesteps 2FA on Mobile Banking Apps
The TrickBot operators have developed a mobile component called TrickMo that silently circumvents the two-factor authentication (2FA) used by several mobile banking apps. Its main purpose is to intercept one-time authentication tokens: once installed on a victim's device, it captures the tokens and stores them so that fraudulent transactions can be made later. TrickMo currently targets users in Germany and is distributed under variations of the name "Security Control" to disguise its purpose. It can also tap through on-screen prompts on the user's behalf and set itself as the default SMS app in order to capture additional messages.