Tag: Trojan

Security, Tech

Googles Banking on More Than Apps

Consider following on social media!

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

Gina: Why does it seem like I never have any money?
Z-Daddy: Inflation. Politics and inflation will cause that.
Photo by Andrea Piacquadio, please support by following @pexel.com

You know, it seems like everyone wants to be like Capital One and find out what’s in your wallet, and with the recent threat on the Google Play Store, they may have found just that.

Trojans are clearly not a new problem seeing as though they’ve been around since it seemed like stuffing a wooden horse full of sweaty men ready to murder was a good idea, but as of late they have been on the rise, and this is especially when it comes to applications for Android devices. Yes, Android community, again in danger you are.

In an effort to sort this banking madness out, we’re going to look at what kind of attack this is, who used it, its functions and effects upon release, and what are some ways you can protect your bank account from decreasing due to the threat actor inflation.

You ever get that feeling like your wallet is getting fisted?
Photo by Pixabay, please support by following @pexel.com

The Attack

The Google Play Store is getting hit with banking trojans but the latest one is racking up some numbers under its belt. Banking trojans for those who may not be familiar are malware that tries to steal your credentials to gain access to your financial institution.

This one has been around since 2021 and has gone by other names such as TeaBot and Toddler but its current name is Anatsa. What makes Anatsa interesting is that it was spotted hiding among utility apps like PDF (Portable Document Format) readers and QR (Quick Response) code scanners.

The use of these allows for credentials to be siphoned from its users. Anatsa is proving to be a large threat by targeting over 400 financial institutions across the world, making it the most prolific banking malware to date.

The best never get caught, kid. Never meet your heroes.
Photo by Connor Danylenko, please support by following @pexel.com

Who Can It Be Now

As with all good threat actors who use malicious software and evade detection, no one person or group has been appointed for using the Anatsa malware.

But it has been noted that threat actors are hiding the malware among applications for people to download in hopes of collecting their information.

This was pointed out by ThreatFabric which is a firm that provides expertise and security tools to mitigate fraud to banks.

Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?

From the sewers to the main street and now into your wallet. We’re all floating to the big time Georgie.
Photo by Wilson Vitorino, please support by following @pexel.com

The Sinking Feeling

Anatsa can perform overlay attacks—this is the act of having what looks like a legitimate window (i.e., a fake Google webpage) when really it is tricking the user to give sensitive information, stealing credentials as well as logging activities, it does this by abusing the permissions to Android’s accessibility services API (Application programming interfaces).

In the latest activity, it has seen the dropper apps (trojan apps) after being installed, perform a pull request from GitHub page that is pointing to another GitHub URL (Uniform Resource Locator) housing the malicious payload. This aims to trick the victim by posing itself as application add-ons.

This is thought to be done by using sketchy advertisements. Another thing that the droppers make use of is the restricted “REQUEST_INSTALL_PACKAGES” permission. This is commonly exploited by most rogue apps hosted on the Google Play Store.

If you find you have any of the apps listed below, then you may have been infected.

  • All Document Reader & Editor (com.mikjaki.documentspdfreader.xlsx.csv.ppt.docs)
  • All Document Reader and Viewer (com.muchlensoka.pdfcreator)
  • PDF Reader – Edit & View PDF (lsstudio.pdfreder.powerfultool.allinonepdf.goodpdftools)
  • PDF Reader & Editor (com.proderstarler.pdfsignature) / (moh.filemanagerrespdf)

These five apps have been updated since the first publication, this is most likely in a sneaky attempt to cargo the malicious functionality after passing the app review process during the first submission.

Google Play Store dropper apps have grossed over 30,000 installations to date which indicates there is an official storefront app for distribution of Anatsa. There is a list of countries that are of interest to Anatsa based on the number of financial applications that have been targeted.

This latest campaign shows the threat landscape that banks and financial institutions face in today’s digital world is shaping to be a bit of a problem. Imagine what would happen if we switched to an all-digital currency.

Oh god, I have to edit and raffle through apps too. I HATE THE INTERNET!
Photo by energepic.com, please support by following @pexel.com

The Prevention

The interesting problem is since transactions are being made from the same device, it’s proving to be very challenging for anti-fraud systems to find. Some ways that may help in securing your information are reading comments, reviews, and fishing through past user reviews before opting to download and install.

Be mindful that when it comes to downloading from third parties who require downloading from an unknown source you are to exercise extreme caution and scan before choosing to complete the installation.

Running scans and digging through comments can be a bit of a hassle but trying to quickly recover from having people leave with everything in your wallet could be more of a hassle.

Tish: Okay, so Scriptingthewhy is somewhat informative.
Dave: It’s more than you knew yesterday, I’d say they’re pretty informative.
Photo by Edmond Dantes, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like there is something I may have missed on Anatsa Trojan? Script a comment below.

Programming, Security, Tech

TLC was Right About Your Boss

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

women sat in bed taking note.
I probably should check to see if there’s anything new on Scriptingthewhy before I login for work.
Photo by Ivan Samkov, please support by following @pexel.com

Here you are sitting in front of your computer, and you’re thinking to yourself;” You know today is the perfect day to go on some un-named sites.” That was a joke, no one ever thinks that. In fact, most people rarely think to stray away from their daily norms.

You get up out of bed, grab a cup of coffee, say hi to the cohabitator or fellow inhabitants, and then move on to go about your day online. This may be the case if you work from home, but for the rest of the world, it’s sitting in morning traffic and questioning the meaning of life while simulating The Belko Experiment in our heads.

Well, have you ever had that feeling after spending some time online, you logged out and called it a day but when logging out you feel like something is a little off. That feeling could be that random download that you didn’t care to stop but in case you thought that couldn’t be the case, let me explain how.

man sitting holding a book at desk smiling.
Sarah’s working from home today? Oh yeah, it is Double-Cheeked up Thursday.
Photo by Andrea Piacquadio, please support by following @pexel.com

R.A.T Vs Rat

What is this file that is taking residence on your computer? Well, look no further than you may have a rat in your midst. No, not the cute rodent that most people find disgusting because their cousins are often found running the subways of New York.

A side thing to note; they are actually clean animals; they just don’t get a fair shake. Us silly humans, we’re always fearing what we don’t understand. You may have a Remote Access Trojan (R.A.T), this is a type of malware that finds its way into your computer and can perform surveillance and can gain unauthorized access to your personal computer (PC).

RATs can behave in the manner of keylogger applications by automatically collecting information on keystrokes, usernames and passwords, browser history, and emails are a few things to mention.

They differ from keyloggers however, in the sense that RATs give the attacker the capability to gain access to unauthorized remote access to your PC. So if you could imagine, your boss who has a crush on you and is really good with computers, and since you may be working from home, somehow they take control of your computer, flip on the webcam and there you have it. You may not want to be walking around in your lounge clothes double-cheeked up when you’re supposed to be in work attire is all I’m saying.

Another lovely surprise is a backdoor is left open for the attacker to come and go as they please without you ever noticing. This can lead to changing the behavior of the machine, browsing, and copying files, and using your internet connection to perform some good old illegal activities.

man using binoculars to see.
This was the webcam before the internet. Yup, Sarah is working from home today. #IWantAPoundCake
Photo by Andrea Piacquadio, please support by following @pexel.com

Hacking Motives

You may be thinking to yourself saying “This is nuts! Who would do such a thing?” Aside from your crushing hard-on-you creep boss, hackers – who could be anyone, they don’t look any particular way – would resort to using this tactic to get information for a wide array of reasons.

Scenarios could be collecting your information either selling it or using it as blackmail or performing some type of extortion with it, installing more malicious malware, or doing a combination of all the above.

What are some motives that would cause one to do this? Well in most cases it has to deal with people wanting money, it kind of makes the world go round you know. And in other cases, in the words of Bag-Head (I know that’s not his name but I’m calling him that anyway) from the movie The Strangers, it’s because you were home. This is said because there are some instances where an attack takes place simply because it was able to.

businessman sat at laptop thinking to himself.
Sarah is inspiring me to get a mail-order bride. $200? I don’t know, that’s a bit expensive.
Photo by Sora Shimazaki, please support by following @pexel.com

Phishing for Mail-Order

Thinking to yourself now, “How do I stop something like this from happening to me?” Don’t know what age you are while reading this, but I grew up in the era when your parents would inform you, they were going to be leaving soon and you are going to be in charge of the house, firmly said “If someone is at the door and it’s not us, don’t open the door.”

That very saying still holds true, spear-phishing is one technique used in this attack. Any emails, website links, and redirected to download files or software received from unknown parties should be reported and removed immediately. Using anti-virus and anti-malware will aid in making sure the RAT isn’t able to work properly and assist in halting the collection of any information.

If a computer is infected and is linked to other computers, you should assume that all personal information has been compromised and immediately change login information from a clean computer. Following this credit cards and all financial activities should be monitored in the following months to catch any shady activity.

If you’re at work and find this has happened, get in contact with the system administrator and inform them of the potential threat. A well-known fact is that companies get hit due to complacency when checking emails. Yes, while a mail-order bride doesn’t sound like a bad idea, that potential risk to have your identity stolen or worst having the company’s PC corrupted could see you in line with hitting an iceberg.

two people talking in a modern workspace.
Ben: So… that link you sent me. I purchased a mail-order bride. We’re good with that, right?
Sarah: I never sent you a link. Wait, you bought what now!?
Photo by Sora Shimazaki, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Have you ever experienced a RAT attack? Script a comment about it below.

Programming, Security, Tech

Super Mario 3: The Spicy Meatball Edition

Consider following on social media!

Quick note: if you’re viewing this via email, come to the site for better viewing. Enjoy!

This might be the new mushroom kingdom if things don’t get better with Mario.
Photo by Russell Butcher, please support by following @pexel.com

All might not be so one up in the mushroom kingdom. Gamers who love playing as the tubby loveable plumber hopping in and out of pipes might want to opt for playing his other games until the sewage clears.

In a nutshell, if you have downloaded Super Mario 3: Mario Forever then the game isn’t the only thing that might be running on your computer. We’re going to look at what kind of attack this is, who used it, the functionality and effects upon its release, and what are some ways you can prevent this from being your computer’s last one up.

Subscribe today to Scriptingthewhy or Mario will beat you with a spicy meatball!
Photo by Pixabay, please support by following @pexel.com

The Attack

One-upping everyone to speed who is unfamiliar with the loveable plumber, his brother Luigi, the Princess Peach, and everyone in the mushroom kingdom, Mario is a popular platformer game that was released in 1985 on the home console Nintendo Entertainment System or widely known as NES under the title “Super Mario Bros.”

The objective of the game was to rescue the chronically kidnapped Princess Peach from the overgrown-I-don’t-know-how-this-relationship-would-work-because-his-a-lizard-and-she’s-a-human King Bowser. Just know a long story short there are some questionable motives on all parties, but Mario goes on a massive trip to rescue her time and time again. And one of those times was the Super Mario 3: Mario Forever game.

For those who may not know, Mario Forever is a fan-made game that was released in 2003 with the old-school NES side-scrolling and art style with an updated look and some new features.

Within the Super Mario game, trojan malware has been released for unsuspecting gamers with the intent to do some mining. And before you make the joke, it’s not mining with Minecraft. Minecraft has its own problems to dig through.

We may have to take a closer look when downloading files.
Photo by cottonbro studio, please support by following @pexel.com

Who Can It Be Now

Digging through research, threat actors were discovered by Cyble—a cyber threat intelligence and research company, that has spotted threat actors distributing a slightly different sample of Super Mario 3 installer.

It has been known that threat actors frequently hide malware in-game installers and since Mario is a highly popular gaming franchise this makes the perfect attack vector for threat actors.

Just when you thought Mario couldn’t plunge himself deeper into your wallet. Thanks a lot Nintendo.

Enjoy the read so far? Why don’t you consider subscribing so you can keep up to date?

Derek: Z-Daddy, you mean like the malware piggy backs like this?
Z-Daddy: That Derek but in this version there’s two spicy meatballs.
Photo by Pexels User, please support by following @pexel.com

The Sinking Feeling

Appearances of Mario Forever, the trojan edition, have been thought to be seen circulating on gaming forums, and social media outlets, and appearing high up on search results. In this attack, there are three portions.

The first installs the Mario game and the other two secretly creep into the victim’s AppData directory during the installation. Once this process is complete, the installer fires up the XMR and the SupremeBot mining client. All the information about the victim’s machine is collected and sent to a mining server to begin the mining process.

A quick thing to note, XMR which is better known as Monero, is a mining program used by cybercriminals for crypto-jacking. In short, it makes use of the CPU (Central Processing Unit) to mine for Monero coins, the irony. The file for Monero will appear as “java.exe”. While this happens, SupremeBot, which will appear as a file named “atom.exe”, creates a copy of itself and places it in a hidden folder of the game’s installation directory.

Afterward, hiding under the name of a legitimate process, a scheduled task is created to run the copy every 15 minutes indefinitely. The first process is stopped, and the original file is deleted, this is done to avoid detection. Once that is completed, the malware sets up a connection with the C2 (Command and Control) server, here is where the collected data is transmitted, information about the client is registered, and the configuration for mining Monero is run.

SupremeBot then receives the payload from the C2 server in the form of a file named ‘wime.exe.’ This final file is called Umbral Stealer (UmS)—an information stealer programmed in C# designed to steal from infected Windows devices. All the information stored in web browsers such as, but not limited to, stored passwords, cookies, session tokens, crypto wallets, credentials, and authentication tokens for Discord, Minecraft, Roblox, and Telegram.

UmS can also create screenshots of the desktop, gain control of the webcam, and other media devices and collect local data before exiting to the C2 server. If that wasn’t enough, UmS can bypass the Windows Defender if tamper protection isn’t enabled.

If not enabled, UmS will add itself to Defender’s exclusion list, this means if it wasn’t on the welcome list before, it is now. UmS will also configure Windows host files to hinder communication with antivirus products rendering them ineffective. Just when you thought having a little security couldn’t get any smaller.

So, do I… squat to get into the pipe or…what? How do I protect Mario anyway?
Photo by cottonbro studio, please support by following @pexel.com

The Prevention

Any gamer will tell you that it’s hard to keep Mario completely safe while traversing Mushroom World on his never-ending quest to rescue Princess Peach. Many know it takes a couple of hits to cost Mario a life, but it only takes one for your computer.

A few ways to defend are downloading from official sources as third-party sources could have malware. It is best to frequently scan any downloads before running them on your computer.

Always make sure your antivirus software is up to date. If you feel as though you may have downloaded an infected version of Mario Forever, then you should scan your computer and remove anything detected.

If found, you should prioritize what is most important and change all passwords to any logins such as personal, banking, emails, and financial immediately. Keep your information safe and let Mario be the one running around in a panic.

Yea, I’ll just wait until this whole thing blows over. I’ll help Mario with his mushroom addiction later.
Photo by Anurag Sharma, please support by following @pexel.com

Made it this far and found this to be entertaining? Then a big thanks to you and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plug-in to follow.

Would like to give sincere thanks to current followers and subscribers, your support and actions mean a lot and has a play in the creation of each script.

Do you feel like there is something I may have missed on Monero, SupremeBot, or Umbral Stealer? Script a comment below.