First seen in the wild – Malware uses Corporate MDM as attack vector

Research by: Aviran Hazum, Bogdan Melnykov, Chana Efrati, Danil Golubenko, Israel Wernik, Liav Kuperman, Ohad Mana

Overview:

Check Point researchers discovered a new Cerberus variant which is targeting a multinational conglomerate, and is distributed by the company's Mobile Device Manager (MDM) server. This malware has already infected over 75% of the company's devices. Once installed, this Cerberus variant can collect large amounts of sensitive data, including user credentials, and send it to a remote command and control (C&C) server.

This is the first time we have a reported incident of lateral movement inside a corporate network that utilizes the MDM server as a means of spreading. Malicious actors keep upgrading their tactics and techniques, becoming more and more complex. Cisco's TALOS has reported in the past a campaign using an actor-owned MDM to control victims' devices, and this campaign takes it to the next level – compromising a corporate-owned MDM and spreading malware to more than 75% of the corporation's devices via the compromised MDM.

This incident underscores the importance of distinguishing between managing and securing mobile devices. Managing a mobile device means installing applications, configuring settings, and applying policies on multiple devices at once. Securing a mobile device means protecting it from malware threats and attacks. MDM's most prominent feature, arguably the reason for its existence, is also its Achilles' heel – a single, central control for the entire mobile network. If that platform is breached, so is the entire mobile network.

In this case, we can divide the company's devices into two categories – those with SandBlast Mobile, and those without. The protected device owners did not have access to corporate resources, while the owners of non-protected devices did – along with an installed malware that allowed the threat actor to control the device remotely.

On February 18, 2020, we detected two malicious applications installed on a large number of the customer's devices. As all the malicious applications were installed in a very short window of time, we assume that there is some automation involved. Two possibilities came to mind immediately – the first is a malware with lateral movement capabilities, and the second is that the customer's MDM was breached.

Figure 1: Two spikes showing a large number of new malicious applications were installed.

Later, the customer confirmed that their MDM was indeed breached. This suggests a targeted attack against the company. After gaining access to the customer's MDM, the attacker utilized the MDM's ability to install applications remotely to install malware on more than 75% of the company's devices.

We started collecting data on the attack itself. The C&C listens on port 8888, and there is no hostname, just a Russian IP address. The On-device Network Protection's verdict on the C&C is 'Malicious / Infecting Website.' Under the right policy, with On-device Network Protection, all communications with the C&C could have been blocked.

After some initial research, we concluded that this malware is a new variant of the Cerberus Banking Trojan for Android, a known Malware-as-a-Service (MaaS) that allows anyone to rent its services to build their own payload, and configure, command and control its devices. But this new variant is equipped with more than the average banker – it has Mobile Remote Access Trojan (MRAT) capabilities. These capabilities include logging all keystrokes on the device (credentials included), stealing Google Authenticator data and any SMS received (2FA included), and commanding the device remotely via TeamViewer.

We took a closer look at those two samples, and it became very clear that their abilities were almost identical. From this stage onward, we refer to those samples as 'the main module' of the malware. We explore the technical aspect of the malware in the 'Technical Analysis' section.

Technical Analysis:

Malware Capabilities:

Though this malware belongs to the Cerberus Banker family, as we said previously, this campaign has MRAT capabilities and can steal users' information such as call logs, SMS, credentials, and installed applications. This malware consists of two parts – the main application, and a DEX file that is received as a payload from the remote C&C server. The malware starts by showing a window that masquerades as an update for the Accessibility service.
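The install spikes in Figure 1 are the kind of signal an MDM audit log can surface on its own: an admin-driven rollout reaches devices gradually, while a push through a compromised MDM reaches most of the fleet within minutes. As an added illustration that is not Check Point's code or tooling (the 20-device fleet, the package names and the timestamps below are all constructed, and the package names are placeholders rather than the real ones from the incident), the following Python script slides a time window over per-package install records and flags any package that reached a configurable fraction of the fleet inside that window, while ignoring reinstalls on the same device so they cannot inflate the count.

```python
"""Flag fleet-wide application pushes in an MDM install audit log.

Added example, not part of the original write-up. Record format, device ids,
package names and timestamps are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed fleet of 20 managed devices
FLEET = [f"dev-{i:03d}" for i in range(1, 21)]


def _parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed audit records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def build_sample_events():
    """Constructed MDM install-audit records as (iso_timestamp, device_id, package)."""
    events = []
    # A legitimate mail client rolled out by an admin over two days, one device every 6 hours
    t = datetime(2020, 2, 16, 9, 0, 0)
    for dev in FLEET[:8]:
        events.append((t.isoformat(), dev, "com.example.mail"))
        t += timedelta(hours=6)
    # Two packages pushed to 16 of 20 devices within four minutes, the shape of the
    # incident's Figure 1 (placeholder package names, not the real ones)
    t = datetime(2020, 2, 18, 9, 0, 0)
    for i, dev in enumerate(FLEET[:16]):
        for pkg in ("com.placeholder.accessibilityupdate", "com.placeholder.helper"):
            events.append(((t + timedelta(seconds=15 * i)).isoformat(), dev, pkg))
    # One device reinstalled the helper later; it must not be counted as a new device
    events.append((datetime(2020, 2, 18, 12, 0, 0).isoformat(), "dev-003", "com.placeholder.helper"))
    return events


def find_mass_pushes(events, fleet_size, window=timedelta(minutes=15), min_fraction=0.5):
    """Return {package: (peak_device_count, window_start_iso)} for every package that
    was installed on at least min_fraction of the fleet within any sliding window."""
    first_install = defaultdict(dict)  # package -> {device_id: earliest install time}
    for ts, dev, pkg in events:
        t = _parse_ts(ts)
        # Keep only the earliest install per device so reinstalls do not inflate counts
        if dev not in first_install[pkg] or t < first_install[pkg][dev]:
            first_install[pkg][dev] = t

    flagged = {}
    for pkg, per_device in first_install.items():
        times = sorted(per_device.values())
        best, best_start = 0, None
        start = 0
        # Two-pointer sweep: for each install, shrink the window from the left until
        # it spans at most `window`, then record the number of devices inside it
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_start = count, times[start]
        if best / fleet_size >= min_fraction:
            flagged[pkg] = (best, best_start.isoformat())
    return flagged


if __name__ == "__main__":
    hits = find_mass_pushes(build_sample_events(), fleet_size=len(FLEET))
    for pkg, (count, started) in sorted(hits.items()):
        print(f"{pkg}: {count}/{len(FLEET)} devices starting {started}")
```

Run on the constructed records, the two burst packages are reported with 16 of 20 devices each and the slow mail-client rollout is not, because its installs never cluster inside a single window. On a real MDM the same sweep would run over the platform's install or command audit export, with the window and fraction tuned to the organisation's normal rollout cadence.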