Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, 16 November 2022, 6:46 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese Threat Actor Runs Massive Phishing Campaign

A new report by UK threat intelligence company Cyjax details a sophisticated, large-scale phishing campaign that trades on the reputation of internationally-trusted brands, targeting businesses in multiple segments including retail, travel, pharmaceuticals and energy. The group, which Cyjax has christened "Fangxiao", has controlled at least 42,000 domains since 2019, driving victims to them via links send through WhatsApp. The link takes them to a landing domain impersonating any of over 400 well-known and trusted brands including Emirates, Unilver, Singaporean shopping site Shopee, Coca-Cola and others.

A complex redirection chain brings the victim to an online survey page with a timer to add urgency; once the victim has completed the survey, the site appears to "validate" their answers and incites them to play a simple animated game, which they will "win" after two or three clicks. But to claim their prize, they must share the phishing campaign via WhatsApp, to five groups or 20 friends. At the end of this process, the page delivers any of many dodgy advertisements, affiliate scams, micropayment scams or the Triada Android malware. In short, it's a cesspit.

Cyjax has extensively documented the various redirection chains, but many are so convoluted and complex, and so constantly changing, that there is no certainty how any particular victim might be exploited. Fangxiao hides itself quite well, protecting its infrastructure behind Cloudflare and rapidly cycling the domain names it uses - over 300 new unique domains appeared in just one day in October. Cyjax's report gives a lot of detail, and IOC's can also be downloaded.

Witten, Alana and Emily Dennison, Fangxiao: a Chinese threat actor, technical report, 14 November 2022. Available online at https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/.

VMware Warns of BatLoader

VMware's Carbon Black Managed Detection and Response (MDR) analysts have tracked increasing usage of a malware loader called Batloader. This new loader shares many similarities with the earlier Zloader, which is thought to be derived from the Zeus banking trojan of almost two decades ago - it is also distributed using malicious advertisements which lure victims to download signed Windows installer (.msi) files, which are disguised as installers for legitimate software such as Zoom, TeamView, Discord and others. Although much larger, Batloader seems to be an enhancement of Zloader.

Once the installer is running, Batloader uses a PowerShell inline script to download and run a chain of batch files and PowerShell scripts, as well as the necessary tools such as nircmd.exe (a command-line utility which gains admin privileges), Gpg4win (which it uses to decrypt payloads) and Nsudo.exe (used to launch programs with elevated privileges). Towards the end of the chain, Batloader adds registry entries which restrict user access on the infected machine, in order to block remediation attempts, and sometimes installs some remote management and monitoring software which the attackers will use as a backdoor.

Various final payloads can be dropped, including a banking trojan from the Ursnif/Gozi family, the Arkei/Vidar infostealer and, in some cases, a Cobalt Strike stager. Throughout all these stages, Batloader is very stealthy and persistent, and would prove difficult to remove from an infected system. Some IOC's, such as an IP address, indicate that the actor running this campaign may be Conti or one of its affiliates.

Hardin, Bethany, Lavine Oluoch and Tatiana Volbrecht, BATLOADER: The Evasive Downloader Malware, blog post, 14 November 2022. Available online at https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html.

BEC Scammer Hushpuppi Goes Down

In the "score one for the good guys" department: business email compromise scammer Ramon Olorunwa Abbas - much better known by his nickname of "Ray Hushpuppi", a.k.a. "The Billionaire Gucci Master!!!" - has been sentenced in a United States District Court to 135 months (11 years and 3 months) in a federal penitentiary, although the sentence probably includes over two years already served since his arrest in Dubai and extradition to the US.

An entertaining article in Sophos' Naked Security blog highlights the Nigerian scammer's colourful lifestyle, with pictures from his Instagram account where he shows off gangsta-style bling and private jet travel. The article becomes seriously informative, however, when it turns to extracts from Hushpuppi's correspondence with his co-conspirators, giving insights into how these whalers work around the fraud prevention measures put in place by banks.

Their process involves using money mules (themselves victim/beneficiaries of work-from-home scams) to open accounts in person at a branch, thereby passing "know your customer checks" - but in many cases the new accounts are quickly linked to criminal activities, forcing the scammers to move on. They also discuss the fact that fraudulent transfers within a country are subject to less scrutiny than overseast transfers, and therefore less likely to be blocked. However, the blocks are at least partially effective; while Abbas admitted to conspiring to launder over $US300 million, much of it did not, ultimately, end up in his - probably gold-encrusted - fingers.

Naked Security writer, "Gucci Master" business email scammer Hushpuppi gets 11 years, blog post, 14 November 2022. Available online at https://nakedsecurity.sophos.com/2022/11/14/gucci-master-business-email-scammer-hushpuppi-gets-11-years/.

Google's Android Location Tracking Burns Them Again

Australian readers will doubtless remember the action brought against Google LLC and Google Australia Pty Ltd by the Australian Competition and Consumer Commission in the Federal Court, alleging that Google had breached Australian consumer law by representing to some Android users that the setting titled "Location History" was the only Google account setting that affected whether the company collected, kept and used personal location information. In fact, the "We & App Activity" setting, which defaulted to on, also enabled Google to collect that information, and in August the Federal Court ordered Google LLC to pay $A60 million for making misleading representations.

A group of 40 State attorneys general in the US brought a similar action, and have announced that, in an out of court settlement, Google will pay these states a total of $US391.5 million. The US investigation - and probably the Australian action, too - was triggered by a 2018 Associated Press article which revealed that Google "records your movements even when you explicitly tell it not to", and detailed the two Google account settings described above. The attorneys general found that Google had violated state consumer protection laws by misleading consumers since at least 2014.

The settlement requires Google to be more transparent with consumers, and requires the company to show additional information when they turn a location-related account setting on or off, make the key information about location tracking unavoidable for users (i.e. not hidden), and give users detailed information about the type of location data collects and how it is used at an enhanced "Location Technologies" web page.

Media Team, Google LLC to pay $60 million for misleading representations, media release, 12 August 2022. Available online at https://www.accc.gov.au/media-release/google-llc-to-pay-60-million-for-misleading-representations.

AG Press, 40 Attorneys General Announce Historic Google Settlement over Location Tracking Practices, press release, 14 November 2022. Available online at https://www.michigan.gov/ag/news/press-releases/2022/11/14/40-attorneys-general-announce-historic-google-settlement-over-location-tracking-practices.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: