Xenomorph Malware Spreads to Spanish and American Banks in Latest Campaign
Cybersecurity analysts from ThreatFabric recently discovered a resurgence of Xenomorph malware. The malware relies on deceptive phishing webpages posing as a Chrome update that trick victims into downloading malicious APKs. The latest campaign has seen a geographical expansion, with thousands of Xenomorph downloads recorded in Spain and the United States, reflecting a broader trend among malware families to target new markets across the Atlantic.
Xenomorph first came to the attention of experts in February 2022. This malware is known for using overlays to capture personally identifiable information (PII) such as usernames and passwords. Notably, it features a sophisticated automated transfer system (ATS) engine, enabling a wide range of actions and modules, enhancing its adaptability.
In technical terms, Xenomorph has added new capabilities to its arsenal, including an anti-sleep feature, a “mimic” mode to avoid detection, and the ability to simulate touch actions. The malware’s targets include Spain, Portugal, Italy, Canada, Belgium, numerous US financial institutions, and cryptocurrency wallets.
Another noteworthy development is the observation of Xenomorph being distributed alongside powerful desktop stealers, raising questions about potential connections between threat actors behind these malware variants or the possibility that Xenomorph is now being offered as a Malware-as-a-Service (MaaS) for use in conjunction with other malicious software families.
According to an advisory published by ThreatFabric on Monday, this resurgence underscores the persistent efforts of cyber-criminals to maximize their profits.
“Xenomorph maintains its status as an extremely dangerous Android Banking malware, featuring a very versatile and powerful ATS engine, with multiple modules already created, with the idea of supporting multiple manufacturer’s devices.”
Read: https://www.infosecurity-magazine.com/news/xenomorph-targets-30-us-banks/
Phishing Campaign Continues to Target Luxury Hotels
Cybercriminals are continuing to target the hospitality industry with phishing campaigns, even as the effects of the show-stopping cyber attacks on MGM Grand and Caesars are still being felt. The offensive uses social-engineering tactics — similar to tactics that crippled the resort casinos earlier this month — to spread info-stealing malware.
The campaign, discovered by researchers at Cofense Intelligence, leverages reconnaissance emails and instant messages to bait employees at luxury resorts and hotel chains into a response. According to a Cofense blog post published Sept. 26, once the threat actors receive a response to the initial email, they will then follow up with phishing messages that leverage several methods known to disrupt email security analysis and secure email gateways (SEGs), so that the messages reach intended targets.
These tactics include the use of trusted cloud domains in emails, password-protected archives, and executable files that are so large they can disrupt analysis, according to the report.
“From the reconnaissance email all the way to the malicious payload, this campaign and its infection chain are both highly sophisticated and well-thought-out by the threat actors,” Cofense cyber threat intelligence analyst Dylan Duncan wrote in the post.
This attention to detail is reflected in “the success of these emails reaching intended targets,” with a notable uptick in the campaign through August and into September “at an alarming rate,” he added. Indeed, 85% of the phishing emails observed in the campaign have been sent in the last 60 days, with September showing a higher incidence of messages than August, according to Cofense.
Read: https://www.darkreading.com/cloud/mgm-caesars-incidents-attackers-luxury-hotels
Canada leads new UN declaration to fight online disinformation
Canada’s Foreign Affairs Minister Mélanie Joly has launched a new UN declaration to combat online disinformation, which she says poses a threat to democracy and human rights. The Global Declaration on Information Integrity Online, which has been signed by 27 countries, including some of the world’s leading democracies and technology powers, aims to create global rules and standards for the online information ecosystem.
The signatories of the document have pledged to take measures to ensure the integrity and reliability of information on the internet, such as promoting media literacy, supporting independent journalism, and holding platforms accountable for their content moderation policies. They have also agreed to establish global norms and standards on how to govern the online space based on the principles of democracy, human rights, and the rule of law.
Moreover, the declaration addresses the challenges and opportunities posed by artificial intelligence, such as ChatGPT, which can generate realistic text and images that can be used for good or ill. The document promises to monitor and respond to the impact of AI on the online information environment and to foster cooperation and innovation in this field.
The Global Declaration on Information Integrity Online comes amid growing concerns over the use of disinformation by some actors to manipulate public opinion and interfere in democratic processes. According to Joly, Russian authoritarian regimes have used disinformation to silence dissenting voices and oppress their own citizens by justifying their illegal invasion of Ukraine. She called the declaration a “concrete step towards establishing global norms on disinformation, misinformation, and information integrity.”
Read: https://nationalpost.com/news/politics/canada-un-declaration-online-disinformation
Rumble resists UK pressure to demonetize Russell Brand amid censorship law
Rumble, a video-sharing platform that supports free expression, is facing criticism from the UK media and officials for refusing to demonetize comedian Russell Brand, who was accused of sexual assault by an anonymous source. Brand has denied the allegations and has not been arrested, charged, or convicted of any crime.
The UK Parliament had asked Rumble to cut off Brand’s monetization, following the example of YouTube and other companies that took action against him. However, Rumble’s CEO Chris Pavlovski rejected the request, saying that the allegations against Brand have “nothing to do with content on Rumble’s platform.” The decision has sparked backlash from several media outlets and people who helped craft the UK’s new censorship law, the Online Safety Bill, which will require online platforms to remove harmful or illegal content.
The law will come into effect next month and will cover a wide range of harms, including psychological harm, potential harm, false communications, and material that incites violence or racial hate. Some of Rumble’s critics have called it a “crazy American platform” and a “haven for disinformation and extremism.” They have also accused Rumble of “grandstanding before the press” and ignoring the UK’s authority. However, Rumble’s supporters have praised it for standing up for free speech and providing a platform for alternative voices. They have also questioned the motives of some UK politicians who have ties to pro-censorship groups or companies.
Read: https://reclaimthenet.org/media-online-safety-bill-rumble
Dr. Fauci’s Role in CIA’s COVID-19 Origins Review Questioned by Republican Congressman
Dr. Anthony Fauci, the former director of the National Institute of Allergy and Infectious Diseases, has been accused of interfering with the Central Intelligence Agency’s (CIA) investigation of the origins of COVID-19. A Republican congressman, Brad Wenstrup, who chairs the Select Subcommittee on the Coronavirus Pandemic, has revealed new allegations that Dr. Fauci visited the CIA headquarters without a record and tried to influence the review’s outcome.
According to a letter sent by Chairman Wenstrup to CIA Director William Burns, Dr. Fauci was escorted into the CIA headquarters by a special agent, Brett Rowland, and participated in the analysis of the COVID-19 origins. The letter also claims that Dr. Fauci prompted the drafting of a paper titled “Proximal Origin,” which was used to attempt to disprove the lab leak theory. The paper was published in Nature Medicine in March 2020 and was co-authored by several scientists who had ties to the Wuhan Institute of Virology, where some suspect the virus originated.
Chairman Wenstrup is seeking all documents and communications related to Dr. Fauci’s access to the CIA facilities and employees as it relates to these allegations. He also requests that Special Agent Rowland appear for a transcribed interview to testify about Dr. Fauci’s movements to and from the CIA. Chairman Wenstrup says his goal is to ensure that the scientific investigative process regarding the origins of COVID-19 is fair, impartial, and free of alternative influence. He says he is concerned that federal government officials may have covered up the true origins of COVID-19 and misled the public.
Read: https://oversight.house.gov/release/wenstrup-reveals-new-allegations-that-dr-fauci-potentially-influenced-cia-covid-19-origins-investigation/
The Real Story Behind The #FreedomConvoy
The characterizations (and character assassination) from the MSM around last year’s trucker protest were, and continue to be, cartoonish if not defamatory. We even took a fair amount of heat for publicly supporting the truckers and their sole objective of ending the vaccine mandates.
Over the intervening time, it now looks like most people feel the same way, while the mainstream media and politicians continue to demonize the convoy participants and supporters as “nazis” (ironic, given what just happened in the House of Commons last Friday).
FreedomConvoy organizer B. J. Dichter went on the Triggernometry podcast last week where he revealed the real story behind the Freedom Convoy and the machinations from the press and political class to smear it.
Watch: https://www.youtube.com/watch?v=eEgb42VenIY&t=3227s
Elsewhere online:
Ontario-backed Canadian tech company faces foreign espionage claims
Read: https://www.thestar.com/business/technology/canadian-tech-company-allegedly-implicated-in-foreign-spying-received-millions-from-ontario-government/article_ddadd556-9836-587d-8b56-e58e9ef8c936.html
Sony Faces Possible Data Breach by Ransomware Group
Read: https://www.securityweek.com/sony-investigating-after-hackers-offer-to-sell-stolen-data/
Chinese APT Rewrites Cisco Firmware to Breach US and Japan Targets
Read: https://www.darkreading.com/threat-intelligence/china-apt-cracks-cisco-firmware-attacks-against-us-japan
DarkBeam Leaks 1.5 Billion Records of Users’ Personal and Financial Data
Read: https://securityaffairs.com/151566/security/darkbeam-data-leak.html
Ransomware Gang Leaks Data of Greater Manchester Police from Third-Party Supplier
Read: https://www.cpomagazine.com/cyber-security/greater-manchester-police-investigating-a-third-party-data-breach-from-a-ransomware-attack/
Previously on #AxisOfEasy
I think this week’s quotation is from Thomas Edison.
The quote is sometimes incorrectly ascribed to Churchill, but there is no evidence he ever said it. It may actually be anonymous in the exact wording used.
Mark Twain