
FluHorse Malware Targets Android Devices, Steals Sensitive Data and Passwords
- Written by Ari Denial, Cybersecurity & Tech Writer
Check Point Research, a cybersecurity firm, has recently identified a new Android malware strain named “FluHorse,” which targets users in Eastern Asia through malicious apps that imitate legitimate ones.
The “FluHorse” Android malware has been actively targeting various industries in Eastern Asia since May 2022. It is distributed via email with the aim of stealing sensitive data such as banking information, passwords, and 2FA codes. The attack starts with an email sent to high-profile targets urging them to address a payment-related issue; a link in the email leads the victim to a phishing site. Once the victim installs the fake APK, the app harvests sensitive data.
Among the phony apps are ETC, a toll-collection app in Taiwan, and VPBank Neo, a Vietnamese banking app, both of which have more than 1 million downloads on the Google Play Store. Additionally, Check Point Research found that the campaign also uses a fake transport app with 100,000 installs, although it was not named.
The malware campaign uses fake apps that mimic the GUI of legitimate apps but have limited functionality, with only a few windows to capture the victim’s information. Once the malware captures the victim’s data, the fake app displays a “system is busy” message for approximately 10 minutes to make the process appear more realistic while the operators behind the attack attempt to intercept 2FA codes and leverage the stolen data.
The malware was developed in Dart using the Flutter platform, making it challenging to reverse engineer and decompile, and the Flutter runtime for ARM uses its own stack pointer register, adding to the complexity of the analysis.
Check Point’s analysis of the malware campaign revealed that the Flutter runtime’s use of a non-standard register on ARM made it difficult to generate accurate pseudocode during decompilation.
Despite this challenge, the researchers were able to identify the functions responsible for stealing victims’ data and communicating with the command-and-control (C2) server. Check Point also warns that the campaign is ongoing and that new malicious apps and infrastructure are appearing regularly, posing an active threat to Android users.

Facebook Foils New NodeStealer Malware Designed to Steal Information
- Written by Ari Denial, Cybersecurity & Tech Writer
Meta, the parent company of Facebook, has announced that it thwarted a new malware called NodeStealer, which emerged earlier this year and was designed to steal cookies and login credentials from various web browsers. The malware, which was distributed disguised as PDF and XLSX files, was first identified by Meta roughly two weeks after it was deployed and was likely of Vietnamese origin.
Meta took immediate action to neutralize the threat, including contacting the appropriate service providers and submitting takedown requests. The company has announced that its efforts to disrupt NodeStealer have been successful and that no new samples of the malware have been observed since February 2023.
NodeStealer is written in JavaScript and runs under Node.js. This lets the malware run on Windows, macOS, and Linux, making it highly versatile. It is also highly stealthy: most AV engines on VirusTotal fail to flag it as malicious.
The malware is distributed as a 46 to 51 MB Windows executable disguised as a PDF or Excel document, with a file name chosen to pique the recipient’s interest. Once launched, NodeStealer uses the Node.js auto-launch module to establish persistence on the victim’s machine across reboots. The malware adds a new registry key at launch, enabling it to remain undetected and active on the victim’s machine.
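The persistence mechanism described above leaves a visible trace that defenders can audit: a Run-key entry pointing at an executable that is dressed up as a document. The following script is an added example and not code from Meta or from the NodeStealer analysis. It assumes the auto-launch entry lands in the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the location the Node.js auto-launch module uses on Windows; this is an assumption, since the article does not name the key) and parses the text that `reg query` prints for that key. The sample output, names and paths below are constructed for the example. It goes slightly beyond the article by flagging two heuristics, a document-style double extension and execution from a user-writable folder, rather than only the `.pdf`/`.xlsx` disguise the article mentions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. Entry names and paths are invented for this example; the first entry is a
# benign decoy, the other two resemble a document-disguised launcher.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    "C:\Users\alice\AppData\Local\Temp\Invoice_2023.pdf.exe"
    node-app    REG_SZ    "C:\Users\alice\Downloads\report.xlsx.exe" --hidden
"""

# A document extension immediately followed by an executable extension, e.g. ".pdf.exe".
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|xlsx?|docx?)\.(exe|scr|bat|cmd|js)\b", re.IGNORECASE)

# Launch paths inside folders an unprivileged user can write to (assumed heuristic).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|AppData\\Roaming)\\", re.IGNORECASE
)


def parse_run_entries(reg_output: str) -> List[Dict[str, str]]:
    """Parse `reg query` output for a Run key into name / type / command records.

    `reg query` prints the key path unindented and each value indented by four
    spaces, with the columns separated by runs of whitespace.
    """
    entries: List[Dict[str, str]] = []
    for line in reg_output.splitlines():
        if not line.startswith("    "):
            continue  # skip the key header and blank lines
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line; ignore rather than guess
        name, reg_type, command = parts
        entries.append({"name": name, "type": reg_type, "command": command})
    return entries


def assess_entry(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons an autorun entry looks suspicious (empty if none)."""
    reasons: List[str] = []
    command = entry["command"]
    if DOC_DOUBLE_EXT.search(command):
        reasons.append("document-style double extension on the launched file")
    if USER_WRITABLE.search(command):
        reasons.append("launched from a user-writable directory")
    return reasons


def suspicious_entries(reg_output: str) -> List[Tuple[str, List[str]]]:
    """Return (entry name, reasons) for every Run-key entry that trips a heuristic."""
    flagged: List[Tuple[str, List[str]]] = []
    for entry in parse_run_entries(reg_output):
        reasons = assess_entry(entry)
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_REG_QUERY):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, feed the function the real output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and its HKLM counterpart) instead of the constructed sample. The heuristics are deliberately coarse; a flagged entry is a lead to examine, for instance by checking the file's size against the 46 to 51 MB range the article reports, not a verdict on its own.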
NodeStealer steals cookies and account credentials for Facebook, Gmail, and Outlook from various web browsers. It retrieves the base64-encoded decryption key needed to access the browsers’ encrypted data and abuses the Facebook API to extract information about the breached accounts, hiding its requests behind the victim’s IP address to evade detection.
The malware also hijacks the Facebook account’s ability to run advertising campaigns, using it to promote misinformation or to lead unsuspecting audiences to malware distribution sites. NodeStealer ultimately sends the stolen data to the attacker’s server.
Facebook took down the server of the threat actor responsible for NodeStealer in January 2023, shortly after discovering it. The social media giant also released information on DuckTail malware operations and on malicious browser extensions distributed as ChatGPT programs. Facebook has shared indicators of compromise (IOCs) related to these threats on its public GitHub repository.