MA-936.052023: MyCERT Advisory - Malicious Activities at mydivedeals.shop Website
1.0 Introduction
MyCERT has observed cybercriminals using a malicious Android application in a campaign targeting internet users in Malaysia, specifically online shoppers and consumers. Victims are lured into clicking links that lead to fake sites impersonating “Dive Deals”, an e-commerce and voucher platform that is popular in neighbouring Singapore.
The victim chooses an item to purchase and is then instructed to download a malicious Android application to complete the payment. The threat actor registered domains resembling the impersonated service and set up websites on them to draw in potential victims. The malicious application and websites capture and steal credit card information and banking credentials. The malicious APK can also intercept SMS messages and steal the OTP code during a transaction without the victim noticing.
2.0 Impact
Financial loss. Disclosure of credit card information and banking credentials.
3.0 Affected Products
Android mobile devices
4.0 Other related alerts, programs and advisories
Below are references to similar campaigns:
- MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
- MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
- MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
- MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential
- MA-840.062022: MyCERT Alert - Kempen SMSSpy bagi Mencuri Maklumat Peribadi Perbankan Pengguna Internet Malaysia
5.0 Indicators of Compromise
Table 1: List of indicators of compromise used in the campaign

| Indicator | Indicator type |
| --- | --- |
| MyDiveDeals.apk, SHA256 11a8b8c759f156a658a1f09d26672767e0251a1e411419a9643e377334f1844b | apk, SHA256 |

Table 2: List of indicators of compromise – IP addresses

| IP | Provider | Domain | Details |
| --- | --- | --- | --- |
| 172.67[.]150[.]10 | Hostinger | mydivedeals[.]shop | Distribution website |
| 104.21[.]63[.]198 | Hostinger | mydivedeals[.]shop | Distribution website |
| 172.67[.]186[.]171 | Hostinger | mydivedeals[.]com | Distribution website |
| 104.21[.]64[.]157 | Hostinger | mydivedeals[.]com | Distribution website |
| 172.67[.]135[.]185 | Hostinger | e12345[.]online | C&C server |
| 104.21[.]7[.]41 | Hostinger | e12345[.]online | C&C server |
| 104.21[.]42[.]160 | Hostinger | gs996[.]online | C&C server |
| 172.67[.]163[.]135 | Hostinger | gs996[.]online | C&C server |
| 172.67[.]223[.]99 | Hostinger | ppsss[.]online | C&C server |
| 104.21[.]70[.]119 | Hostinger | ppsss[.]online | C&C server |
| 104.21[.]40[.]16 | Hostinger | mydiveapp[.]online | C&C server |
| 172.67[.]174[.]128 | Hostinger | mydiveapp[.]online | C&C server |

Phone numbers associated with the campaign:
- +60146461482
- +60102756212
- +60168512782
- +60109126693
- +60177273489
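The indicators in Tables 1 and 2 are only useful if they are actually checked against telemetry. The script below is an added example (not MyCERT's code or tooling) that refangs the advisory's `[.]`-defanged indicators, scans DNS and proxy log lines for the distribution and C&C domains and IP addresses, groups the hits by internal client so the affected phones can be triaged, and compares a file hash against the listed APK hash. The log format (`key=value` fields with a `client=` field) and the sample lines are constructed for the example; the indicator values themselves are the ones from the tables above.

```python
import hashlib
import re

# Indicators copied from Tables 1 and 2 of this advisory, kept in the
# defanged form the advisory uses so the list is safe to copy around.
APK_SHA256 = "11a8b8c759f156a658a1f09d26672767e0251a1e411419a9643e377334f1844b"

DEFANGED_NETWORK_IOCS = {
    "mydivedeals[.]shop": "distribution",
    "mydivedeals[.]com": "distribution",
    "e12345[.]online": "c2",
    "gs996[.]online": "c2",
    "ppsss[.]online": "c2",
    "mydiveapp[.]online": "c2",
    "172.67[.]150[.]10": "distribution",
    "104.21[.]63[.]198": "distribution",
    "172.67[.]186[.]171": "distribution",
    "104.21[.]64[.]157": "distribution",
    "172.67[.]135[.]185": "c2",
    "104.21[.]7[.]41": "c2",
    "104.21[.]42[.]160": "c2",
    "172.67[.]163[.]135": "c2",
    "172.67[.]223[.]99": "c2",
    "104.21[.]70[.]119": "c2",
    "104.21[.]40[.]16": "c2",
    "172.67[.]174[.]128": "c2",
}


def refang(indicator: str) -> str:
    """Turn the advisory's defanged notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


NETWORK_IOCS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items()}

# Constructed sample log lines (not from a real incident): DNS and proxy
# events in a simple key=value format; "client" is the internal host.
SAMPLE_LOGS = [
    "2023-05-12T10:14:03Z dns client=10.0.0.23 query=mydivedeals.shop type=A answer=172.67.150.10",
    "2023-05-12T10:14:07Z proxy client=10.0.0.23 method=GET url=https://mydivedeals.shop/MyDiveDeals.apk status=200",
    "2023-05-12T10:20:41Z dns client=10.0.0.23 query=api.mydiveapp.online type=A answer=104.21.40.16",
    "2023-05-12T10:21:00Z dns client=10.0.0.31 query=www.example.com type=A answer=93.184.216.34",
    "2023-05-12T10:22:15Z proxy client=10.0.0.31 method=GET url=https://example.com/ status=200",
]


def _pattern(ioc: str) -> re.Pattern:
    # A preceding "." is allowed so sub-domains of a listed domain match, but a
    # trailing word character is not, so 172.67.150.10 does not match
    # 172.67.150.100 and mydivedeals.shop does not match mydivedeals.shopping.
    return re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])")


PATTERNS = {ioc: _pattern(ioc) for ioc in NETWORK_IOCS}


def find_network_hits(lines):
    """Return (line_number, indicator, role) for every indicator match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ioc, role in NETWORK_IOCS.items():
            if PATTERNS[ioc].search(line):
                hits.append((number, ioc, role))
    return hits


def affected_clients(lines):
    """Map each internal client seen contacting an indicator to the roles it touched."""
    clients = {}
    for number, _ioc, role in find_network_hits(lines):
        m = re.search(r"\bclient=(\S+)", lines[number - 1])
        if m:
            clients.setdefault(m.group(1), set()).add(role)
    return clients


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_malicious_apk(sha256: str) -> bool:
    """Compare a file hash (any case, surrounding whitespace ignored) against Table 1."""
    return sha256.strip().lower() == APK_SHA256


if __name__ == "__main__":
    for number, ioc, role in find_network_hits(SAMPLE_LOGS):
        print(f"line {number}: {ioc} ({role})")
    print("clients to triage:", affected_clients(SAMPLE_LOGS))
    print("sample bytes match listed APK:",
          is_known_malicious_apk(sha256_hex(b"constructed, not the real APK")))
```

A client that appears under both the distribution and the C&C role has most likely installed the APK rather than merely browsed the fake shop, so that is the host to prioritise. The same refanged list can be fed into a DNS sinkhole or proxy blocklist; the boundary-aware pattern matters there too, because plain substring matching on the IP addresses would also flag unrelated addresses that share a prefix.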
6.0 Recommendations
The application can retrieve information from the victim’s phone and use it for other malicious purposes. As a CERT, we strongly recommend the following:
• Verify an application's permissions and its author or publisher before installing it.
• Avoid side-loading (installing from non-official sources) whenever you can. If you need to install Android software from a source other than the trusted marketplace, ensure that it comes from a reputable source.
• Do not click on adverts or suspicious URLs sent through SMS or messaging services.
• Malicious programs may be attached to such links to collect users' information.
• Always run a reputable anti-virus product on your smartphone or mobile device, and keep it up to date.
• Update the operating system and applications on your smartphone or tablet, including the browser, to avoid exploitation of security holes in outdated versions.
• Do not root or 'jailbreak' your phone.
• Contact the relevant authorities, such as MyCERT of CyberSecurity Malaysia, for any enquiries or assistance related to this threat.
Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please get in touch with MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
7.0 References
- MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme, https://www.mycert.org.my/portal/advisory?id=MA-790.072020
- MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK, https://www.mycert.org.my/portal/advisory?id=MA-690.122017
- MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant, https://www.mycert.org.my/portal/advisory?id=MA-695.012018
- MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK, https://www.mycert.org.my/portal/advisory?id=MA-694.012018
- https://www.virustotal.com/gui/ip-address/139.162.61.96/relations
- https://www.virustotal.com/gui/file/fc9d34436b4711d6f586903d07a99b089ca5aa61f931febd57abba9a7135d98d/relations
- https://twitter.com/esetresearch/status/1526440685460672512?s=24&t=xveoIxTaZLIdhpnzy-YSag
- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
- https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html
- MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential, https://www.mycert.org.my/portal/advisory?id=MA-834.052022
MA-893.112022: MyCERT Alert - Security Best Practices and Guidelines
1.0 Introduction
MyCERT has observed incidents involving breaches of data belonging to the public. Sensitive and private personal information, such as names, phone numbers, email addresses and home addresses, is exposed and might be traded on the dark web by cyber criminals. Such data breaches are likely to lead to phishing attacks through methods such as “smishing” and “vishing”. Smishing and vishing are scams in which criminals try to get users to click on a fraudulent link delivered by phone call, text message, email, or voicemail.
2.0 Impact
Victims of phishing attacks are usually lured and tricked into clicking and entering confidential and sensitive information such as OTPs or security codes, login details, passwords and more. Once the perpetrators obtain this information, they use it to further hijack the victims' accounts for monetary gain, either by impersonating the victim or by abusing the stolen account for other malicious activities.
3.0 Recommendations
MyCERT anticipates that data breaches will contribute to an increase in attempts to scam the general public via the internet. Hence, MyCERT recommends that users remain extra cautious of calls from unknown numbers and never entertain unsolicited calls or text messages (including SMS and WhatsApp). Clicking on or responding to such voice or text-based messages can be dangerous, leading to users losing money or exposing personal data.
3.1 Here are some security best practices and guidelines to help protect users from releasing their personal information to external parties and falling victim to scam activities.
- Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.
- Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
- As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
- Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.
- Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
- Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
- Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
- Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
- Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
- If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
- For incidents involving monetary loss, the public is advised to report immediately to NSRC within 24 hours. Contact the National Scam Response Center (NSRC) via dialling the hotline number at 997 (Operating Hours: 8 am - 8 pm).
- File a report to Jabatan Data Perlindungan Peribadi, JPDP, if users receive such calls asking for their personal information at:
Jabatan Data Perlindungan Peribadi
Aras 6, Kompleks Kementerian Komunikasi dan Multimedia
Lot 4G9, Persiaran Perdana, Presint 4 Pusat Pentadbiran Kerajaan Persekutuan
62100 Putrajaya, Malaysia.
Telephone: 03-8000 8000
Fax: 03-8911 7959
Email : aduan[at]pdp[dot]gov[dot]my
Generally, MyCERT advises users to follow security best practices and guidelines as measures to safeguard their personal information and to avoid becoming victims of scams.
3.2 MyCERT also advises System Administrators on the following best practices and guidelines to deal with data breach incidents in their organisations:
- Verify reported leaked data with the application and database teams.
- Perform a compromise assessment to determine whether the system has been compromised.
- Perform a vulnerability assessment of the affected system.
- Apply updates, patches and bug fixes to the OS, applications, and antivirus/EDR.
- Continuously monitor security logs to ensure the system is safe from cyber threats.
- Follow and implement security policies, guidelines and best practices in the organisation.
- Ensure systems, applications and third-party add-ons are updated with the latest upgrades and security patches.
- Block the IoCs found by setting rules in the firewall, IDS or IPS.
- If using older versions of operating systems or software, ensure they are upgraded to the latest versions, as older versions may have vulnerabilities that intruders can exploit. Aside from that, ensure that web-based applications and network-based appliances are patched accordingly.
- Refer to the respective vendors' websites for the latest patches, service packs and upgrades. Otherwise, you may also refer to MyCERT’s website for the latest advisories on software vulnerabilities, with pointers to patches, service packs and upgrades.
- Ensure the anti-virus software deployed on hosts and email gateways is updated with the latest signature files and is enabled to scan all files.
- Ensure systems are configured appropriately to avoid incidents such as information disclosure and directory listing caused by system misconfiguration.
- Ensure system logging is always enabled, especially for critical systems.
- Perform regular backups of all critical information to limit the impact of data loss or destruction and help expedite recovery. Ideally, backups should be made daily, on independent media, and stored offline at an alternate site.
- Organisations are recommended to apply a defence-in-depth strategy to protect their networks. Firewalls, intrusion prevention systems (IPS), and network- and host-based intrusion detection systems (IDS) can stop malicious activity by blocking and dropping it when it occurs, and keep track of most generic attacks.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
4.0 References
- https://www.mycert.org.my/portal/advisory?id=MA-790.072020
- https://www.mycert.org.my/portal/advisory?id=MA-690.122017
- https://www.mycert.org.my/portal/advisory?id=MA-695.012018
- https://www.mycert.org.my/portal/advisory?id=MA-694.012018
- https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html
- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
- https://www.trendmicro.com/vinfo/it/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks
MA-892.112022: MyCERT Alert - IOCs and TTPs Associated with APT40
1.0 Introduction
MyCERT has observed that APT40 (also known as BRONZE MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper) has been active since at least 2009. APT40 has targeted governmental organisations, companies, and universities in a wide range of industries including biomedical, robotics, and maritime research, in countries such as Cambodia, Belgium, Germany, Hong Kong, the Philippines, Norway, Saudi Arabia, Switzerland, the United States, the United Kingdom and Malaysia.
2.0 General Tactic, Technique and Procedure (TTP)
Intrusions start with a spear-phishing email in which the sender pretends to be a journalist, an individual from a trade publication, or someone from a relevant military organisation or non-governmental organisation (NGO). Sometimes, the group has leveraged previously compromised email addresses to send the spear-phishing emails. APT40 typically runs short, targeted campaigns.
The motives are usually data theft and exfiltration. The group's operations target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data.
APT40 is associated with malware from 51 different variants. Out of the 51 variants, 37 are non-public. At least 7 of these non-public tools (BADSIGN, FIELDGOAL, FINDLOCK, PHOTO, SCANBOX, SOGU, and WIDETONE) are shared with other suspected China-nexus operators.
Figure 1: APT40 attack lifecycle
3.0 Indicators of Compromise (IoC)
DadJoke Malware was first used in the wild in January 2019 and has undergone constant development. This malware has been used in several active campaigns since January 2019, all targeting government, military, and diplomatic entities in the Southeast Asia region. The latest campaign was conducted on August 29, 2019, and seems to have targeted only a few individuals working for a military organisation.
Kill Chain
- Reconnaissance: The group has leveraged previously compromised email addresses, or impersonated email senders, to send spear-phishing emails.
- Delivery: Spear-phishing emails with malicious attachments, although delivery via Google Drive has also been observed. This includes pretending to be a journalist, an individual from a trade publication, or someone from a relevant military or non-governmental organisation (NGO).
- Weaponisation: A Microsoft Office document with a macro which, once enabled, extracts a malicious executable that downloads the loader.
- Exploitation:
- CVE-2014-6352: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.
- CVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API".
- Installation:
- Utilises unique “iShape” names for the benign exe, the loader dll, and the hidden content
- Facilitates extraction and execution of the main payload, primarily in memory
- Load-order hijacking using a benign Windows Defender exe
- Contains an encrypted config block and an LZMA-compressed main payload
- Command and Control: Beacon, then download and execute stage 2. The beacon is also encrypted and disguised as a PNG image.
- Actions on Objectives: Data theft and exfiltration. The group's operations target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data.
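The Command and Control entry above notes that the beacon is encrypted and looks like a PNG. One defensive check that follows from that, added here as an example that is not part of the MyCERT advisory and not APT40 tooling: for any file that carries the PNG signature (on a proxy, in mail attachments, or in a forensic image), verify that it actually parses as a PNG, with IHDR first, every chunk's CRC correct, and IEND last with nothing after it. The assumption, also stated in the code, is that "looks like PNG" means a PNG signature or extension on content that is not a real image; the good, fake and padded samples are constructed in the block itself.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_structure_problems(data: bytes):
    """Return the reasons `data` is not a well-formed PNG (empty list if it is).

    A real PNG is the 8-byte signature followed by chunks of the form
    length(4) | type(4 ASCII letters) | body | CRC32(type + body), starting
    with IHDR and ending with IEND with nothing after it. A file that carries
    the signature but breaks these rules deserves a closer look: the
    assumption here is that a disguised beacon has the header, not the structure.
    """
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    first = True
    while pos < len(data):
        if pos + 8 > len(data):
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha():
            problems.append(f"chunk type {ctype!r} at offset {pos} is not ASCII letters")
            break
        if first and ctype != b"IHDR":
            problems.append(f"first chunk is {ctype.decode()} instead of IHDR")
        first = False
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            problems.append(f"{ctype.decode()} chunk at offset {pos} runs past end of data")
            break
        body = data[body_start:body_end]
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(ctype + body) != stored_crc:
            problems.append(f"bad CRC on {ctype.decode()} chunk at offset {pos}")
        pos = body_end + 4
        if ctype == b"IEND":
            if pos != len(data):
                problems.append(f"{len(data) - pos} trailing bytes after IEND")
            return problems
    if not problems:
        problems.append("no IEND chunk")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with its CRC, used to build the constructed good sample."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_minimal_png() -> bytes:
    """Build a genuine 1x1 8-bit grayscale PNG (constructed, not from any sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a PNG signature glued onto opaque bytes (standing in for
# an encrypted blob given an image header), and a real PNG with data appended
# after IEND. Neither is derived from real malware.
FAKE_PNG = PNG_SIGNATURE + bytes(range(40, 120))
PADDED_PNG = make_minimal_png() + b"constructed trailing payload"


if __name__ == "__main__":
    for name, sample in [("good", make_minimal_png()), ("fake", FAKE_PNG), ("padded", PADDED_PNG)]:
        print(name, png_structure_problems(sample) or "well-formed")
```

This is a triage filter rather than a signature: a file that fails the structural check is not automatically a beacon, and a beacon that embeds itself inside a structurally valid PNG (for example in an ancillary chunk) would pass it. Its value is in cheaply separating "real image" from "bytes wearing an image header" across a large volume of files, so that the remainder can be sent for closer analysis.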