Chameleon Malware, Ransomware Decryption Tool Dec 18-24, 2023 - F5 SIRT - This Week in Security


Hello Everyone, this week your editor is Dharminder.

I am back again with another edition of This Week in Security. This week I have security news about the FBI's decryption tool for BlackCat ransomware victims, the Chameleon Android banking malware, which can bypass biometric authentication, and CISA's 'Secure by Design' alert on the threat posed by default passwords on internet-exposed systems. We in F5 SIRT invest a lot of time in understanding the constantly changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to mitigate attacks and vulnerabilities and get you back up and running. So the next time you are in a security emergency, please contact F5 SIRT.

OK, let's get into the details of this week's security news.


FBI's Decryption Tool for the Victims of BlackCat Ransomware

The U.S. Justice Department has announced a disruption campaign against the BlackCat ransomware group (also known as ALPHV or Noberus). The group has targeted over 1,000 victims globally, including networks supporting U.S. critical infrastructure. The FBI developed a decryption tool that has helped roughly 500 affected victims restore their systems, saving approximately $68 million in ransom demands. The operation, run by the FBI, also resulted in the seizure of several websites operated by BlackCat. The group operates a ransomware-as-a-service model: the developers maintain the ransomware code and infrastructure, while affiliates identify and compromise high-value victims.

BlackCat uses a multiple extortion model, exfiltrating sensitive data before encrypting systems, which gives it a second lever, the threat of leaking that data, to pressure victims into paying. The FBI Miami Field Office is leading the investigation and is working with other international law enforcement agencies. Victims of BlackCat ransomware are encouraged to contact their local FBI field office for assistance; information about the ongoing investigation and technical details for mitigation are available from the FBI. Individuals with information about BlackCat, its activities and its affiliates may be eligible for rewards through the Rewards for Justice program by submitting it via the program's Tor-based tip line.


Chameleon: Android Banking Malware Capable of Bypassing Biometric Authentication

Researchers have identified an updated version of the Android banking malware Chameleon, which has expanded its targets from Australia and Poland to users in the U.K. and Italy. The new variant is proficient at Device Takeover (DTO) through Android's accessibility service, which it abuses for data harvesting and overlay attacks. It is now delivered via Zombinder, an off-the-shelf dropper-as-a-service (DaaS) that binds malicious payloads to legitimate apps, and it masquerades as the Google Chrome web browser under package names such as Z72645c414ce232f45.Z35aad4dde2ff09b48 and com.busy.lady (the legitimate Chrome package is com.android.chrome). Notably, the enhanced variant tricks the user into enabling its accessibility service and then uses it to force the lock screen to fall back from biometric authentication to a PIN. Unlike a fingerprint or a face, a PIN is something the malware can capture as it is typed and later use to unlock the device, which is what makes the DTO fraud possible.
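Because Chameleon needs the victim to enable its accessibility service before it can manipulate the lock screen, a quick device-side triage is to list installed packages and check which of them currently own an enabled accessibility service. The Python below is an added example (not code from the original post or from the researchers who analysed the malware); it parses constructed output of `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services`, matches the two package names reported in the article, and rates an indicator package whose accessibility service is already enabled as critical. The sample adb output and the severity labels are constructed for the example.

```python
"""Triage an Android device for the Chameleon indicators named in the article.

Added example; not code from the original post or the researchers' report.
The package names come from the article; the adb output below is constructed.
"""
import re
from dataclasses import dataclass

# Package names the article reports for Chameleon samples posing as Chrome.
CHAMELEON_PACKAGES = {
    "Z72645c414ce232f45.Z35aad4dde2ff09b48",
    "com.busy.lady",
}

# Constructed output of: adb shell pm list packages -f
PM_LIST = """\
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~Qk3r==/com.busy.lady-7x==/base.apk=com.busy.lady
package:/data/app/~~aa==/Z72645c414ce232f45.Z35aad4dde2ff09b48-1==/base.apk=Z72645c414ce232f45.Z35aad4dde2ff09b48
package:/system/priv-app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# Format is colon-separated "package/ServiceClass" entries; "null" when none.
ENABLED_A11Y = (
    "com.busy.lady/com.busy.lady.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


@dataclass
class Finding:
    package: str
    apk_path: str
    accessibility_enabled: bool
    severity: str


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        # Greedy match: the package name follows the last '=' on the line,
        # so '=' characters inside the APK path do not confuse the split.
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_enabled_services(setting):
    """Set of packages that own an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_list_output, a11y_setting):
    """Rank installed packages: indicator + enabled accessibility = critical."""
    pkgs = parse_pm_list(pm_list_output)
    a11y = parse_enabled_services(a11y_setting)
    findings = []
    for pkg, path in pkgs.items():
        is_ioc = pkg in CHAMELEON_PACKAGES
        has_a11y = pkg in a11y
        system_app = path.startswith(("/system/", "/product/", "/vendor/"))
        if is_ioc and has_a11y:
            severity = "critical"   # the DTO prerequisite is already granted
        elif is_ioc:
            severity = "high"       # installed, accessibility not (yet) enabled
        elif has_a11y and not system_app:
            severity = "review"     # user-installed app holding accessibility
        else:
            continue
        findings.append(Finding(pkg, path, has_a11y, severity))
    return findings


if __name__ == "__main__":
    for f in triage(PM_LIST, ENABLED_A11Y):
        print(f"{f.severity:8} {f.package}  ({f.apk_path})")
```

The "review" bucket is deliberately broad: any user-installed package holding accessibility on a device used for banking deserves a look, because the package names above are only the ones reported so far and a repacked sample will carry a different one.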

The emergence of this Chameleon variant reflects how sophisticated and adaptive the Android threat landscape has become, with malware gaining resilience and advanced features. In a broader context, Zimperium reported that 29 malware families, including 10 new ones, targeted 1,800 banking applications across 61 countries over the past year, with traditional banking applications accounting for 61% of the targets. The U.S., U.K. and Italy are among the most targeted countries, and popular financial services apps such as PhonePe, WeChat, Bank of America and Binance are among the prime targets.


CISA's Advisory on Default Passwords

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to eliminate default passwords on internet-exposed systems because of the severe risk of their exploitation by malicious actors. CISA specifically called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S., and the alert refers to recent attacks by IRGC-affiliated actors on Israeli-made programmable logic controllers that shipped with widely known default passwords.

CISA recommends that manufacturers follow secure-by-design principles: provide setup passwords that are unique to each device instance rather than one shared default, make setup passwords time-limited so that they are disabled after a preset period, and implement phishing-resistant multi-factor authentication. For healthcare and critical infrastructure operators, CISA also listed countermeasures including enforcing strong passwords, network segmentation controls and consistent patch management.

The disclosure coincided with the Israel National Cyber Directorate attributing cyber attacks on critical infrastructure in Israel to a Lebanese threat actor connected to the Iranian Ministry of Intelligence. Separately, the U.S. National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI) and CISA published recommended practices for securing open-source software management processes.
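To make the manufacturer-side recommendations concrete, the Python below is an added example (not CISA's code or any vendor's) of a setup-credential lifecycle: a random, instance-unique setup password is issued at provisioning, accepted only within an assumed 15-minute window, and disabled permanently once the administrator has set a strong replacement. The class and function names, the TTL, the password policy and the small denylist are illustrative assumptions.

```python
"""Setup-credential lifecycle along the lines of CISA's default-password guidance.

Added example, not CISA's code or any vendor's. An instance-unique setup
password is issued at provisioning, is valid for a limited time, and is
disabled for good once a strong administrator password has been set.
"""
import hashlib
import hmac
import secrets
import string

SETUP_TTL_SECONDS = 15 * 60   # assumed policy: setup password lives 15 minutes
MIN_LENGTH = 14               # assumed policy
# Assumed denylist; a real product would ship a far larger one.
COMMON_PASSWORDS = {"admin", "password", "12345678", "1111", "default", "changeme"}


def password_is_strong(pw):
    """Length, not a known default, and at least three character classes."""
    if len(pw) < MIN_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) >= 3


class SetupCredential:
    """Instance-unique, one-shot, time-limited setup password for one device."""

    def __init__(self, issued_at, setup_password):
        self.issued_at = issued_at
        self.salt = secrets.token_bytes(16)
        self.setup_hash = self._hash(setup_password)   # plaintext is not retained
        self.setup_disabled = False
        self.admin_hash = None

    def _hash(self, pw):
        # Memory-hard hash; cheap enough for an embedded login path.
        return hashlib.scrypt(pw.encode(), salt=self.salt, n=2**14, r=8, p=1)

    def setup_login(self, pw, now):
        """Valid only before the TTL elapses and before setup completes."""
        if self.setup_disabled or now - self.issued_at > SETUP_TTL_SECONDS:
            return False
        return hmac.compare_digest(self._hash(pw), self.setup_hash)

    def complete_setup(self, setup_pw, new_pw, now):
        """Require a strong admin password, then retire the setup password."""
        if not self.setup_login(setup_pw, now) or not password_is_strong(new_pw):
            return False
        self.admin_hash = self._hash(new_pw)
        self.setup_disabled = True    # nothing re-enables it short of a factory reset
        return True

    def admin_login(self, pw):
        if self.admin_hash is None:
            return False
        return hmac.compare_digest(self._hash(pw), self.admin_hash)


def provision(now):
    """Factory-time step: a random per-unit setup password, printed on the
    device label or shown once on the console. It is never derived from the
    serial number or MAC address, which an attacker can read off the device."""
    setup_pw = secrets.token_urlsafe(12)
    return SetupCredential(now, setup_pw), setup_pw


if __name__ == "__main__":
    cred, printed = provision(now=0)
    print("label password:", printed)
    print("setup ok:", cred.complete_setup(printed, "Plc-Line7#Spring2024x", now=60))
    print("setup password still works:", cred.setup_login(printed, now=61))
```

The anti-pattern this replaces is a shared default such as admin/admin that works on every unit and keeps working indefinitely. Here the only credential that exists before setup is unique to the unit and stops working at the deadline or the moment setup completes, whichever comes first, and the administrator cannot finish setup without choosing a password that passes the policy.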

Published Dec 26, 2023
Version 1.0
