Media File Manipulation Received Via WhatsApp and Telegram

  • NIC-CERT/2019-07/187
  • Date: 2019-07-19

1. Media File Manipulation Received Via WhatsApp & Telegram

Just like man-in-the-disk attacks, a malicious app installed on a recipient's device can intercept and manipulate media files, such as private photos, documents, or videos, sent between users through the device's external storage—all without the recipient's knowledge and in real time.

WhatsApp and Telegram allow users to choose whether incoming multimedia files are saved on the internal or the external storage of their device.
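As an added example (not code from the advisory or from either messaging app), a Python sketch of the check a receiving app can apply against this kind of tampering: pin a digest of each file when it arrives, keep that digest in app-private storage, and refuse to render the file if the copy on shared storage has changed since. The MediaReceiver class, the temporary directories and the sample bytes are constructed for illustration.

```python
"""Constructed example: detecting man-in-the-disk tampering of received media."""
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class MediaReceiver:
    """Receiving side: stores media on shared storage, digests privately."""
    def __init__(self, external_dir):
        self.external_dir = external_dir  # shared storage any app can write to
        self.pinned = {}  # on a real device this lives in app-private storage

    def receive(self, name, data):
        """Write the incoming file to shared storage and pin its digest."""
        path = os.path.join(self.external_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        self.pinned[name] = sha256_file(path)
        return path

    def open_verified(self, name):
        """Return the bytes only if they still match the pinned digest, else None."""
        path = os.path.join(self.external_dir, name)
        expected = self.pinned.get(name)
        if expected is None or sha256_file(path) != expected:
            return None  # modified since receipt: refuse to render
        with open(path, "rb") as f:
            return f.read()

def demo():
    """Constructed scenario: another app rewrites the image between receipt and viewing."""
    with tempfile.TemporaryDirectory() as ext:
        rx = MediaReceiver(ext)
        path = rx.receive("photo.jpg", b"\xff\xd8\xff\xe0 original photo")
        before = rx.open_verified("photo.jpg") is not None
        with open(path, "wb") as f:  # the other app's write to shared storage
            f.write(b"\xff\xd8\xff\xe0 swapped image")
        after = rx.open_verified("photo.jpg") is not None
        return before, after  # (True, False)

if __name__ == "__main__":
    print(demo())
```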

Reference: https://thehackernews.com/2019/07/media-files-whatsapp-telegram.html

2. New Linux Malware Stealing Sensitive Data

This malware, dubbed EvilGnome, impersonates a GNOME extension and is possibly distributed by a Russia-based threat group. EvilGnome is delivered as a self-extracting archive shell script created with makeself, a small shell script that generates a self-extractable compressed tar archive from a directory.

Reference: https://thehackernews.com/2019/07/linux-gnome-spyware.html

3. Android Apps Capture Loudspeaker Data Without Any Permission

The paper "Spearphone: A Speech Privacy Exploit via Accelerometer-Sensed Reverberations from Smartphone Loudspeakers" describes an attack that can be triggered when the victim places a phone or video call in speaker mode, listens to a media file, or interacts with the smartphone assistant.

Reference: https://arxiv.org/pdf/1907.05972.pdf

4. 93% of porn sites leak data to a third-party

93% of pages leak user data to a third party; the pages that leak data do so to an average of seven domains; 79% have a third-party cookie (often used for tracking); of the pages with cookies, there is an average of nine cookies; and only 17% of sites are encrypted, allowing network adversaries to potentially intercept login and password details. The websites' source code and privacy policies were checked, and a lot of user tracking was found that is not disclosed to users.

Reference: https://www.zdnet.com/article/93-of-porn-sites-leak-data-to-a-third-party/

5. Proyecto RAT Targeting Financial Institutions & Government Organizations

This is a new campaign targeting financial institutions and governmental organizations with a customized version of a remote access tool called “Proyecto RAT”. The infection starts with a customized email sent to the target with an attachment containing shortened links that direct victims to file-sharing services; the delivered file is a macro-enabled MHTML file. The macro code is responsible for downloading and executing the first-stage payload, Imminent Monitor RAT.

Imminent Monitor RAT monitors all network activity and includes information for executing the second-stage payload, which is Proyecto RAT.

Reference: https://gbhackers.com/proyecto-rat-uses-email-service/