{"id":16960,"date":"2024-09-14T07:00:00","date_gmt":"2024-09-14T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/cybersecurity-highlights-banking-malware-on-telegram-and-5-6-billion-in-crypto-losses\/"},"modified":"2024-09-14T07:00:00","modified_gmt":"2024-09-14T04:00:00","slug":"cybersecurity-highlights-banking-malware-on-telegram-and-5-6-billion-in-crypto-losses","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/cybersecurity-highlights-banking-malware-on-telegram-and-5-6-billion-in-crypto-losses\/","title":{"rendered":"Cybersecurity Highlights: Banking Malware on Telegram and $5.6 Billion in Crypto Losses"},"content":{"rendered":"<p>We have compiled the most significant cybersecurity news of the week.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Banking information-stealing malware tracked on Telegram.<\/li>\n<li>Bitcoin scam losses exceeded $5.6 billion in 2023.<\/li>\n<li>Over 50% of macOS attacks in six months targeted a single crypto stealer.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Banking Information-Stealing Malware Tracked on Telegram<\/strong><\/h2>\n<p>Researchers at Group-IB have identified a new Android malware, Ajina.Banker, which steals financial data under the guise of legitimate banking apps and payment systems.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Group-IB analysts have uncovered a serious <a href=\"https:\/\/twitter.com\/hashtag\/cyberthreat?src=hash&#038;ref_src=twsrc%5Etfw\">#cyberthreat<\/a> involving malicious <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&#038;ref_src=twsrc%5Etfw\">#Android<\/a> apps disguised as payment, banking, &#038; delivery services. 
Discovered primarily in <a href=\"https:\/\/twitter.com\/hashtag\/CentralAsia?src=hash&#038;ref_src=twsrc%5Etfw\">#CentralAsia<\/a>, this malware\u2014known as <a href=\"https:\/\/twitter.com\/hashtag\/AjinaBanker?src=hash&#038;ref_src=twsrc%5Etfw\">#AjinaBanker<\/a>-has been active since November 2023 &#038; is spreading via <a href=\"https:\/\/twitter.com\/hashtag\/Telegram?src=hash&#038;ref_src=twsrc%5Etfw\">#Telegram<\/a>. <a href=\"https:\/\/t.co\/XZSHn3yurd\">pic.twitter.com\/XZSHn3yurd<\/a><\/p>\n<p>\u2014 Group-IB Threat Intelligence (@GroupIB_TI) <a href=\"https:\/\/twitter.com\/GroupIB_TI\/status\/1834112614898532636?ref_src=twsrc%5Etfw\">September 12, 2024<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The threat has been active since November 2023 and is distributed through Telegram channels and messages, where the malicious APKs pose as banking, payment, and delivery apps. Telegram is only the delivery channel: two-factor authentication is defeated on the device itself by intercepting the victim&#8217;s SMS codes.<\/p>\n<p>Once on a victim&#8217;s device and granted the permissions it requests, Ajina.Banker collects information about SIM cards, installed financial apps, and SMS messages. The malware also serves phishing pages to harvest banking credentials.<\/p>\n<p>The current campaign targets users in Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan.<\/p>\n<p>Experts note that the stealer is under active development.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Bitcoin Scam Losses Exceeded $5.6 Billion in 2023<\/strong><\/h2>\n<p>In 2023, the FBI <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2023_IC3CryptocurrencyReport.pdf\">received<\/a> 69,468 complaints about cryptocurrency fraud with total losses exceeding $5.6 billion. 
Compared to 2022, financial losses increased by 45%.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdUs4tB-X6vD1cenz8XdEbmk4Cxvty7V07Cbomy_LSEdgyBgMVXg_j1J_ETYorfKyVeh1C-qwp_HJEnFu_lZW5MhB5nW9RVT8WeQd2KaQxwIxe828xFhGQ8OddaVJEsfknoxkPFb_Y8LvDPbEElC39SPdc?key=JCIbjP4Z4Ur0q5mbwuCNXA\" alt=\"Cybersecurity Highlights: Banking Malware on Telegram and $5.6 Billion in Crypto Losses\"\/><figcaption class=\"wp-element-caption\">Source: FBI.<\/figcaption><\/figure>\n<p>The largest share of complaints came from individuals over 60, and investment schemes were the most common type of crime. Other prevalent scam types in the report include:<\/p>\n<ul class=\"wp-block-list\">\n<li>tech support fraud;<\/li>\n<li>personal data breaches;<\/li>\n<li>extortion;<\/li>\n<li>romance scams;<\/li>\n<li>impersonation of government officials.<\/li>\n<\/ul>\n<p>The overwhelming majority of reported losses came from complainants in the United States ($4.8 billion), followed by the Cayman Islands ($196 million) and Mexico ($127 million).<\/p>\n<h2 class=\"wp-block-heading\"><strong>Over 50% of macOS Attacks in Six Months Targeted a Single Crypto Stealer<\/strong><\/h2>\n<p>Researchers at Sophos X-Ops described Atomic macOS Stealer (AMOS), an information stealer that accounted for more than half of the macOS malware detections they recorded in the past six months.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">We have further advice and information on our protections in our article, which you can read here: <a href=\"https:\/\/t.co\/yLTutuPBxv\">https:\/\/t.co\/yLTutuPBxv<\/a><\/p>\n<p>\u2014 Sophos X-Ops (@SophosXOps) <a href=\"https:\/\/twitter.com\/SophosXOps\/status\/1832081037263872066?ref_src=twsrc%5Etfw\">September 6, 2024<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The stealer spreads through phishing, malicious ads, and SEO poisoning, which pushes attacker-controlled download pages to the top of search results. It mimics legitimate applications such as Trello, Arc Browser, Slack, Todoist, and CleanMyMac X.<\/p>\n<p>AMOS targets browser cookies, saved credentials, autofill data, and cryptocurrency wallets, including Electrum, Binance, Exodus, Atomic Wallet, and Coinomi. Some of the collected information is resold to other cybercriminals for further exploitation.<\/p>\n<p>The malware emerged in April 2023 and is currently sold for $3,000 per month. Experts believe future attacks may extend to iOS.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Suspected Cybercrime Syndicate Members Arrested in Singapore<\/strong><\/h2>\n<p>On September 9, Singapore police <a href=\"https:\/\/www.police.gov.sg\/Media-Room\/News\/20240910_six_persons_to_be_charged_for_offences_in_relation_to_illegal_cyber_activities\">arrested<\/a> six Chinese nationals and one local resident suspected of conducting malicious cyber activities as part of a &#8220;global criminal syndicate.&#8221;<\/p>\n<p>During the raids, authorities seized electronic devices containing hacking tools and malware, including the PlugX backdoor, as well as $1.39 million in cash and cryptocurrency.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXcS6kiT8qRieXXt973XqB5ji6ooB9q7SCnePHGqoLJi6a-afoUW03JrkPwgYXH8XQuwjMsVo6JFoLLgCcvNot6YV39Aibi_kv5qQI5ozowdauhr-XzQ_dGplbJKTteSjZl07cTc6PZfXU9Uy5tBOm0Yd9w?key=JCIbjP4Z4Ur0q5mbwuCNXA\" alt=\"Cybersecurity Highlights: Banking Malware on Telegram and $5.6 Billion in Crypto Losses\"\/><figcaption class=\"wp-element-caption\">Source: Singapore Police.<\/figcaption><\/figure>\n<p>The investigation is ongoing.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Serious Vulnerability Found in WhatsApp&#8217;s View Once Feature<\/strong><\/h2>\n<p>The View Once message feature in WhatsApp contains a vulnerability that allows received media files to be saved and redistributed. 
This was <a href=\"https:\/\/medium.com\/@TalBeerySec\/once-and-forever-whatsapps-view-once-functionality-is-broken-302a508390b0\">highlighted<\/a> by developers of the Zengo cryptocurrency wallet.<\/p>\n<p>Although the feature is not supported by the web and desktop versions of the app, WhatsApp&#8217;s <span data-descr=\"Application Programming Interface\" class=\"old_tooltip\">API<\/span> server did not enforce the restriction for three years: a View Once message was delivered to all of the recipient&#8217;s linked devices, and the &#8220;view once&#8221; property was checked only by the receiving client. A modified client that simply sets the flag to false can download and forward the media like an ordinary attachment.<\/p>\n<p>Some versions of the message also carry a low-quality preview of the media. The researchers further found that media files are not deleted from WhatsApp&#8217;s servers immediately after being downloaded but remain there for about two weeks.<\/p>\n<p><iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/GE1z5nnzHvM?si=NX6hCOfYFQtRBd0m\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Additionally, the researchers found code on GitHub, in the form of a Chrome extension and a modified Android client, that already exploits the weakness.<\/p>\n<p>WhatsApp is working on a fix.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Researchers Use Screen Pixel Noise for Data Leakage<\/strong><\/h2>\n<p>Researchers from Ben-Gurion University <a href=\"https:\/\/arxiv.org\/abs\/2409.04930\">introduced<\/a> a new attack, PIXHELL, which uses noise generated by LCD screen pixels as a channel for leaking information from <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%92%D0%BE%D0%B7%D0%B4%D1%83%D1%88%D0%BD%D1%8B%D0%B9_%D0%B7%D0%B0%D0%B7%D0%BE%D1%80_(%D1%81%D0%B5%D1%82%D0%B8_%D0%BF%D0%B5%D1%80%D0%B5%D0%B4%D0%B0%D1%87%D0%B8_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D1%85)\">air-gapped<\/a> systems.<\/p>\n<p>Malware on the isolated machine renders specially crafted <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%91%D0%B8%D1%82%D0%BE%D0%B2%D0%B0%D1%8F_%D0%BA%D0%B0%D1%80%D1%82%D0%B0\">bitmap<\/a> patterns on the screen. The changing pixel load makes coils and capacitors in the monitor vibrate, producing acoustic signals in the 0 to 22 kHz range, and the attacker modulates these signals to encode the data being exfiltrated.<\/p>\n<p>Text and binary data can be recovered from air-gapped computers with no speakers at a distance of up to two meters.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Telegram began responding promptly to government requests in the EU.<\/li>\n<li>Nigerian authorities froze $330,000 in bank accounts of bitcoin exchange clients.<\/li>\n<li>Experts reported a $22 million hack of Indodax.<\/li>\n<li>Media: A top manager of several Ukrainian crypto exchanges suspected of embezzling 1 billion hryvnias.<\/li>\n<li>CertiK: Crypto scammers bypass FaceID using deepfakes.<\/li>\n<li>DemHack hackathon organizers opened applications.<\/li>\n<li>Yandex&#8217;s ban on cryptocurrency advertising triggered a wave of scams.<\/li>\n<li>Tether, TRON, and TRM Labs to tackle illegal activities with USDT.<\/li>\n<li>Singapore launched an investigation into Worldcoin account sales. 
Arrests made.<\/li>\n<li>Leaked Chainalysis video revealed XMR tracking method.<\/li>\n<li>The NBU urged banks to jointly monitor clients&#8217; P2P transfers.<\/li>\n<li>Former Revelo Intel CEO transferred company money to extortionists.<\/li>\n<li>AI music creator accused of $10 million fraud.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>Weekend Reading Suggestions<\/strong><\/h2>\n<p>Learn about Tigran Gambaryan and the implications of his arrest for the crypto market.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the most significant cybersecurity news of the week. Banking information-stealing malware tracked on Telegram. Bitcoin scam losses exceeded $5.6 billion in 2023. Over 50% of macOS attacks in six months targeted a single crypto stealer. Banking Information-Stealing Malware Tracked on Telegram Researchers at Group-IB have identified a new Android malware, Ajina.Banker, which [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":16959,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-16960","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"22","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/16960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"hr
ef":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=16960"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/16960\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/16959"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=16960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=16960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=16960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}