norm. Threat Bulletin: 15th May 2024

Threat bulletin header

Android Malware Campaign: Deceptive Icons and Phishing Threatens User Credentials

A recent report by SonicWall Capture Labs highlights the emergence of malicious Android apps impersonating popular services like Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter), aimed at stealing user credentials. These apps utilise familiar icons to deceive users into installing them, subsequently gaining permissions for device control and data theft. Upon installation, the malware connects to a command-and-control server, enabling various unauthorised actions such as accessing contacts, SMS messages, and call logs, sending SMS messages, opening phishing pages, and toggling the camera flashlight.

The phishing URLs associated with these attacks mimic login pages of well-known platforms, including Facebook, GitHub, LinkedIn, Netflix, PayPal, and more. Additionally, Symantec warns of a social engineering campaign utilising WhatsApp to distribute Android malware disguised as Defense-related applications, further exacerbating the threat landscape.

Furthermore, various malware campaigns have been observed distributing Android banking trojans like Coper, capable of harvesting sensitive information and deploying fake window overlays to trick users into surrendering credentials. Finland’s NCSC-FI reported smishing messages leading to Android malware that steals banking data, employing a technique called telephone-oriented attack delivery (TOAD) to deceive users into installing malicious software under the guise of antivirus protection.

In addition to banking trojans, Android-based malware such as Tambir and Dwphon have been identified, with Dwphon particularly targeting mobile phones by Chinese handset makers, suspected to be part of supply chain attacks. Telemetry data from Kaspersky indicates a significant increase in Android users affected by banking malware, highlighting a shift towards mobile banking Trojans compared to PC banking malware.

The report from SonicWall Capture Labs also further breaks down the functionality and stages of the malware, providing a list of Indicators of Compromise (IOCs) which can be used to identify different stages and instances of the malware process:

  • 0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d
  • 37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509
  • 3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173
  • 6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564
  • 9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162
  • a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3
  • d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987
  • d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1
  • ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb
  • f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41

Overall, the threat landscape for Android users continues to evolve, with malicious actors utilising sophisticated techniques to infiltrate devices, steal sensitive information, and conduct unauthorised activities, emphasising the importance of robust cyber security measures and user vigilance.

MSSPs are fully equipped to deal with these threats for their customers, here are at norm. our Managed Threat Detection and Response package service provides near real-time security monitoring for your network, services and devices. Using telemetry feeds, threat intelligence feeds, use cases and play books, the norm. Security Operations Centre (SOC) identifies and isolates threats in near real-time, giving you peace of mind 24 hours a day, every day.



Malicious Android Apps Pose as Google, Instagram, WhatsApp to Steal Credentials (
Android Remote Access Trojan Equipped to Harvest Credentials (
Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities (
Device admin deprecation | Android Enterprise (


Critical Chrome Zero-Day Vulnerability Requires Immediate Attention

Google has issued a critical security update for Chrome in response to a zero-day vulnerability, CVE-2024-4671, which has been actively exploited by attackers. This flaw, identified in Chrome’s Visuals component, poses a significant risk as it could potentially allow attackers to gain control over affected systems.

How the Exploit Works:

Imagine your computer’s memory as a workspace with labelled drawers. This vulnerability is like accidentally trying to use a drawer you’ve already emptied and closed. In Chrome’s case (CVE-2024-4671), this could potentially allow attackers to insert malicious code or take unauthorised control of your system.

The vulnerability, termed as a high-severity use-after-free bug, enables attackers to exploit Chrome’s Visuals component. By doing so, they can execute arbitrary code, leading to potential system compromise.

Why You Must Act Now:

Given that attackers have been exploiting this vulnerability prior to its discovery by Google, immediate action is imperative. This marks the second zero-day vulnerability actively exploited in Chrome this year alone, underscoring the critical importance of keeping your browser up to date to safeguard against emerging threats.

How to Update Chrome:

While Chrome typically updates automatically, it’s prudent to verify and manually trigger the update if necessary. Follow these steps:

  1. Click on the three dots located in the top right corner of Chrome.
  2. Navigate to “Settings,” then select “About Chrome.”
  3. Check your current version number. If an update is available, it will download and install automatically.
  4. After the update is downloaded, click “Relaunch” to restart Chrome and apply the changes.

For Users of Other Chromium-Based Browsers:

If you’re using a browser based on Chromium such as Microsoft Edge, Brave, Opera, or Vivaldi, ensure that you update to the latest version once the fix is released for your browser.

By promptly updating your browser, you play a crucial role in fortifying your online security and mitigating the risks posed by this critical vulnerability.



How Machine Learning improved the Chrome address bar on Windows, Mac and ChromeOS (
Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability (


Hijack Loader Receives New Features to Evade Detection

A recent iteration of a malware loader known as ‘Hijack Loader’ has been identified implementing an updated array of anti-analysis techniques to evade detection. These refinements aim to enhance the malware’s stealthiness, enabling it to remain undetected for extended periods, as per findings from Zscaler ThreatLabz researcher Muhammed Irfan V A.

The latest version of Hijack Loader includes modules designed to add an exclusion for Windows Defender Antivirus, bypass User Account Control (UAC), evade inline API hooking commonly employed by security software for detection, and utilise process hollowing.

Originally documented by cyber security experts in September 2023, Hijack Loader, also referred to as IDAT Loader, has since been utilised as a conduit for various malware families, including Amadey, Lumma Stealer (also known as LummaC2), Meta Stealer, Racoon Stealer V2, Remcos RAT, and Rhadamanthys.

Additionally, readers can refer to the recent threat bulletin from norm. which detailed the usage of the Rhadamanthys malware family by threat actor group TA547, for further awareness.

What distinguishes this recent version is its utilisation of a technique decrypting and parsing a PNG image to load the subsequent payload, a method initially outlined by Morphisec in connection with a campaign targeting Ukrainian entities in Finland.

The loader, according to Zscaler, is equipped with a first stage responsible for extracting and launching the second stage from a PNG image either embedded within or separately downloaded, based on the malware’s configuration.

The primary objective of the second stage is to inject the main instrumentation module, explained Irfan. To bolster stealthiness, the second stage of the loader employs additional anti-analysis techniques through multiple modules.

Hijack Loader artifacts detected in the wild during March and April 2024 integrate up to seven new modules to facilitate the creation of new processes, UAC bypass, and adding a Windows Defender Antivirus exclusion via PowerShell command.

Further enhancing its stealth is the application of the Heaven’s Gate technique to circumvent user mode hooks, as previously disclosed by CrowdStrike in February 2024.

Amadey has been the most frequently delivered family by HijackLoader, noted Irfan. The loading of the second stage involves the use of an embedded PNG image, or a PNG image downloaded from the web. Additionally, new modules have been integrated into HijackLoader, enhancing its capabilities, and making it even more robust.

These developments coincide with malware campaigns disseminating various malware loader families such as DarkGate, FakeBat (also known as EugenLoader), GuLoader via malvertising and phishing attacks.

Furthermore, this follows the emergence of an information stealer named TesseractStealer distributed by ViperSoftX, leveraging the open-source Tesseract optical character recognition (OCR) engine to extract text from image files.

The malware focuses on specific data related to credentials and cryptocurrency wallet information, stated Symantec, which is owned by Broadcom. Next to TesseractStealer, some recent ViperSoftX runs have also been observed to drop another payload from the Quasar RAT malware family.

As a part of NormCyber’s ongoing commitment to safeguarding against evolving cyber threats, users are encouraged to explore our modules addressing Cyber Safety and Phishing, which provide invaluable insights into protecting against malware and phishing attempts.



Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version (

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: