At a glance.
- Caffeine phishing-as-a-service platform.
- Malicious apps in official app stores.
- New Android spyware.
- Criminals continue using malicious HTML attachments.
Caffeine phishing platform.
Mandiant describes a phishing-as-a-service (PhaaS) platform called "Caffeine," which is surprisingly accessible and available to anyone on the Internet who knows the URL for its website:
"Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process, allowing just about anyone with an email to register for their services instead of working directly through narrow communication channels (such as underground forums or encrypted messaging services) or requiring an endorsement or referral through an existing user. Additionally, to seemingly maximize support for a variety of clientele, Caffeine also provides phishing email templates earmarked for use against Chinese and Russian targets; a generally uncommon and noteworthy feature of the platform."
Malicious apps in official app stores.
Researchers at Facebook's parent company Meta have published a list of more than 400 malicious Android and iOS apps, identified since the beginning of 2022, that were designed to steal Facebook credentials. The apps "were listed on the Google Play Store and Apple’s App Store and disguised as photo editors, games, VPN services, business apps and other utilities to trick people into downloading them." The largest share of the apps (42.6%) posed as photo editors. Meta has reported the apps to Google and Apple, and they've since been taken down.
New Android spyware.
Zimperium has observed a new strain of mobile spyware dubbed "RatMilad" that's targeting users in the Middle East. The spyware is distributed via a virtual phone number app called "NumRent":
"The Zimperium zLabs mobile threat research team detected the failed spyware infection of a customer’s enterprise device, identifying one application delivering the spyware payload. During the investigation into the threat and distribution methods, the Telegram channel used to distribute the sample was discovered. While inconclusive, the post had been viewed over 4,700 times with 200+ external shares.
"Spyware such as RatMilad is designed to run silently in the background, constantly spying on its victims without raising suspicion. We believe the malicious actors responsible for RatMilad acquired the code from the AppMilad group and integrated it into a fake app to distribute to unsuspecting victims. The evidence does not point to a coordinated campaign against singular targets, instead representing a broader operation. For any device that has been compromised by spyware, the malicious actors behind RatMilad have potentially gathered significant amounts of personal and corporate information on their victims, including private communications and photos."
Criminals continue using malicious HTML attachments.
Researchers at Trustwave SpiderLabs have observed a rise in malicious HTML attachments in phishing emails over the past month. Most of these attachments open a phishing page that impersonates a login portal to steal users’ credentials. The researchers note that some of these files will plug the user’s email address into the login field of the phishing page, to trick the user into thinking they had previously logged in. Attackers are also using HTML smuggling to avoid detection by email security filters.
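To make the detection side of this concrete, here is an added example (not from Trustwave or this newsletter) of a heuristic scanner that flags the two behaviours described above: client-side payload assembly typical of HTML smuggling, and a login form pre-filled with the recipient's address. The indicator patterns, thresholds and sample attachments are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Heuristic indicators for an HTML attachment. The first five point at
# client-side payload assembly (HTML smuggling); the last two at a
# credential lure that already carries the recipient's e-mail address.
# Patterns are illustrative assumptions, not a vendor's signatures.
INDICATORS: Dict[str, re.Pattern] = {
    "base64_decode":  re.compile(r"\batob\s*\(", re.I),
    "blob_builder":   re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "blob_download":  re.compile(r"msSaveOrOpenBlob|createObjectURL\s*\(", re.I),
    "download_attr":  re.compile(r"<a\b[^>]*\bdownload\b", re.I),
    "large_b64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "password_field": re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password", re.I),
    "prefilled_email": re.compile(
        r"<input\b[^>]*value\s*=\s*[\"']?[\w.+-]+@[\w-]+\.[\w.-]+", re.I),
}
SMUGGLING: Set[str] = {"base64_decode", "blob_builder", "blob_download",
                       "download_attr", "large_b64_blob"}
LURE: Set[str] = {"password_field", "prefilled_email"}

def score_attachment(html: str) -> Dict[str, object]:
    """Return the matched indicator names and a coarse verdict for one attachment."""
    hits: List[str] = [name for name, pat in INDICATORS.items() if pat.search(html)]
    smuggle_hits = SMUGGLING & set(hits)
    lure_hits = LURE & set(hits)
    if len(smuggle_hits) >= 2:          # two assembly primitives together
        verdict = "suspicious: html-smuggling"
    elif lure_hits == LURE:              # password box plus pre-filled address
        verdict = "suspicious: prefilled-credential-lure"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": sorted(hits), "verdict": verdict}

# Constructed samples (no real payload): the base64 decodes to "constructed-sample".
SAMPLE_SMUGGLING = """<html><body><script>
var d = atob("Y29uc3RydWN0ZWQtc2FtcGxl");
var f = new Blob([d], {type: "application/octet-stream"});
var u = URL.createObjectURL(f);
</script><a id="dl" download="statement.zip">Download</a></body></html>"""
SAMPLE_LURE = """<html><body><form action="https://login.example.invalid/">
<input name="email" value="alice@example.com" readonly>
<input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    for label, doc in (("smuggling", SAMPLE_SMUGGLING), ("lure", SAMPLE_LURE)):
        print(label, score_attachment(doc))
```

Real attachments are often obfuscated (split strings, encoded script), so a scanner like this is a triage aid to pair with sandbox detonation, not a stand-alone verdict.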