At a glance.
- Domestic Kitten updates its FurBall malware.
- Varonis discovers two Windows vulnerabilities.
Domestic Kitten updates its FurBall malware.
Researchers at ESET have observed a new version of the FurBall Android spyware used by the Iranian threat actor Domestic Kitten. The malware is targeting citizens of Iran, and is being distributed through "a translation app via a copycat of an Iranian website that provides translated articles, journals, and books":
"Based on the contact information from the legitimate website, they provide this service from Iran, which leads us to believe with high confidence that the copycat website targets Iranian citizens. The purpose of the copycat is to offer an Android app for download after clicking on a button that says, in Persian, 'Download the application'. The button has the Google Play logo, but this app is not available from the Google Play store; it is downloaded directly from the attacker’s server."
The researchers add, "The analyzed sample requests only one intrusive permission – to access contacts. The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase of a spearphishing attack conducted via text messages. If the threat actor expands the app permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more."
Varonis discovers two Windows vulnerabilities.
Researchers at Varonis discovered two Windows vulnerabilities dubbed “LogCrusher” and “OverLog,” located in the operating system’s Internet Explorer-specific Event Log. The vulnerabilities can be used to carry out denial-of-service attacks:
- “LogCrusher, which allowed any domain user to remotely crash the Event Log application of any Windows machine on the domain.
- “OverLog, which causes a remote denial-of-service (DoS) attack by filling the hard drive space of any Windows machine on the domain. (CVE-2022-37981)”
Varonis says Microsoft has patched the OverLog vulnerability and offered recommendations for mitigating LogCrusher:
“Microsoft has opted not to fully fix the LogCrusher vulnerability on Windows 10 (more recent operating systems are unaffected). As of Microsoft's Oct. 11, 2022 Patch Tuesday update, the default permissions setting that had allowed non-administrative users access to the Internet Explorer Event Log on remote machines has been restricted to local administrators, greatly reducing the potential for harm.
“While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks. We recommend that all potentially vulnerable systems apply the Microsoft-provided patch and monitor any suspicious activity.”
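Varonis's closing point is that the fix narrowed the Internet Explorer Event Log's permissions to local administrators, but other application logs may still grant access to ordinary users. The script below is an added example (not Varonis's tooling and not from the original article) that audits which event log channels on a Windows 10 host grant access to non-administrative principals, so a defender can confirm the October 2022 change took effect and spot other channels with similar exposure. It assumes Windows PowerShell 5.1 or later with wevtutil.exe available; the list of non-admin SIDs and the channel access-mask bit meanings (0x1 read, 0x2 write, 0x4 clear, as described in Microsoft's event log security descriptor documentation) are the author's assumptions, and the "Internet Explorer" channel name is taken from the article.

```powershell
# Added example (not from Varonis or the article): list event log channels whose
# security descriptor grants access to non-administrative principals.
# Assumes Windows PowerShell 5.1+ and wevtutil.exe. Run elevated for a full view.

# Well-known SIDs treated as "non-administrative" for this audit (assumption).
$NonAdminSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-7'       # Anonymous Logon
)

# Event log channel access-mask bits (per Microsoft's event log security docs).
$ELF_READ  = 0x1
$ELF_WRITE = 0x2
$ELF_CLEAR = 0x4

function Get-ChannelSddl {
    param([string]$Channel)
    # "wevtutil gl <channel>" prints the descriptor as "channelAccess: <SDDL>".
    $line = (& wevtutil.exe gl $Channel 2>$null) | Where-Object { $_ -match '^channelAccess:' }
    if (-not $line) { return $null }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Get-NonAdminChannelAccess {
    param([string[]]$Channels)
    foreach ($ch in $Channels) {
        $sddl = Get-ChannelSddl -Channel $ch
        if (-not $sddl) { continue }
        # Parse the SDDL into ACEs so we can inspect each grantee and its mask.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $sid = $ace.SecurityIdentifier.Value
            # Domain Users is RID 513 under the domain's own SID prefix.
            $isNonAdmin = ($NonAdminSids -contains $sid) -or ($sid -match '-513$')
            if (-not $isNonAdmin) { continue }
            [pscustomobject]@{
                Channel   = $ch
                Principal = $sid
                Read      = [bool]($ace.AccessMask -band $ELF_READ)
                Write     = [bool]($ace.AccessMask -band $ELF_WRITE)
                Clear     = [bool]($ace.AccessMask -band $ELF_CLEAR)
            }
        }
    }
}

# Check the Internet Explorer channel named in the advisory first, then every
# channel registered on the host, and show any non-admin grants found.
$allChannels = & wevtutil.exe el
Get-NonAdminChannelAccess -Channels (@('Internet Explorer') + $allChannels) |
    Sort-Object Channel, Principal |
    Format-Table -AutoSize
```

On a host that received the October 11, 2022 update, the "Internet Explorer" channel should no longer list Everyone, Authenticated Users, or Domain Users as grantees; any other channel that does appear in the output, especially with the Write or Clear bit set, is a candidate for the same kind of review Varonis recommends.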