#FactCheck- AI-Generated Video Falsely Claims Free Mobile Phones for Ration Card Holders

Introduction:

With improved capabilities and evasion strategies, the Vultur banking Trojan has reappeared and is a serious danger to Android users. The virus now employs numerous encrypted payloads, encrypted communication, and poses as legitimate apps. It is transmitted by trojanized dropper programs on the Google Play Store. Vultur targets victims via phone calls and SMS messages. With the help of this updated version of Vultur, attackers may take total control of compromised devices. They can perform a variety of remote control operations like install, remove, upload, and download files, halt the execution of programs, and circumvent the lock screen. The virus is now far more hazardous than it was previously because of its improved capacity to remotely access and manipulate machines.

Overview: 

The Android banking malware Vultur is well-known for its ability to record screens. It was first identified by ThreatFabric in March 2021 and targets banking apps for remote control and keylogging.

The malicious apps were hosted on the Google Play Store by the Brunhilda dropper-framework, which was used for its distribution. Initial versions of the program used reputable remote access tools such as ngrok and AlphaVNC.

Hybrid attacks have been used in recent operations to disseminate the Brunhilda dropper via phone calls and SMS. The dropper uses a number of payloads to distribute an upgraded version of Vultur.

41 new Firebase Cloud Messaging (FCM) commands and seven new Command-and-Control (C2) methods are included in the most recent version of Vultur. 

With the help of Android's Accessibility Services, these enhancements concentrate on remote access functionality that improves the malware's capacity to communicate with the victim's screen.

Modus operandi of Attack:

Hybrid Attack Method:

• Utilizes a phone call, two SMS messages, and trick users into installing malware.

• First SMS tricks victims into calling a certain number by claiming to have made significant, unlawful transactions, which gives the impression of urgency.

• Although there was no transaction in reality, the urgency motivates victims to act quickly.

Trozonized MacAfee App:

• The victims are told to install a trojanized version of the McAfee Security program from a given link during the phone call.

• This app looks harmless and has features similar to the original McAfee Security app, but it's actually the Brunhilda dropper.

• The victims are misled into assuming that the security software they are installing is authentic.

Execution of Vultur Payloads:

• Three payloads connected to Vultur are decrypted and executed via the Brunhilda dropper.

• Threat actors can carry out a variety of malicious operations, including keylogging and screen recording, on the victim's mobile device thanks to these payloads, which grant them total access over it.

• The infected device of the victim allows the threat actors to launch additional assaults or obtain private data.

Indication of the attack:

The symptoms of a Vultur banking Trojan infection include:

• Remote Access: This malware gives the hacker the ability to remotely use the infected device via clicking, scrolling, and swiping through Android's accessibility services.

• File Management: Through this, the malware is able to copy, share, remove, create, and locate files from devices it has infected.

• App Blocking: For instance; the malicious software can be programmed to stop the victims from opening a certain bunch of apps.

• Custom Notifications: Attackers can embed the malware with the functionality of displaying the customized notifications in the taskbar.

• Keyguard Disabling: The malware may be designed to turn off Screen Lock Guard feature so the lock screen security measure can be easily bypassed.

• Encrypted C2 Communication: The malware chooses AES data encryption, with Base64 text encoding to provide hidden traces for C2 communication.

• Payload Decryption: The malware uses native code, mostly written in C as well as C++, to decode the goods, thus, making a process of reversing more complicated.

• Spying on Financial Apps: The malware uses screen-streaming and keylogging as ways of acquiring facts about the victim’s mobile banking applications.

Indicator of Compromise:

File hash (SHA-256)

• edef007f1ca60fdf75a7d5c5ffe09f1fc3fb560153633ec18c5ddb46cc75ea21
• 89625cf2caed9028b41121c4589d9e35fa7981a2381aa293d4979b36cf5c8ff2
• 1fc81b03703d64339d1417a079720bf0480fece3d017c303d88d18c70c7aabc3
• 4fed4a42aadea8b3e937856318f9fbd056e2f46c19a6316df0660921dd5ba6c5
• 001fd4af41df8883957c515703e9b6b08e36fde3fd1d127b283ee75a32d575fc
• fc8c69bddd40a24d6d28fbf0c0d43a1a57067b19e6c3cc07e2664ef4879c221b
• 7337a79d832a57531b20b09c2fc17b4257a6d4e93fcaeb961eb7c6a95b071a06
• 7f1a344d8141e75c69a3c5cf61197f1d4b5038053fd777a68589ecdb29168e0c
• 26f9e19c2a82d2ed4d940c2ec535ff2aba8583ae3867502899a7790fe3628400
• 2a97ed20f1ae2ea5ef2b162d61279b2f9b68eba7cf27920e2a82a115fd68e31f
• c0f3cb3d837d39aa3abccada0b4ecdb840621a8539519c104b27e2a646d7d50d
• 92af567452ecd02e48a2ebc762a318ce526ab28e192e89407cac9df3c317e78d
• fa6111216966a98561a2af9e4ac97db036bcd551635be5b230995faad40b7607
• dc4f24f07d99e4e34d1f50de0535f88ea52cc62bfb520452bdd730b94d6d8c0e
• 627529bb010b98511cfa1ad1aaa08760b158f4733e2bbccfd54050838c7b7fa3
• f5ce27a49eaf59292f11af07851383e7d721a4d60019f3aceb8ca914259056af
• 5d86c9afd1d33e4affa9ba61225aded26ecaeb01755eeb861bb4db9bbb39191c
• 5724589c46f3e469dc9f048e1e2601b8d7d1bafcc54e3d9460bc0adeeada022d
• 7f1a344d8141e75c69a3c5cf61197f1d4b5038053fd777a68589ecdb29168e0c
• fd3b36455e58ba3531e8cce0326cce782723cc5d1cc0998b775e07e6c2622160
• 819044d01e8726a47fc5970efc80ceddea0ac9bf7c1c5d08b293f0ae571369a9
• 0f2f8adce0f1e1971cba5851e383846b68e5504679d916d7dad10133cc965851
• fb1e68ee3509993d0fe767b0372752d2fec8f5b0bf03d5c10a30b042a830ae1a
• d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
• f4d7e9ec4eda034c29b8d73d479084658858f56e67909c2ffedf9223d7ca9bd2
• 7ca6989ccfb0ad0571aef7b263125410a5037976f41e17ee7c022097f827bd74
• c646c8e6a632e23a9c2e60590f012c7b5cb40340194cb0a597161676961b4de0

Command and Control Servers

• safetyfactor[.]online
• cloudmiracle[.]store
• flandria171[.]appspot[.]com (FCM)
• newyan-1e09d[.]appspot[.]com (FCM)

Droppers distribution URL’s

• mcafee[.]960232[.]com
• mcafee[.]353934[.]com
• mcafee[.]908713[.]com
• mcafee[.]784503[.]com
• mcafee[.]053105[.]com
• mcafee[.]092877[.]com
• mcafee[.]582630[.]com
• mcafee[.]581574[.]com
• mcafee[.]582342[.]com
• mcafee[.]593942[.]com
• mcafee[.]930204[.]com

Steps to be taken when your device is compromised?.

• Change the password: Vultur revealed multiple cases where threat actors can gain access to your financial and private information. To safeguard your account, reset passwords on other devices and create secure, unique passwords during the time. Instead of simply storing your password, a reputed password manager is the most secure way of storing information.

• Keep an eye on your transactions and accounts: It is advised that you regularly monitor your online accounts for any unusual or illegal activity. Keep a watch out for any irregularities, and report anything suspicious to the provider or authorities straight immediately.. Also check your credit reports and scores attentively to make sure that your identity or cards are not compromised.

• Make sure you are using identity theft protection: Many pieces of information about your identity are stored in an Android device. Cyber criminals can easily get hold of this data and make major damage to you, including stealing your money and identity. For your own protection, some of the identity theft protection services that monitor all your personal information and notify you on any unusual activity and, as well, helps you to freeze your accounts would be beneficial.

• Immediately get in touch with your banks and credit card companies: Your personal information such as credit card or bank details is of high risk to be exposed to hackers who could use them to make transactions without you knowing. You should inform your credit card and the lending bank about the situation as soon as possible. They would help you if your cards were used for fraudulent charges and your card be either frozen or canceled. Besides, they can get new cards issued.

• Make your contacts alert regarding the fraud you faced: Threat actors may access your social media or email accounts to send phishing messages or spam to people in your contact list, if they gain access to them. Moreover, they may masquerade as you and try to extort cash from you or disclose your personal information. Distributing a message to your contacts stating that they shouldn’t open or reply to any messages that look like they are not from you and look very strange or suspicious, will be a great idea.

• Make a backup and wipe all your device content in factory settings: You can always factory reset your device to ensure it is free of viruses and spyware. In other words, it will refresh Android and leave behind all your data and settings. Back up all the critical data prior to processing it and assure that everything is restored from a trustworthy source only.

Preventive measures to be taken:

• Avoid calling back to the hacker: If a hacker texts you claiming to have approved a sizable bank transaction, refrain from picking up the phone. You can always check by making a call to your own financial intuition. However, never pick up on an unknown number that someone else sends you.

• Avoid sideloading apps and shortened URLs: Try to avoid sideloading apps. That's the moment when you install apps from unofficial sources. Users may be tricked into downloading malware using short URLs.

• Be careful granting permissions: Be cautious when allowing permissions for apps. Think about whether an app really needs access to specific data or device functions.

• Limit the apps you have on your phone: On your phone, having plenty of apps might sometimes make it easier to become infected with malware. Over time, these apps may allow harmful code to enter your system, and the more programs you have to update and monitor, the greater the risk to your Android device. This is how to remove pointless apps from your Android device.

• Download apps from reputable sources: Additionally, make sure the programs you download are from reputable and authorized developers. Do your homework and read reviews before you install.

• Keep your Android device updated: With the help of software and security upgrades, your phone can automatically maintain security. Remember to install them.

• Have good antivirus software on all your devices: The best defense against malware on all of your devices is to install antivirus software. By blocking you from clicking on potentially dangerous links, antivirus software can keep malware off your devices and keep hackers from accessing your personal data.

Conclusion:

Vultur is a terrifying banking Trojan with a great deal of sophistication. It's unsettling that hackers can take complete control of your Android device, which emphasizes how crucial it is that you take precautions. It all starts with a text message in these attacks. You must take the time to independently contact your banking institution to check whether there are any issues. You may prevent having your entire device compromised and your personal information exposed by simply investing an additional few minutes.

Reference:

• https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
• https://www.threatfabric.com/blogs/vultur-v-for-vnc\
• https://www.tomsguide.com/computing/malware-adware/this-nasty-android-banking-trojan-lets-hackers-completely-hijack-your-phone-how-to-stay-safe
• https://thehackernews.com/2024/04/vultur-android-banking-trojan-returns.html?m=1
• https://www.smallbiztechnology.com/archive/2024/04/vultur-trojan-heightens-android-app-security-risks.html/
• https://securityaffairs.com/161320/malware/vultur-banking-trojan-android.html
• https://www.malwarebytes.com/blog/detections/android-trojan-spy-vultur
• https://www.scmagazine.com/brief/updated-vultur-android-banking-trojan-emerges
• https://innovatecybersecurity.com/security-threat-advisory/windows-server-updates-blamed-for-domain-controller-crashes-kb5035855-and-kb5035857/

‍

Introduction:

Welcome to the third edition of our blog on digital forensics series. In our previous blog we discussed the difference between copying, cloning, and imaging in the context of Digital Forensics, and found out why imaging is a better process. Today we will discuss the process of evidence collection in Digital Forensics. The whole process starts with making sure the evidence collection team has all necessary tools required for the task.

Investigating Tools and Equipment:

Below are some mentioned tools that the team should carry with them for a successful evidence collection:

• Anti-static bags
• Faraday bags
• Toolkit having screwdrivers(nonmagnetic), scissors, pins, cutters, forceps, clips etc.
• Rubber gloves
• Incident response toolkit (Software)
• Converter/Adapter: USB, SATA, IDE, SCSI
• Imaging software
• Volatile data collection tools (FTK Imager, Magnet Forensics RAM Capture)
• Pens, permanent markers
• Storage containers
• Batteries
• Video cameras
• Note/sketch pads
• Blank storage media
• Write-Blocker device
• Labels
• Crime scene security tapes
• Camera

What sources of Data are necessary for Digital Evidence?

• Hard-Drive (Desktop, Laptop, External, Server)
• Flash Drive
• SD Cards
• Floppy Disks
• Optical Media (CD, DVD)
• CCTV/DVR
• Internal Storage of Mobile Device
• GPS (Mobile/Car)
• Call Site Track (Towers)
• RAM

‍

‍

Evidence Collection

The investigators encounter two primary types of evidence during the course of gathering evidence: non-electronic and electronic evidence.

The following approaches could be used to gather non-electronic evidence:

• In the course of looking into electronic crimes, recovering non-electronic evidence can be extremely important.  Be cautious to make sure that this kind of evidence is retrieved and kept safe. Items that may be relevant to a later review of electronic evidence include passwords, papers or printouts, calendars, literature, hardware and software manuals, text or graphical computer printouts, and photos.  These items should be secured and kept for further examination.
• They are frequently found close to the computer or other related hardware.  Locating, securing, and preserving all evidence is required by departmental procedures.

Three scenarios arise for the collection of digital evidence from computers: 

Situation 1: The desktop is visible, and the monitor is on.

• Take a picture of the screen and note the data that is visible. 
• Utilize tools for memory capturing to gather volatile data.
• Look for virtual disks. If so, gather mounted data's logical copies.
• Give each port and connection a label.
• Take a picture of them.
• Turn off network access to stop remote access.
• Cut off the power or turn it off.
• Locate and disconnect the hard drive by opening the CPU chassis.
• Take all evidence and place it in anti-magnetic (Faraday) bags.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact.

Situation 2: The monitor is turned on, but it either has a blank screen (sleep mode) or an image for the screensaver.

• Make a small mouse movement (without pressing buttons). The work product should appear on the screen, or it should ask for a password.
• If moving the mouse does not result in a change to the screen, stop using the mouse and stop all keystrokes.
• Take a picture of the screen and note the data that is visible.
• Use memory capturing tools to gather volatile data (always use a write blocker to prevent manipulation during data collection).
• Proceed further in accordance with Situation 1.

Situation 3: The Monitor Is Off

• Write down the "off" status.
• After turning on the monitor, check to see if its status matches that of situations 1 or 2 above, and then take the appropriate action.
• Using a phone modem, cable, confirm that you are connected to the outside world. Try to find the phone number if there is a connection to the phone.
• To protect evidence, take out the floppy disks that might be there, package each disk separately, and label the evidence.  Put in a blank floppy disk or a seizure disk, if one is available. Avoid touching the CD drive or taking out CDs.
• Cover the power connector and every drive slot with tape.
• Note the serial number, make, and model.
• Take a picture of the computer's connections and make a diagram with the relevant cables.
• To enable precise reassembly at a later date, label all connectors and cable ends, including connections to peripheral devices. Put "unused" on any connection ports that are not in use.  Recognize docking stations for laptop computers in an attempt to locate additional storage media.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• All evidence should be seized and placed in anti-magnetic (Faraday) bags.
• Put a tag or label on every bag.
• Deliver the evidence to the forensic lab.
• Keep the chain of custody intact. 

Following the effective gathering of data, the following steps in the process are crucial: data packaging, data transportation, and data storage.

The following are the steps involved in data packaging, transportation, and storage:

Packaging:

• Label every computer system that is gathered so that it can be put back together exactly as it was found

When gathering evidence at a scene of crime,

• Before packing, make sure that every piece of evidence has been appropriately  labeled and documented.
• Latent or trace evidence requires particular attention, and steps should be taken to preserve it.
• Use paper or antistatic plastic bags for packing magnetic media to prevent static electricity. Do not use materials like regular plastic bags (instead use faraday bags) that can cause static electricity. 
• Be careful not to bend, fold, computer media like tapes, or CD-ROM.
• Make sure that the labels on every container used to store evidence are correct.

Transporting

• Make sure devices are not packed in containers and are safely fastened inside the car to avoid shock and excessive vibrations. Computers could be positioned on the floor of the car,and monitors could be mounted on the seat with the screen down .

When transporting evidence—

• Any electronic evidence should be kept away from magnetic sources.  Radiation transmitters, speaker magnets, and heated seats are a few examples of items that can contaminate electronic evidence.
• Avoid leaving electronic evidence in your car for longer than necessary. Electronic devices can be harmed by extremes in temperature, humidity.
• Maintain the integrity of the chain of custody while transporting any evidence.

Storing

• Evidence should be kept safe and away from extremes in humidity and temperature. Keep it away from dust, moisture, magnetic devices, and other dangerous impurities.  Be advised that extended storage may cause important evidence—like dates, times, and system configurations—to disappear. Because batteries have a finite lifespan, data loss may occur if they malfunction. Whenever the battery operated device needs immediate attention, it should be informed to the relevant authority (eg., the chief of laboratory, the forensic examiner, and the custodian of the evidence). 

CONCLUSION:

Thus, securing the crime scene to packaging, transportation and storage of data are the important steps in the process of collecting digital evidence in forensic investigations. Keeping the authenticity during the process along with their provenance is critical during this phase. It is also important to ensure the admissibility of evidence in legal proceedings. This systematic approach is essential for effectively investigating and prosecuting digital crimes.

‍

 Introduction

Children today are growing up amidst technology, and the internet has become an important part of their lives. The internet provides a wealth of recreational and educational options and learning environments to children, but it also presents extensively unseen difficulties, particularly in the context of deepfakes and misinformation. AI is capable of performing complex tasks in a fast time. However, misuse of AI technologies led to increasing cyber crimes. The growing nature of cyber threats can have a negative impact on children wellbeing and safety while using the Internet.  

 India's Digital Environment

India has one of the world's fastest-growing internet user bases, and young netizens here are getting online every passing day. The internet has now become an inseparable part of their everyday lives, be it social media or online courses. But the speed at which the digital world is evolving has raised many privacy and safety concerns increasing the chance of exposure to potentially dangerous content.

 Misinformation: The raising Concern

Today, the internet is filled with various types of misinformation, and youngsters are especially vulnerable to its adverse effects. With the diversity in the language and culture in India, the spread of misinformation can have a vast negative impact on society. In particular, misinformation in education has the power to divulge young brains and create hindrances in their cognitive development. 

To address this issue, it is important that parents, academia, government, industry and civil society start working together to promote digital literacy initiatives that educate children to critically analyse online material which can ease navigation in the digital realm.

DeepFakes: The Deceptive Mirage:

Deepfakes, or digitally altered videos and/or images made with the use of artificial intelligence, pose a huge internet threat. The possible ramifications of deepfake technology are concerning in India, since there is a high level of dependence on the media. Deepfakes can have far-reaching repercussions, from altering political narratives to disseminating misleading information.

Addressing the deepfake problem demands a multifaceted strategy. Media literacy programs should be integrated into the educational curriculum to assist youngsters in distinguishing between legitimate and distorted content. Furthermore, strict laws as well as technology developments are required to detect and limit the negative impact of deepfakes.

Safeguarding Children in Cyberspace

●   Parental Guidance and Open Communication: Open communication and parental guidance are essential for protecting children's internet safety. It's a necessity to have open discussions about the possible consequences and appropriate internet use. Understanding the platforms and material children are consuming online, parents should actively participate in their children's online activities.

●  Educational Initiatives: Comprehensive programs for digital literacy must be implemented in educational settings. Critical thinking abilities, internet etiquette, and knowledge of the risks associated with deepfakes and misinformation should all be included in these programs. Fostering a secure online environment requires giving young netizens the tools they need to question and examine digital content.

●   Policies and Rules: Admitting the threats or risks posed by misuse of advanced technologies such as AI and deepfake, the Indian government is on its way to coming up with dedicated legislation to tackle the issues arising from misuse of deepfake technology by the bad actors. The government has recently come up with an advisory to social media intermediaries to identify misinformation and deepfakes and to make sure of the compliance of Information Technology (IT) Rules 2021. It is the legal obligation of online platforms to prevent the spread of misinformation and exercise due diligence or reasonable efforts are made to identify misinformation and deepfakes. Legal frameworks need to be equipped to handle the challenges posed by AI. Accountability in AI is a complex issue that requires comprehensive legal reforms. In light of various cases reported about the misuse of deepfakes and spreading such deepfake content on social media, It is advocated that there is a need to adopt and enforce strong laws to address the challenges posed by misinformation and deepfakes. Working with technological companies to implement advanced content detection tools and ensuring that law enforcement takes swift action against those who misuse technology will act as a deterrent among cyber crooks. 

●    Digital parenting: It is important for parents to keep up with the latest trends and digital technologies. Digital parenting includes understanding privacy settings, monitoring online activity, and using parental control tools to create a safe online environment for children.

Conclusion

As India continues to move forward digitally, protecting children in cyberspace has become a shared responsibility. By promoting digital literacy, encouraging open communication and enforcing strong laws, we can create a safer online environment for younger generations. Knowledge, understanding, and active efforts to combat misinformation and deeply entrenched myths are the keys to unlocking the safety net in the online age. Social media Intermediaries or platforms must ensure compliance under IT Rules 2021, IT Act, 2000 and the newly enacted Digital Personal Data Protection Act, 2023. It is the shared responsibility of the government, parents & teachers, users and organisations to establish safe online space for children.   

References:

• https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1975445
• https://www.safes.so/blogs/dangers-of-deepfake/