Cybercriminals Bought Facebook Ads for a Fake Clubhouse App That Was Riddled With Malware


Photo: Josh Edelson/AFP (Getty Images)

Cybercriminals have been pushing Facebook users to download a Clubhouse app “for PC,” something that doesn’t exist. The download is actually a trojan that installs malware on the victim’s computer. The popular new invite-only chat app is available only on iPhone, but worldwide interest in the platform has risen and users are clamoring for Android and, presumably, “PC” versions.


Per TechCrunch, the malicious campaign used Facebook ads and pages to direct platform users to a series of fake Clubhouse websites. Those sites, hosted in Russia, asked visitors to download the app, which they promised was just the most recent version of the product: “We tried to make the experience as smooth as possible. You can check it out right now!” one proclaims.

However, once installed and run, the app would begin signaling to a command and control (C&C) server. In cyberattacks, the C&C is typically the server from which malware receives its instructions once it has infected a system. Running the app in the VMRay malware analysis sandbox reportedly showed that, in one instance, it tried to infect the computer with ransomware.
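Implants of this kind rarely hide the shape of their traffic: they poll the C&C server on a timer, which shows up in proxy or firewall logs as one internal host contacting one destination at near-constant intervals. The following is an added example, not code from the article or from any of the researchers it cites, that scores constructed proxy log lines for that regularity. The log format, host names and addresses are all made up for illustration.

```python
"""Beacon detection over constructed proxy log lines.

Added example (not from the article): flags (source, destination) pairs whose
connection intervals are suspiciously regular, the pattern a trojan produces
while polling its command-and-control (C&C) server for tasks. The log format
and every sample line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, format: "timestamp src_ip dst_host bytes" (not real traffic).
# 10.0.0.5 polls updates.example.org about once a minute with tiny responses;
# everything else is irregular browsing or mail traffic.
SAMPLE_LOG = """\
2021-03-08T10:00:00 10.0.0.5 cdn.example.net 5120
2021-03-08T10:00:03 10.0.0.5 updates.example.org 812
2021-03-08T10:00:00 10.0.0.7 mail.example.com 2048
2021-03-08T10:01:00 10.0.0.5 updates.example.org 806
2021-03-08T10:02:01 10.0.0.5 updates.example.org 809
2021-03-08T10:02:15 10.0.0.5 cdn.example.net 98304
2021-03-08T10:03:00 10.0.0.5 updates.example.org 811
2021-03-08T10:03:59 10.0.0.5 updates.example.org 808
2021-03-08T10:05:00 10.0.0.5 updates.example.org 810
2021-03-08T10:07:40 10.0.0.7 mail.example.com 1500
2021-03-08T10:09:12 10.0.0.5 cdn.example.net 4096
2021-03-08T10:11:05 10.0.0.7 mail.example.com 9000
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, int) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_connections=4, max_cv=0.2):
    """Return (src, dst) pairs whose inter-connection intervals are nearly constant.

    The score is the coefficient of variation, cv = pstdev(intervals) / mean(intervals).
    Human-driven traffic to a site has a high cv; a timer-driven implant polling
    its C&C has a low one. Pairs with fewer than min_connections events are
    skipped because one or two intervals say nothing about periodicity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval": avg,
                "cv": cv,
                "mean_bytes": mean(size for _, size in events),
            })
    # Most regular first: the lowest cv is the strongest candidate.
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.3f}), "
              f"~{hit['mean_bytes']:.0f} bytes each")
```

Treat the output as a triage list, not a verdict: software updaters, telemetry agents and some CDN clients also poll on timers, so in practice an allowlist of known destinations and a look at the response sizes (a task poll that returns the same few hundred bytes every time is more suspicious than a large, varying download) are needed before escalating. Implants that add random jitter to their sleep interval raise the cv deliberately, which is why the threshold is a parameter rather than a constant.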

Taking advantage of a popular new product to deploy malware is a pretty classic cybercriminal move—and given Clubhouse’s prominence right now, it’s no surprise that this is happening. In fact, researchers recently discovered a different fake Clubhouse app. Lukas Stefanko of security firm ESET revealed how another fictional “Android version” of the app was acting as a front for criminals looking to steal users’ login credentials for other services.

Fortunately, it doesn’t appear that this most recent campaign was too popular, as TechCrunch reports that the Facebook pages associated with the fake app only had a handful of likes.

It’s an interesting little incident, though it may be difficult to find out more about this tricky campaign because the websites hosting the fake app have apparently disappeared. With the sites offline, the malware apparently no longer has a server to download from or report to. Facebook has also taken down the ads associated with the campaign.

Hackers Are Swarming Microsoft Exchange


Photo: Jeenah Moon (Getty Images)

Those Microsoft Exchange security flaws you may have heard about are really getting pummeled. If ever there was a time for cybersecurity reporters to trot out metaphors involving phrases like “blood in the water” and “deranged swarm of piranhas,” it might be right now.


At least 10 separate advanced persistent threat (APT) actors (a fancy term for well-organized hacker groups) are targeting the email product’s vulnerabilities, according to a recent report from security firm ESET. This is contrary to what Microsoft initially said, which is that the flaws were mainly being targeted by one group, a “state-sponsored” threat actor located in China that it calls “HAFNIUM.”

Instead, ESET reports that Exchange is basically getting pillaged by close to a dozen different groups, all of whom have names that sound like bad gamertags, including Tick, LuckyMouse, Calypso, Websiic, Winnti, TontoTeam, Mikroceen and DLTMiner. There are also apparently two other hacker groups that have not yet been identified. So, yeah, it’s a pretty big mess.

The hacking seems to have picked up directly after Microsoft released its patches, too, as ESET’s report states that “the day after the release of the patch” security researchers “started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse.”

A new report from security researchers with DomainTools has also thrown cold water on the idea that “HAFNIUM” is actually a hacker group associated with the Chinese government. So, on top of everything else, it’s not even clear who or what “HAFNIUM” is:

“While such a link [to the PRC] is certainly possible and has not been ruled out, as of this writing no conclusive evidence has emerged linking HAFNIUM operations to the People’s Republic of China (PRC). And HAFNIUM is also far from the only entity assessed to be targeting this vulnerability.”


Who is getting targeted? According to a warning from the FBI published Wednesday, it would appear the answer is: pretty much everybody.

Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.


While the entities in the U.S. said to be affected number 30,000 or more, it’s so far been a slow trickle of disclosures—though local governments and small businesses are thought to be some of the more heavily targeted. On Wednesday, U.S. officials said that, so far, there is no evidence of federal executive agencies having been compromised by the attacks.
