Vibrator virus steals your personal information
2024-2-21 20:58:19 Author: www.malwarebytes.com(查看原文) 阅读量:9 收藏

spying kitty

I know that some of you are expecting a post similar to that about a toothbrush botnet, but this is not a hypothetical case. It actually happened.

A Malwarebytes Premium customer started a thread on Reddit saying we had blocked malware from trying to infect their computer after they connected a vibrator to a USB port in order to charge the device.

The vibrator, Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, was infected with an information stealer known as Lumma.

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it through infected USB drives, as is the case here.

The question that remains is, how did the vibrator get infected? The victim bought the vibrator at Spencer’s, so we reached out to the company in an attempt to get to the bottom of this.

Spencer’s acknowledged that it was aware of the problem, but the team investigating the issue was unable to provide further information at this point. We’ll keep you updated if we receive word from them or find out any more information ourselves.

Our advice when it comes to USB devices, including rechargeable vibrators:

  • Don’t connect the USB to your computer for charging. If you use a good old-fashioned AC plug socket then no data transfer can take place while you charge.
  • If you still want the option to connect via USB, USB condoms or “juice-jack defenders” as they are sometimes called will prevent accidental data exchange when your device is plugged into another device with a USB cable.
  • Treat untrusted devices like you would the “lost USB stick” in the parking lot. You know you shouldn’t connect those to your computer, right?
  • Always use security software. In this case, the customer was protected by Malwarebytes Premium. If they weren’t using security software, their personal information might have ended up in the hands of cybercriminals.

Technical details

The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi).

content of one of the hundrreds of XML files
content of one of the hundrreds of XML files
content of one of the hundrreds of XML files

The XML files all look very similar to the above and seem to be designed to functions as an XML bomb. An XML bomb is an exponential entity expansion attack, similar to a ZIP bomb, that is designed to crash the web application. This is likely used to draw the attention of the victim away from the actual malware.

The installer creates a program entry called Outweep Dynes.

Outweep Dynes entry in list of installed Programs
Outweep Dynes entry in list of installed Programs
Outweep Dynes entry in list of installed Programs

The Outweep Dynes “program” is yet another installer dropped in %USERPROFILE%\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

To hinder reverse engineering, extraction of the executable is password protected. But with the password hardcoded in the file, that was not a problem.

Russian prompt to enter password for the executable

The file then executes a heavily obfuscated portable executable detected by Malwarebytes as Trojan.Crypt.MSIL which is Malwarebytes’ generic detection name for a type of obfuscated Trojan programmed in Microsoft Intermediate Language (MSIL).

The dropped executable is a combination of the Lumma Stealer and an additional .NET dll library.

Malwarebytes ThreatDown customers enjoy protection by Advanced Device Control. When a USB device is connected, ThreatDown now doesn’t just control access—it actively scans it. You can also now choose to block the device until the system scans it. This means threats are stopped in their tracks, well before they can do any harm.

IOCs

Program name:

Outweep Dynes

Folder:

%USERPROFILE%\AppData\Local\Outweep Dynes

Filenames:

  • InstallerPlus_v3e.5m.exe
  • Installer-Advanced-Installergenius_v4.8z.1l.exe

SHA256 hashes:

  • 207ee8fb2a824009fe72a857e041297bde3b82626b8883bc05ca8572b4dd148a
  • e0f4382f4534c2c0071ce0779d21f0fed59f428cdb622b1945e0a54157c19f95
  • be6efe16701cb69ec6e48441a6ad1c1f934e0f92878ccdfafc3f52cbc97be5c2

Vibrator:

Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


文章来源: https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information
如有侵权请联系:admin#unsafe.sh