Cloudmark has reported a new SMS malware campaign that it has named TangleBot. At present, attacks are confined to the USA and Canada, but it could target other countries soon. TangleBot uses COVID-19 lures to trick its victims into clicking on a link in an SMS. Users who click the link are told that the Adobe Flash player on their device is outdated and must be updated. If the user follows the prompts, the malware is installed on their Android device, giving it access to a wide range of functions on the device.
According to security researchers Felipe Naves, Andrew Conway, W Stuart Jones and Adam McNeil: “The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone.”
Control over the device makes TangleBot exceptionally dangerous
The range of functions that TangleBot controls makes it extremely dangerous. Take its control of text messaging combined with its ability to interact with applications on the device. For those who do mobile banking, this is a nightmare scenario. TangleBot can interact with their banking app, intercept SMS authentication codes and move money.
It can also use text messaging to spread the malware to anyone in the contacts list on the device. People are more likely to click on a link that appears to come from a trusted contact. At the same time, the group behind TangleBot can use the SMS function to exfiltrate data and then delete the messages afterwards. They can also use it to send links to new malware.
Theft of credentials poses a risk to enterprises
Control over location data, the microphone and the camera also turns the device into an ideal spying tool. The rise of BYOD and Work From Home (WFH) has meant that personal devices are now commonly used to access corporate data. An attacker can use an infected device to spy on meetings or capture user credentials from installed applications.
According to Hank Schless, Security Manager of Security Solutions at Lookout [lookout.com]: “Attackers use mobile phishing as a jumping-off point. Once they’ve stolen login credentials, they’re free to log in from any device. Most frequently, they’ll hop over to their laptop and try to log into a number of common cloud-based services such as Google Workspace, Office 365, AWS, Workday, or Salesforce with that employee’s compromised credentials.
“Once they’re inside the infrastructure, the attacker can move laterally and start to find out where the crown jewels are hidden. From there, they can encrypt that data to execute a ransomware attack or exfiltrate it for sale on the dark web. This attack chain is why organizations need to have visibility and access control for users, their devices, the apps they want to access, and the data stored within it.”
Enterprise Times: What does this mean?
TangleBot is just one of several pieces of mobile phishing malware that use COVID-19 lures to infect devices. All share the same goal: control over the device and the ability to steal user credentials.
The problem for enterprise security teams is that it is hard to lock down personal devices. Users do not want to cede control of their devices to enterprise security teams, nor should they. What is needed is better communication with users, including the security team warning them of attacks such as this one. It also means that security teams need to deploy other tools to spot unexpected usage patterns. However, with WFH, what counts as an unexpected usage pattern has yet to be defined.
We will likely see more malware such as TangleBot and its European equivalent, FluBot, as we move through the winter.