There is a malware that steals chat messages on Android smartphones: it is called Cloud Module and it was discovered by Trustlook cybersecurity researchers
A new piece of malware is circulating that steals chat messages on Android smartphones. It is a Trojan whose malicious code lifts data from the best-known Instant Messenger (IM) services. It is called Cloud Module and was discovered by Trustlook cybersecurity researchers. Its targets range from Facebook Messenger to Skype, by way of Telegram, Twitter, Viber and other IMs. The threat also obfuscates its configuration files, in which the command and control server details are hidden, as well as part of its modules, so as to avoid detection by antivirus software and the victim’s other cyber defenses. Finally, it modifies the file “/system/etc/install-recovery.sh” so that it can activate and exfiltrate data every time the mobile device is restarted. All of these operations are carried out automatically, without the attacker having to enter any commands.
The cyber threat is spreading rapidly in China, but it may already be elsewhere. However, it does not use the Google Play Store as the infection vector
Cloud Module is currently spreading in China as the package com.android.boxa, but it cannot be ruled out that the malware is also present in other parts of the world. So far, unlike other similar malicious code, it has not used the Google Play Store as a carrier; presumably it spreads through phishing emails or through downloads from third-party websites. As a result, users who download content for their smartphones and mobile devices only from the Store should, for the moment, be safe. Once the Trojan has compromised the Android device, it immediately starts looking for Instant Messenger conversations, then extracts all the data it finds and sends it to its command and control servers automatically, without the attacker having to enter any commands.
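The persistence hook described above (a modified /system/etc/install-recovery.sh) is something a defender can audit. The following is an added example, not code from the article, Trustlook or the malware: it compares a script's hash against a known-good baseline and flags lines that a stock recovery-flashing script never needs. Both the baseline and the tampered copy are constructed stand-ins; the appended `am startservice` line and the `.BootService` component name are assumptions, only the package name com.android.boxa comes from the article.

```python
import hashlib
import re

# Constructed stand-in for a stock install-recovery.sh: the genuine AOSP script
# only re-flashes the recovery partition with applypatch and exits.
BASELINE = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:HASH; then
  applypatch EMMC:/dev/block/bootdevice/by-name/boot:HASH EMMC:/dev/block/bootdevice/by-name/recovery
fi
"""
BASELINE_SHA256 = hashlib.sha256(BASELINE.encode()).hexdigest()

# Constructed tampered copy (assumed shape): stock body plus one appended line
# that would start the article's package on every boot.
TAMPERED = BASELINE + "am startservice -n com.android.boxa/.BootService\n"

# Commands a recovery-flashing script has no reason to contain; each hit is reported.
SUSPICIOUS = [
    (re.compile(r"\bam\s+start"), "launches an app component"),
    (re.compile(r"\bpm\s+(install|grant)"), "installs an app or grants permissions"),
    (re.compile(r"/data/"), "references the user data partition"),
    (re.compile(r"\bcom\.android\.boxa\b"), "references the Cloud Module package"),
    (re.compile(r"\b(chmod|setprop|busybox|wget|curl)\b"), "modifies the system or fetches data"),
]

def audit_install_recovery(script: str, baseline_sha256: str = BASELINE_SHA256) -> list:
    """Return findings for an install-recovery.sh text: a hash mismatch against
    the known-good baseline plus every non-comment line matching SUSPICIOUS."""
    findings = []
    digest = hashlib.sha256(script.encode()).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"hash mismatch: {digest[:16]}... != baseline {baseline_sha256[:16]}...")
    for lineno, line in enumerate(script.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for pattern, why in SUSPICIOUS:
            if pattern.search(line):
                findings.append(f"line {lineno}: {why}: {line.strip()}")
    return findings

if __name__ == "__main__":
    print("stock   :", audit_install_recovery(BASELINE))
    print("tampered:", audit_install_recovery(TAMPERED))
```

On a real device the baseline hash would come from the matching firmware image, so that any drift, not just the patterns listed here, is reported.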