Daily Archives: February 7, 2020

Cyber News Rundown: Emotet Targets Tax Season

Tax Season Brings Emotet to the Front

As Americans prepare for tax season, Emotet's operators have started a new campaign that imitates a W-9 tax form supposedly requested by the target. As with most malicious phishing, the attached document asks the user to enable macros when opening the file. This campaign can be particularly dangerous because many people spend little time scrutinizing W-9s: they are typically sent to contractors and clients, who often sign and return them quickly. Emotet infections can further harm companies by downloading additional information-stealing malware and by using infected machines to distribute spam campaigns.

Australian Logistics Company Faces Delays After Ransomware Attack

Toll Group, a major transportation company in Australia, fell victim to a ransomware attack this week that forced it to take several vital systems offline. Thanks to the company's cybersecurity policies, no customer data was accessed, and the damage was minimized by its team's quick response. While many customers have been able to conduct business as normal, some are still experiencing issues as they wait for all of Toll Group's systems to return to normal operation.

Cryptomining Botnet Found on DoD Systems

A bug bounty hunter recently found an active cryptocurrency-mining botnet hidden within systems belonging to the U.S. Department of Defense (DoD). The same weakness was also being used as a silent backdoor for executing additional malware. Unfortunately, the misconfigured server had already been accessed illicitly and the attackers had installed a miner for Monero, but DoD officials worked quickly to secure the system before further damage could be inflicted.

Maze Ransomware Targets Multiple French Industries

At least five French law firms and a construction company have fallen victim to the Maze ransomware, which is known for quickly exfiltrating sensitive information. Maze's operators have also announced that they will release the stolen data if the victims refuse to pay the ransom. So far only two of the law firms have had their data posted, but the remaining firms are expected to be exposed if the ransom is not paid.

British Charity Falls for Impersonation Scam

The British housing charity Red Kite recently fell victim to an impersonation scam in which nearly $1 million was redirected to a scammer's account. By using a look-alike domain and gaining illicit access to previous Red Kite email threads, the attackers were able to impersonate a contracting company without the payment-system safeguards stopping the payment or alerting the victims that anything was abnormal until it was too late.

The post Cyber News Rundown: Emotet Targets Tax Season appeared first on Webroot Blog.

Heimdal™ Security Discovers Gangs Hiding Behind Multiple Domains to Avoid TTPC Detection

Heimdal™ Security's cybercrime research unit has recently uncovered a criminal infrastructure that uses multiple domains to release malware into the wild. Although the domains have since been taken offline at our request, the malicious software distributed through them appears to elude all known simple behavior-based detection methods. This type of malicious activity, which has yet to be named, targets machines with multi-core architectures. The evidence suggests that gangs hiding behind multiple domains may be responsible for this new attack wave.

‘Multi-process malware’: terminology, classification, dispersal pattern, and ‘tainting’ mechanism

Heimdal™ Security has determined that a new variety of malware may have been released into the wild. More worrisome, controlled sandbox tests performed on the sample have yielded some interesting results. The infection appears to target multi-core machines and has so far evaded most behavioral and some simple threat-detection tools.


The multi-process malware has been observed to spawn what we call ‘mirrored processes’. Whereas conventional malware has a single-process dispersal pattern, multi-process malware creates multiple system processes, each of which registers as safe when behavioral analysis is applied to it. Code- or signature-based approaches have proved just as ineffective as heuristic analysis.

On their own, these continuously spawned processes have the same properties as regular OS processes and will therefore not affect the system in a malicious way. However, the ensemble, which is triggered by an external compiler, can be just as viral and damaging as single-process malware.

Proposed terminology

In analyzing the dispersal and tainting mechanism of multi-process malware, we propose the following terminology:

1) Polymorphism: since multi-process malware can change its form to evade detection, it belongs in this larger category.

2) System call dependency: in existing malware detection methodology, a process can be flagged as either “malicious” or “safe” based on how it interacts with various OS functions. Sandboxed malware samples perform very specific system call sequences and/or graphs.

3) TTPC: Threat-to-Process Correlation. Our new behavioral-analysis method, which aims to establish a connection between the malware and the process it is attempting to access on the infected machine.

4) Malware “download-execution” algorithm. In a typical malware propagation scheme, the malicious process begins by queuing two types of operations: recv (which indicates that a file transfer over FTP will follow) and open. In turn, these trigger write operations, and finally the malicious package executes itself on the target machine.

5) Multi-process malware ‘internal’ C&C (coordination and communication). To coordinate the dissemination of malicious code, all ‘mirrored’ processes communicate with one another. Furthermore, an ‘overseer’ entity is required to recompile the malicious package.

Example of possible multi-process malware execution in a controlled environment

On executing the malware sample in a sandbox, we observed the following behavior.

A) D&E (download & execute) behavior

File-manipulation operations begin: a recv command is issued at the same time as a write operation. Concurrently, the targeted processes are opened before the write command is executed.

This primary dyad is processed and executed along with a secondary one: recv before write, and write before execute. The entire sequence allows the multi-process malware sample to tamper with a key system call sequence that ultimately lets it modify sensitive registry entries.

B) Proxy behavior

On the proxy side, the malware begins by piping data from a socket into a buffer. It then stores the data from a compromised communication socket into the same buffer.

C) Registry modification

As far as registry modification is concerned, two outcomes were observed:

  • The malware executes a registry key creation command before deleting the value of a pre-existing registry key.
  • The malware executes a registry key creation command before closing the value-modification operation for that key.
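The ordering rules described in A) and C) above can be checked mechanically against a syscall trace. The block below is an added illustration written for this page; it is not Heimdal™ Security's code or anything taken from the original post. It encodes recv-before-write, open-before-write, write-before-execute and the registry create-before-delete/set orderings as subsequence checks, runs them per process, and, because a multi-process strain can split the chain across several processes, also joins a write and a later execute on the file path they share. The trace format, the syscall names and the sample trace are assumptions made for this example.

```python
"""Checking the download-and-execute ordering within and across processes.

Added example, not Heimdal(TM) Security's code or anything from the original
post. Trace format, syscall names and the sample trace are assumptions.
"""
from collections import defaultdict

DOWNLOAD_EXECUTE = ["recv", "write", "execute"]
OPEN_BEFORE_WRITE = ["open", "write"]
REGISTRY_TAMPER = [
    ["reg_create_key", "reg_delete_value"],
    ["reg_create_key", "reg_set_value"],
]

# Constructed sample trace, not real telemetry. Columns: seq pid syscall target
SAMPLE_TRACE = """
1 100 recv    sock:7
2 100 open    C:\\Temp\\stage.exe
3 100 write   C:\\Temp\\stage.exe
4 101 recv    sock:8
5 101 write   C:\\Temp\\notes.txt
6 102 execute C:\\Temp\\stage.exe
7 103 reg_create_key   HKCU\\Software\\Run
8 103 reg_delete_value HKCU\\Software\\Run
"""


def parse_trace(text):
    """Parse 'seq pid syscall target' lines into event dicts ordered by seq."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0].startswith("#"):
            continue
        seq, pid, call, target = parts
        events.append({"seq": int(seq), "pid": int(pid), "call": call, "target": target})
    return sorted(events, key=lambda e: e["seq"])


def has_ordered_calls(events, pattern):
    """True if the syscall names in `pattern` appear in order (as a subsequence)."""
    calls = iter(e["call"] for e in events)
    return all(any(c == wanted for c in calls) for wanted in pattern)


def events_by_pid(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["pid"]].append(e)
    return grouped


def per_process_download_execute(events):
    """PIDs whose own trace shows recv -> write -> execute with open before write.
    This is the process-by-process view a conventional sandbox verdict relies on."""
    return sorted(pid for pid, evs in events_by_pid(events).items()
                  if has_ordered_calls(evs, DOWNLOAD_EXECUTE)
                  and has_ordered_calls(evs, OPEN_BEFORE_WRITE))


def cross_process_download_execute(events):
    """(writer_pid, executor_pid, path) triples: a process that had received data
    writes a file which a *different* process later executes."""
    chains = set()
    for ex in (e for e in events if e["call"] == "execute"):
        for wr in events:
            if wr["call"] != "write" or wr["target"] != ex["target"] or wr["seq"] >= ex["seq"]:
                continue
            received_first = any(r["call"] == "recv" and r["pid"] == wr["pid"]
                                 and r["seq"] < wr["seq"] for r in events)
            if received_first and wr["pid"] != ex["pid"]:
                chains.add((wr["pid"], ex["pid"], ex["target"]))
    return sorted(chains)


def registry_tamper_pids(events):
    """PIDs showing either of the registry orderings described above."""
    return sorted(pid for pid, evs in events_by_pid(events).items()
                  if any(has_ordered_calls(evs, p) for p in REGISTRY_TAMPER))


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print("per-process D&E  :", per_process_download_execute(trace))
    print("cross-process D&E:", cross_process_download_execute(trace))
    print("registry tamper  :", registry_tamper_pids(trace))
```

On the sample trace the per-process check finds nothing, because no single process performs the whole recv → write → execute chain; the cross-process join recovers it (pid 100 receives and writes stage.exe, pid 102 executes it). That gap between the two views is the point the post makes about mirrored processes each looking benign.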

This is how the malware sample behaved in a sandbox. Further research revealed that once the multi-process strain is released into the wild, it uses rogue domains to call up various system processes, which further supports the hypothesis of a criminal infrastructure hiding behind malicious domains.

Modus operandi, hits, and process calls

Heimdal™ Security's internal data shows that a single domain can call up to 35 different system processes. Here are the highlights of our investigation.

Case Study A – Kamburnk

A malicious domain named “tracking.kamburnk.com” (blocked and sanitized by Heimdal™ Security) called up urbanvpnserv.exe no fewer than 2,400 times.

The process in question is a PE32 executable (GUI) for Intel 80386 on Microsoft Windows, developed by Urban Security, and is designed to install a VPN service called UrbanVPN. The malicious pattern was established after the executable attempted to drop a viral payload and/or rewrite itself.

The same domain called up various other system processes such as chrome.exe, net_svc.exe, hola_svc.exe, firefox.exe, and HD-Player.exe.

Regular behavior-based analysis returned inconclusive results; no attack pattern could be established. TTPC analysis indicated a high probability of malicious activity, based on the system processes opened concurrently.

A multi-process malware attack pattern was established, prompting the agent to sever communications with the C&C servers.


Case Study B – TVPassport

A malicious domain called “tvmds.tvpassport.com” (blocked and sanitized by Heimdal™ Security) attempts to open chrome.exe.

The hit count is estimated at around 270. The same domain called up additional system processes; sorted by hit count, these are firefox.exe, iexplore.exe, System Idle Process, brave.exe, node.exe, dragon.exe, msedge.exe, and browser.exe. Behavior-based analysis returned inconclusive results; no attack pattern could be established.

TTPC detected a high probability of malicious activity, based on holistic analysis of the accessed processes' log trail. A multi-process malware attack pattern was established and the C&C connection severed.

Case Study C – U11929015 Sendgrid

A malicious domain, “u11929015.ct.sendgrid.net” (blocked and sanitized by Heimdal™ Security), attempts to open OUTLOOK.exe.

The hit count is estimated at around 35. Concurrently, the same domain attempts to open other system processes.

Sorted by hit count, these are: System Idle Process, chrome.exe, HxOutlook.exe (a 32-bit executable that serves various Outlook functions such as task management, note-taking, calendar, and journaling), postbox.exe, MicrosoftEdgeCP.exe, and msedge.exe.

Behavioral analysis of the sample marked the connection as safe. Subsequent TTPC analysis established multi-process malware behavior, and the connection to the C&C servers was severed.

Case Study D – Update Sbis\Saby

A malicious domain called “update1.sbis.ru” (blocked and sanitized by Heimdal™ Security) attempts to open several system processes, including svchost.exe.

The hit count on the first pass was low: once for svchost.exe and around 15 times for sbis3plugin.exe. A polymorphic pattern was then established: the domain mutates into “update5.sbis.ru” (blocked and sanitized by Heimdal™ Security).

On the second pass, the hit counts and accessed processes are: 14 registered attempts for sbis3plugin.exe and one for svchost.exe. Second mutation: the attack is launched from “update6.saby.ru” (blocked and sanitized by Heimdal™ Security). Note the change of zone (sbis.ru→saby.ru); the same two processes are targeted (svchost.exe and sbis3plugin.exe).

The hit count grows sharply: around 28 for the Service Host Process (svchost.exe) and once for sbis3plugin.exe.

Once a beachhead is established, the zone changes again (saby.ru→sbis.ru). From “update6.sbis.ru”, svchost.exe and sbis3plugin.exe are again called up; the hit count reaches 1,400 for the plugin and around 800 for svchost.exe. Other processes are called up during this wave: SbisMon.exe and Launcher.exe. On the fourth pass, the subdomain and zone change again.

The new domain is “update7.saby.ru” (blocked and sanitized by Heimdal™ Security). It attempts to access sbis3plugin.exe, with a hit count of 35.

Once this foray has ceased, the zone changes once more (saby.ru→sbis.ru): “update7.sbis.ru” (blocked and sanitized by Heimdal™ Security) targets sbis3plugin.exe, svchost.exe, and other processes. A variation in the pattern can be observed: the attack launched after the zone switch begins with a different system process.

This time the attack starts by accessing sbis3plugin.exe, unlike the previous round, before moving on to svchost.exe and other system processes.

The hit count is over 1,000 for sbis3plugin.exe, followed by 856 for the System Idle Process and 43 for svchost.exe. The fifth pass (“update8.saby.ru” and “update8.sbis.ru”, both blocked and sanitized by Heimdal™ Security) mirrors the last: sbis3plugin.exe opens the round, then the zone switches (saby.ru→sbis.ru).

The hit count for sbis3plugin.exe is 37 on the .saby pass and over 1,000 from the .sbis zone. Other ‘tainted’ system processes: SbisMon.exe, sbis.exe, and chrome.exe.

Behavioral analysis yielded inconclusive results, while TTPC indicated a high probability of malware activity. Given the attack pattern and the number of domains and subdomains used to deploy the malware, it stands to reason that a criminal infrastructure may be at work. Polymorphic and multi-process malware behaviors were confirmed, and connections to the C&C servers were severed.
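The case studies above rest on two correlations: how many distinct processes one domain reaches, and how numbered subdomains rotate across sister zones (update5.sbis.ru, update6.saby.ru, update6.sbis.ru, ...). The block below is an added example written for this page, not Heimdal™ Security's TTPC implementation or anything from the original post. It takes a constructed log of (timestamp, domain, process) records, the kind a DNS filter with process attribution could emit, and derives both views. The log format, the thresholds, the family-grouping heuristic and the sample records are assumptions made for this example; the domains reused from the case study are there only to show the grouping on the page's own pattern.

```python
"""Correlating DNS-filter hits with the processes behind them.

Added example, not Heimdal(TM) Security's TTPC code or anything from the
original post. Log format, thresholds, grouping heuristic and the sample
records are assumptions.
"""
import re
from collections import Counter, defaultdict

SPREAD_THRESHOLD = 4   # distinct processes per domain before it is flagged (assumed)
MIN_VARIANTS = 3       # distinct hostnames before a family counts as rotating (assumed)
DIGITS = re.compile(r"\d+")

# Constructed sample records, not real telemetry. Format: "<epoch> <domain> <process>"
SAMPLE_LOG = """
1000 update1.sbis.ru svchost.exe
1001 update1.sbis.ru sbis3plugin.exe
1002 update5.sbis.ru sbis3plugin.exe
1003 update6.saby.ru svchost.exe
1004 update6.saby.ru sbis3plugin.exe
1005 update6.sbis.ru SbisMon.exe
1006 update7.saby.ru sbis3plugin.exe
1010 tracking.example.net chrome.exe
1011 tracking.example.net firefox.exe
1012 tracking.example.net node.exe
1013 tracking.example.net msedge.exe
1014 tracking.example.net brave.exe
1020 cdn.example.com chrome.exe
1021 cdn.example.com chrome.exe
"""


def parse_log(text):
    """Return (epoch, domain, process) tuples in time order; domains lower-cased."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        epoch, domain, process = parts
        records.append((int(epoch), domain.lower().rstrip("."), process))
    return sorted(records)


def process_spread(records):
    """{domain: Counter(process -> hits)}: which processes each domain reached."""
    spread = defaultdict(Counter)
    for _, domain, process in records:
        spread[domain][process] += 1
    return spread


def flag_wide_domains(records, threshold=SPREAD_THRESHOLD):
    """(domain, distinct_processes, total_hits) for domains reaching at least
    `threshold` distinct processes, widest first."""
    flagged = [(domain, len(procs), sum(procs.values()))
               for domain, procs in process_spread(records).items()
               if len(procs) >= threshold]
    return sorted(flagged, key=lambda t: (-t[1], -t[2], t[0]))


def variant_family(domain):
    """Collapse 'update6.saby.ru' to ('updateN', 'ru'): the numbered leftmost
    label with digit runs replaced by N, plus the TLD. The zone in between is
    ignored on purpose so sister zones (sbis.ru / saby.ru) land in one family.
    Heuristic, assumed for this example; labels without digits are skipped."""
    labels = domain.split(".")
    if len(labels) < 3 or not DIGITS.search(labels[0]):
        return None
    return (DIGITS.sub("N", labels[0]), labels[-1])


def rotating_families(records, min_variants=MIN_VARIANTS):
    """Families with at least `min_variants` distinct hostnames, each listed in
    first-seen order together with the zones the family rotated through."""
    seen = defaultdict(list)
    for _, domain, _ in records:
        family = variant_family(domain)
        if family is not None and domain not in seen[family]:
            seen[family].append(domain)
    return {family: {"variants": variants,
                     "zones": sorted({".".join(v.split(".")[1:]) for v in variants})}
            for family, variants in seen.items() if len(variants) >= min_variants}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, n_procs, hits in flag_wide_domains(recs):
        print(f"wide: {domain} -> {n_procs} processes, {hits} hits")
    for family, info in rotating_families(recs).items():
        print(f"rotating: {family} -> {info['variants']} across {info['zones']}")
```

Two caveats when using something like this on real telemetry: a domain with a wide process spread is not malicious by itself (CDNs and telemetry endpoints are reached by many processes), so the spread is a triage signal to combine with hit counts and with the syscall-level checks; and the family heuristic deliberately ignores the registrable domain, so it will also group unrelated numbered hosts under the same TLD and needs an analyst to confirm the grouping.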

Statistical analysis

  • A total of 3,148,815 attacks have been observed in the last three months.
  • 13.24% of attacks originated from a domain called “pixel.yabidos.com” (blocked and sanitized by Heimdal™ Security).
  • In 62.39% of cases the attackers targeted the System Idle Process; chrome.exe accounted for 10.16%, firefox.exe for 1.57%, and iexplore.exe for 1.49%.
  • Top 10 malware processes (based on hit count):

Malware process        No. of hits
Chrome.exe             320,069
FastVD.exe             28,069
Rundll32.exe           35,350
Svc.exe                27,263
YoudaoIE.exe           44,418
Auto FTP Manager.exe   11,271


  • 1,665 system processes have been targeted within the last three months.
  • The total hit count for svc.exe and svchost.exe was 28,185. In only 3.27% of cases did the attackers attempt to tamper with svchost.exe.


Considering the sheer amount of data, we can safely conclude that a criminal infrastructure is using multiple domains to coordinate malicious attacks. In every instance, behavioral-, code-, and signature-based analysis would have returned conflicting results: taken individually, none of the access attempts appears malicious.

However, once inter-process communication is established, the malware would execute a multi-pronged attack that would more than likely cripple key processes.


The discovery of this APT was facilitated by correlating data from Thor Foresight Enterprise's TTPC backlog with the number of connections severed by DarkLayer Guard™, Heimdal™ Security's DNS traffic-filtering solution.

Is multi-process malware the next stage in the evolution of APTs? Most definitely, considering that it is far easier to deploy than single-process malware and has a higher stealth factor.

The post Heimdal™ Security Discovers Gangs Hiding Behind Multiple Domains to Avoid TTPC Detection appeared first on Heimdal Security Blog.

Keys to the Kingdom, Smart Cities Security Concerns

By Sean Wray, VP NA Government Programs, Certes Networks

Smart cities seem inevitable. According to IDC, Smart City initiatives attracted technology investments of more than £63 billion globally in 2018, and spending is estimated to grow to £122 billion in 2022. Similarly, in 2018, the number of major metropolitan cities relying on or developing a comprehensive smart city plan – as opposed to implementing a few innovative projects without an overall smart plan – dramatically increased.

In the US, for example, cities like Philadelphia, Newark and Chicago all have goals to upgrade and become leading ‘smart’ cities, while UK innovation is being spearheaded by major conurbations such as Bristol, London and Manchester.

Cities are making a significant investment in data connectivity, providing technologies such as Wi-Fi 6, smart grid, and IoT sensor devices, all promising to enhance overall visibility and security. However, as the reach of technology and connectivity extends, there will increasingly be cyber-risks to take into account. As part of their transformation, smart cities serve as a technology hub and gateway to major institutions such as banks, hospitals, universities, law enforcement agencies, and utilities. This means that the storage and transmission of customer data such as social security numbers, addresses, credit card information, and other sensitive data is a potential goldmine for malicious actors, not to mention an increasing number of projects monitoring roads, traffic, traffic lights and metro services, all of which must be kept secure from threats at all times.

Security Challenges
When connectivity and innovation meet such large city infrastructures, they immediately become vulnerable to cyber threats from malicious actors waiting to bring all that hard work to a standstill. And the routes in are manifold.

We are increasingly dealing with connected versions of devices that have existed for a long time, such as CCTV cameras, and as a consequence digital security is often not incorporated into their designs.

In addition, cybersecurity will have to extend far beyond personal or internal corporate networks to encompass protection for vast city networks, at a scale and pace many are struggling to respond to.

Moreover, the sheer volume of data being collected and transmitted across a multi-user network with numerous locations can be extremely challenging to protect. London's City Hall Datastore, for example, holds over 700 sets of big data that help address urban challenges and improve public services, and the rise in cashless payment methods for transport adds to this volume.

It is the complexity these factors represent that often overwhelms a network security team's ability to ensure sensitive data is protected with encryption, especially when network infrastructures are built from different vendors' technology, many of which do not provide strong encryption. This also applies to many municipalities with older legacy, third-party or disaggregated networks.

It is therefore not a matter of if but when sensitive data may fall into the wrong hands. Network security teams have to ensure that any breach is detected immediately, before the infection spreads from system to system, potentially shutting off critical services for thousands of companies, not to mention for those who live in the city itself.

Providing the Keys
Choosing the right encryption solution is critical and can be key to mitigating the damage caused by a data breach. Most cities find implementing such solutions disruptive and complex, especially organisations that operate large and diverse networks. For example, manual configuration of encryption can lead to human error that unknowingly exposes risk, and managing multiple vendors can be burdensome and inefficient. Most importantly, network visibility is lost with many encryption solutions, which is a significant issue because it reduces the ability of security teams to detect and thwart malicious actors and cyber threats.

Protecting large volumes of data moving across a vast multi-user network calls for a security strategy that is simple, scalable and uncomplicated, in order to avoid any disruption of critical infrastructure services provided to businesses or citizens, not to mention to remain compliant with governmental cybersecurity regulations and/or codes of practice.

Whereas traditional Layer 2 and Layer 3 encryption methods are often disruptive and complex, a Layer 4 solution enables encryption of data in transit independent of network applications and without having to move, replace or disrupt the network infrastructure. This is a significant saving in resources, time and budget.

In addition, network blind spots, whether due to problems, outages, or cyber-criminals using encryption to conceal malware, increase network security risk and are potential regulatory compliance issues. According to a recent survey from Vanson Bourne[i], roughly two-thirds (67 percent) of organisations say that network blind spots are one of the biggest challenges they face when trying to protect their data.

With network monitoring one of the strongest defences against blind spots, Layer 4 encryption and encryption management tools offer network visibility by keeping a close and constant eye on network traffic. Network visibility tools allow existing applications and network performance tools to keep working after encryption is turned on, without blinding the network.

Finally, adding network observability allows smart cities to analyse and gain a deeper understanding of network policy deployment and enforcement by scrutinising every application that tries to communicate across the network, while monitoring pathways for potential threats, now that each policy is observable in real time.

For organisations and teams tasked with implementing smart technology in residential, commercial and public spaces, how to do so securely, and how to maintain these smart spaces, will have to be part of the design and planning stage. It is integral that all connected aspects of smart cities undergo extensive planning and design, with a smart city architecture for service key management at the core. Defining standards and enforceable policies that can be analysed to help identify network vulnerabilities and thwart potential threats is critical.

Providing better technology is an ever-evolving, fast-paced race, and caution is due for those cities that move so fast they risk building an infrastructure without giving equal precedence to protecting the data of those who work and live in their city.

Related, my IBM Developer article 'Combating IoT Cyber Threats

Weekly Update 177

I've got audio! Ok, so I cheated a bit in terms of recording back in the home office, but the plugs I need to make the Zoom H6 work the way it should (and yeah, I know I said "Rode" H6 in the vid, sorry!) are on the way and hopefully they'll be all good for next week when I'm in Sydney. I'm talking about that trip in this week's update along with the Chrome 80 changes to SameSite cookies now that it's hit, the Adult FriendFinder breach and then recapping on a heap of the week's news in tweets. I hope the audio (and video) improvements this week do the job; I'll do it all again from Sydney next week with (hopefully) a much improved audio setup.


  1. I'm speaking at the Azure user group in Sydney on Tuesday night (only 15 spots left at the time of writing so get in quick if you're going to be around!)
  2. Chrome 80 has hit and that means breaking changes for a bunch of sites (if you haven't already tested your apps, you really want to do that ASAP)
  3. The Adult FriendFinder breach is now in HIBP (this is the 2016 one - the 2015 one is already in there)
  4. Sponsored by: Duo. Modern security is evolving beyond the perimeter. Download Five Steps to Perimeter-Less Security and secure your application access.