Author Archives: Julia Sowells

What Is The True Score of AI VS Malware?

Here at hackercombat.com we admit that we are one of the cybersecurity news outlets that somewhat hyped Artificial Intelligence (AI) as a cybersecurity tool. We wrote numerous articles heralding the “hero” that would save us from the seemingly endless cat-and-mouse race between the discovery of a vulnerability that is already being exploited and the moment the vendor ships the patch for it. We were no different from other tech sites that cast AI as a possible way out of the labor-intensive process of quashing software bugs, let alone the security flaws those bugs enable.

IBM Security has exposed the world’s over-reliance on that “hero”: AI, mistakenly treated by many cybersecurity organizations as a silver bullet for our current security problems. Big Blue considers that premise a bias, and IBM is correct. The industry is used to the labor-intensive procedure for fixing a discovered security flaw: it takes a human to discover the bug and report it to the vendor, and then an unknown period passes until the vendor issues the patch that quashes it. That is, of course, the ideal case; many flaws are discovered and weaponized by cybercriminals without the vendor knowing of their existence for weeks, months or even years. It takes a “good samaritan” to finally report the bug with enough detail to the developers, who are the only ones who can issue a fix.

“One is the algorithm itself. Is it biased in the way it’s approached, and the outcome it’s trying to solve? If you’re trying to solve the wrong outcome, and the outcome is biased, then your algorithm is biased. It’s not like the bad guys are waiting for us to learn how to do this. So, the faster we get there, the better off (we are),” hinted Aarti Borkar, IBM Security’s Vice President.

For decades, antivirus and endpoint products have employed heuristic scanning, which can be seen as a crude forerunner of today’s AI-based detection. Heuristic scanning claims to detect threats that signature-based scanning cannot, since the latter needs the actual signature of a piece of malware in its engine before it can detect that particular sample. Instead of causing the number of malware families to plummet, heuristics spurred cybercriminals to take up the challenge, combining new malware development with social engineering in their campaigns.

Heuristic scanning technologies predate the current crop of malware we are encountering, such as ransomware, cryptocurrency-mining malware and stealthy banking trojans, and from a practical standpoint current heuristics have been unable to prevent infections by those threats. We continue to hear news of local government operations disabled by ransomware infections, and in several of those cases the victims paid the cybercriminals’ steep ransom demand.

That said, AI technologies will continue to improve, and maybe a year or two from now we will post a follow-up article expressing our happiness that AI has become truly effective against the campaigns launched by malware authors. Until then, we will continue reporting stories about malware infections, even if that indirectly implicates the ineffectiveness of today’s antimalware products.

Also Read,

Artificial Intelligence’s Deep Learning, A New Cybersecurity Tool?

A New Malware Called Silex Targets IoT Devices

BabyShark Malware Targeting Nuclear and Cryptocurrency Industries


Cybersecurity In Mid-2019: Nothing To See Here, Same Problems

The need for cybersecurity measures is widely acknowledged, yet many companies struggle with countermeasures, as our many years of covering cybersecurity news here at hackercombat.com have shown. Insufficient security investment and a shortage of security personnel keep raising the risk of doing business in today’s technology-driven economy. We at hackercombat.com define cybersecurity as the act of protecting information and data from cyber attacks such as computer intrusion, virus infection, information leakage, data alteration and destruction. The most common problems firms face are targeted attacks, malware infiltration and a lack of security personnel.

A targeted attack is a cyber attack aimed at the information held by one specific organization, such as a company, and it will steal that information by whatever method works. As an example, after collecting information on an organization’s employees, the attacker may impersonate a member of staff at an affiliated company or business partner.

Three foundations of a secure enterprise:

  1. Enforce security measures not only within the company but also across supply partners such as business partners and outsourced system management.
  2. Communicate appropriately with related parties, including disclosure of cybersecurity risks and the measures taken to combat them.
  3. Recognize cybersecurity risks and take appropriate leadership in allocating resources to them.

Companies must also take appropriate measures in light of the strengthening of domestic and foreign laws and regulations, whether or not they have bases overseas. In the case of the European Union’s GDPR (General Data Protection Regulation), for example, any company that provides web services to users in the EU and handles personal data such as IP addresses and cookies (small data items the browser stores and sends back to the server, which can track past user behavior) may be subject to penalties and compensation claims if it does not comply, even if it has no branch office in Europe.

It is essential to work on strengthening cybersecurity measures throughout the entire organization, and securing security personnel is one of the most important items for implementation. The shortage of security personnel and the development of human resources have become major issues. In addition to hiring outside personnel, developing in-house talent is a first step. When it comes to cybersecurity measures, there is a tendency for the hardening of systems and electronic devices to take precedence over people.

On the other hand, much security damage is triggered by human factors, and we must be aware that low employee security literacy can itself become a vulnerability. Conversely, if you raise security awareness so that every employee can respond appropriately, you can effectively strengthen corporate cybersecurity. Improving employee security literacy requires improving basic IT literacy and holding regular training sessions on the latest cyber-attack methods and countermeasures. The important thing is that each and every employee plays an active role in security. With the progress of digitization, cybersecurity measures are now taken for granted. In addition to proactive measures, when an incident such as an information leak occurs, the employees involved must immediately make sound decisions, so the organization needs a system that keeps the damage from getting worse.

The IT and security fields are very diverse, so it is difficult to decide how much literacy should be acquired, and a structured training program is needed to learn the right things. In such cases, outsourcing cybersecurity training to a specialized school is a reasonable option. A specialized training provider can improve security skills efficiently using a structured IT and security curriculum, and outsourcing also has the merit of delivering education and training without consuming the working hours of senior employees.

Also Read,

What’s New With Separ Malware Family in 2019

Why We Need the Antivirus Software Even in 2019

A Brief Look At The Shade Ransomware (2019 variant)


Why PCI DSS Compliance Is Important For Smartcards?

More and more people are conducting their everyday financial transactions with payment cards (smartcards), and that is the reality on the ground: people use less cash, and demand for debit and credit cards keeps growing, even though, globally speaking, the rollout of EMV chip cards to replace magnetic-stripe cards is not yet complete. The PCI DSS goals and requirements were established to guide the payment industry in protecting cardholder data.

The six goals with their corresponding requirements are enumerated below:

1. Build and maintain secure networks and systems:

Install and maintain a firewall to protect cardholder data

This is the responsibility of system administrators and their IT staff. The card itself is just a front end; the “magic” of paying with a piece of plastic happens on the back end, the servers that support the electronic transactions. Merchant and bank are connected by a network that is expected to run 24/7, because e-commerce does not stop when office hours end, and the firewall is the first line of defense for the cardholder data environment.

Do not use vendor-supplied defaults for system passwords and other security parameters

Trouble comes with the “default”. There is a term in the IT support industry, the “tyranny of the default”, for end users who depend entirely on default values. Default passwords are documented on the web and in vendor manuals; never leave them in place on a production system.

2. Protect cardholder data

Protect stored cardholder data

Physical security is still one of the strongest controls to implement, but close behind it comes the stored data itself, which is read and written by machines such as ATMs and POS terminals. It is the full responsibility of banks and merchants to ensure their terminals and back-end systems comply with current security standards: stored primary account numbers (PANs) must be rendered unreadable (by strong encryption, truncation, tokenization or hashing), sensitive authentication data such as the full magnetic-stripe track, CVV2 and PIN block must never be stored after authorization, and a PAN should be masked wherever it is displayed.
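As an added example (not from the article or from the PCI Security Standards Council), the following Python shows three checks a practitioner needs around stored cardholder data: a Luhn check to tell a PAN from a random run of digits, masking to the “first six, last four” form PCI DSS permits for display, and a scan over application log lines to catch PANs that should never have been written there. The log lines are constructed for the example, and the 4111 1111 1111 1111 number is the well-known test PAN.

```python
"""PAN hygiene helpers (added example; not PCI SSC or vendor code).

The log lines at the bottom are constructed for this example.
"""
from __future__ import annotations

import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Real PANs always pass; most random digit runs (order ids, timestamps)
    fail, which keeps log-scanning false positives down.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the unmasked PANs found in a piece of text (digits only)."""
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every PAN leaked into the log.

    The masked form is returned so the finding itself does not become
    another copy of the PAN.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample log: line 1 leaks the test PAN, line 2 carries a
# 16-digit order id that fails Luhn, line 3 is already masked.
SAMPLE_LOG = [
    "2019-07-11 10:02:13 INFO checkout ok card=4111 1111 1111 1111 amount=42.00",
    "2019-07-11 10:02:14 INFO order id=1234567890123456 status=paid",
    "2019-07-11 10:02:15 INFO receipt sent for card 411111******1111",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found ({masked})")
```

The Luhn filter removes most of the noise, but roughly one in ten random 16-digit values still passes it, so treat a hit as something to verify, not proof of a leak; the fix for confirmed hits is in the application that wrote the PAN, not in the log.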

Encrypt when transmitting cardholder data over an open public network

This is common practice across the industry: no one will trust a merchant whose POS sends card data in the clear, and no one will transact with a bank that has no reasonable implementation of the encryption standards used worldwide to secure customer data. In practice this means strong TLS (not SSL or early TLS) on every link that carries cardholder data over a public network, wireless links included.

3. Maintenance of vulnerability management program

Protect all systems against malware and update anti-virus software regularly

The risk of malware infection is exactly why this requirement exists. ATMs and POS terminals very commonly run embedded versions of Windows, and dedicated ATM and POS malware families exist for that platform, so anti-malware on these systems must be kept current and their configuration locked down (application whitelisting, no removable media, no browsing) so that the terminal does nothing but its job.

Develop and maintain highly secure systems and applications

Many banks maintain their old but still dependable Unix systems, and some even still use decades-old mainframe systems, partly for the same reason: they are stable and well understood. Dependable does not mean unpatched, though; this requirement also covers secure development practices and timely installation of vendor security patches for every component.

4. Introducing powerful access control methods

Restrict access to cardholder data to the extent necessary for business

Also known as need-to-know access or least privilege: only those bank employees and merchant staff tasked with handling customer data should have access to customer information, and access should default to deny.

Identify and authenticate access to system components

Aside from time-tested vaults, banks rely on Unix/Linux back-end systems made up of elaborate components that must work together securely. Every user and administrator needs a unique ID, shared accounts are prohibited, and administrative and remote access should require multi-factor authentication.

Restrict physical access to cardholder data

This overlaps with the access-control requirement above but covers physical access to data centers, media and terminals: visitor controls, secure disposal of media, and protection of POS devices against tampering and substitution. Securing the card itself, however, is largely the cardholder’s responsibility, and misuse that stems from the cardholder’s own negligence may limit the bank’s liability for fraudulent transactions.

5. Regular monitoring and testing of the network

  • Track and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly

6. Development of information security policy

  • Develop a policy to support information security for all personnel

Also, Read:

Cybersecurity Risk Readiness Of Financial Sector Measured

11 Signs That We May Be Nearing Another Global Financial Crisis

How Financial Apps Could Render You Vulnerable to Attacks


eCh0raix Ransomware Targeting QNAP Devices

A newly discovered ransomware family is targeting QNAP network-attached storage (NAS) devices. The malicious program, named eCh0raix by researchers at security firm Anomali (and detected by Trend Micro as Ransom.Linux.ECHORAIX.A), was built for targeted ransomware attacks similar to those carried out with Ryuk or LockerGoga.

A NAS device is a storage appliance connected to the network, acting as a file server and backup system in a central location where users can easily access the data. They are a scalable and cost-effective solution for many businesses.

How eCh0raix works

eCh0raix is written in Go (Golang), a programming language increasingly used to develop malware. The ransomware determines where the NAS device is located by checking the system language and exits if the device appears to be in a Commonwealth of Independent States (CIS) country such as Ukraine, Belarus or Russia. Otherwise it encrypts documents, text files, PDF files, databases and multimedia files.

The ransomware demands 0.05 to 0.06 bitcoin (around US$567 as of July 11, 2019), paid via a site hosted on Tor, in exchange for the decryption key. BleepingComputer has reported that decryptors appear to be available for Windows and macOS. Affected QNAP NAS models reported so far include the TS-251, TS-451, TS-459 Pro II and TS-253B.


Researchers have not been able to pin down the exact infection vector, but posts on the BleepingComputer forum indicate that the infected NAS devices were not running the latest firmware and had weak passwords. It is believed that the people behind eCh0raix brute-forced weak credentials or exploited known vulnerabilities in specific NAS models. The researchers also found that eCh0raix, unlike run-of-the-mill ransomware, is built for targeted attacks: in the offline variant, for example, a hardcoded encryption key for a particular target is embedded in the sample, and a unique decryption key corresponds to each one.

Targeted ransomware attack

eCh0raix is not the first ransomware family to target NAS devices, but it is a file-encrypting threat designed specifically for them. Although overall ransomware activity decreased in 2019, targeted ransomware attacks were very much in the news. For example, Norsk Hydro lost about $40 million to LockerGoga, Ryuk was used to disrupt newspaper printing in the United States, and a ransomware attack suspended some government services in Baltimore at an estimated cost of $18.2 million.

Many threats prey on insecure systems; in the case of eCh0raix, that means weak passwords or unpatched vulnerabilities. Anomali researchers found, for example, that an internet scan turned up more than 19,000 QNAP NAS devices in the United States directly reachable from the internet. NAS devices are generally not protected by anti-malware solutions, which makes them especially vulnerable.

Backup NAS devices

QNAP Systems, the NAS manufacturer whose devices eCh0raix targets, has issued recommendations for preventing ransomware, such as enabling the QNAP snapshot feature, which can back up and restore files. To further reduce the number of attacks on NAS devices, users and businesses should apply best practices, including:

  • Update the NAS device firmware to fix exploitable vulnerabilities, change the default credentials, and add authentication and authorization mechanisms for access to the NAS device.
  • Make sure other systems and devices, including routers connected to or integrated with NAS devices, are also kept updated.
  • Follow the principle of least privilege: enable features or components only when necessary, and use a VPN rather than exposing the NAS directly when it must be reached over the internet.
  • Enable the built-in security features of NAS devices; QNAP’s network access protection, for example, helps block brute-force attacks by locking out sources after repeated failed logins.
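Lockout on the device is one half of the defense; the other is noticing the password-guessing while it happens. As an added example (not QNAP’s code), the Python below reads login events, raises an alert for any source that racks up too many failures inside a sliding window, and separately flags a successful login from a source that was already alerted, which is what a guessed password looks like. The log line format is an assumed, simplified one, and the lines are constructed; QNAP’s real event log layout differs and would need its own parser.

```python
"""Spot credential brute-forcing against a NAS from its login events.

Added example, not QNAP's code. The line format is an assumed, simplified
one; QNAP's actual event log layout differs and would need its own parser.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line: str) -> dict | None:
    """Parse one assumed-format line; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (alerts, takeovers).

    alerts:    {source ip: time of the failure that crossed the threshold}
               for any source with >= threshold failed logins inside `window`
    takeovers: [(user, source ip)] for successful logins from a source that
               was already alerted, the pattern of a guessed password.
    """
    recent_fail: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, datetime] = {}
    takeovers: list[tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "LOGIN_FAIL":
            q = recent_fail[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = ev["ts"]
        elif src in alerts:
            takeovers.append((ev["user"], src))
    return alerts, takeovers


# Constructed sample: one source hammers the admin account and then gets in;
# a normal user mistypes once and then logs in.
SAMPLE_LOG = """\
2019-07-10 22:14:01 LOGIN_FAIL user=admin src=203.0.113.7
2019-07-10 22:14:03 LOGIN_FAIL user=admin src=203.0.113.7
2019-07-10 22:14:05 LOGIN_FAIL user=admin src=203.0.113.7
2019-07-10 22:14:07 LOGIN_FAIL user=admin src=203.0.113.7
2019-07-10 22:14:09 LOGIN_FAIL user=admin src=203.0.113.7
2019-07-10 22:14:11 LOGIN_OK user=admin src=203.0.113.7
2019-07-10 22:30:00 LOGIN_FAIL user=alice src=198.51.100.3
2019-07-10 22:30:30 LOGIN_OK user=alice src=198.51.100.3
""".splitlines()

if __name__ == "__main__":
    alerts, takeovers = detect_bruteforce(SAMPLE_LOG)
    for src, when in alerts.items():
        print(f"brute force from {src} at {when}")
    for user, src in takeovers:
        print(f"possible takeover of {user} from {src}")
```

A takeover finding should trigger a password reset and a review of what that session did; a NAS that is not forwarding its login events off-box gives you nothing to run this over once the ransomware has landed, so ship the logs to a syslog collector or SIEM.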

Also, Read:

Data Resolution LLC Battles Ryuk Ransomware Attack

Ryuk Ransomware – Too Early to Predict The Actors

Top 5 Encryption Software to Securely Encrypt Your Files in the Cloud


New Hacking Technique Using Bluetooth Exposed

Bluetooth makes it easy to transfer files, photos and documents over short distances between devices such as mobile phones, PDAs and laptops. The wireless protocol dates back to 1998, and it has revolutionized short-range wireless communication with its simplicity and ubiquity. Unfortunately, Bluetooth has also brought its own security problems. Attackers keep using Bluetooth vulnerabilities for familiar purposes such as stealing personal data and installing malware, and the recently discovered flaws described below affect not only mobile phones but also cars and enterprise network equipment.

BlueBorne

BlueBorne is a set of security holes in several Bluetooth implementations, discovered in April 2017 and publicly disclosed in September 2017 by security researchers at Armis. The vulnerabilities exist in mobile, desktop and IoT operating systems, including Android, iOS, Windows and Linux, and can allow an attacker to take control of a device or mount a man-in-the-middle attack against its users to steal information.

The researchers described the scope of the attack vectors as follows: “For the attack, the target device does not need to be paired with the attacking device or set to discoverable mode.” Armis Labs identified eight zero-day vulnerabilities, which demonstrate the existence and potential of the attack vector. Armis believes more vulnerabilities are to be expected on various platforms using Bluetooth, and the ones it found are fully functional and can be exploited successfully.

BlueBorne is a dangerous threat because of the medium it travels over. Unlike most internet-based attacks, BlueBorne attacks spread through the air, which means an attacker can silently connect to smartphones and computers and take control of them without any user interaction.

Btlejacking

Btlejacking, a Bluetooth Low Energy (BLE) attack, was presented in August 2018 at the DEF CON conference in Las Vegas by Damien Cauquil, head of research and development at Digital Security. With this technique an attacker can jam an existing BLE connection and then hijack it. It is based on a jamming weakness tracked as CVE-2018-7252, which affects BLE versions 4.0, 4.1, 4.2 and 5. To exploit it, the attacker must be within about 5 meters of the target.

Hundreds of millions of Bluetooth devices are potentially exposed to this attack vector, which lets an attacker sniff BLE connections, jam BLE devices and take control of vulnerable ones. The attack can be carried out with a BBC micro:bit board costing about $15 and a few lines of open-source code.

Bleedingbit

Security researchers at Armis have also discovered two “BleedingBit” bugs in Bluetooth chips used in enterprise equipment around the world. The first, tracked as CVE-2018-16986, is a remote code execution bug involving four chip models embedded in seven Cisco access points and five Meraki access points. To exploit it, a remote attacker sends malformed BLE advertising packets, which the vulnerable chip stores in memory; when BLE is enabled, a subsequent packet can trigger a critical memory overflow. That lets the attacker corrupt memory, gain access to the access point’s operating system, create a backdoor and execute malicious code remotely.

The second chip vulnerability, tracked as CVE-2018-7080, affects several Aruba access points, including the entire 300 series, and allowed attackers to abuse the chip’s over-the-air firmware download feature to push and install completely different firmware of their own.
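The first BleedingBit bug is a reminder that an advertising packet is untrusted input parsed by a radio stack. As an added example (not Armis’s proof of concept, and not a reproduction of the exact trigger), the Python below parses the length/type/value structures of a BLE advertising payload and rejects a structure whose declared length overruns the packet; a stack that trusts that length field instead reads or copies past its buffer, which is the class of bug that turns an advertising packet into memory corruption. The two sample packets are constructed.

```python
"""Parse the AD structures in a BLE advertising payload, rejecting bad lengths.

Added example; not Armis's BleedingBit proof of concept. Sample packets are
constructed for the example.
"""
from __future__ import annotations

MAX_LEGACY_ADV_LEN = 31  # AdvData limit for legacy advertising PDUs

AD_TYPE_NAMES = {
    0x01: "Flags",
    0x03: "Complete 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x0A: "TX Power Level",
    0xFF: "Manufacturer Specific Data",
}


class MalformedAdvertisement(ValueError):
    """Raised when a payload violates the length/type/value framing rules."""


def parse_ad_structures(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a payload into (ad_type, data) pairs.

    Each AD structure is: Length (1 byte) | AD Type (1 byte) | Data (Length-1 bytes).
    A Length of 0 marks the start of the non-significant (padding) part.
    """
    if len(payload) > MAX_LEGACY_ADV_LEN:
        raise MalformedAdvertisement(
            f"payload is {len(payload)} bytes, limit is {MAX_LEGACY_ADV_LEN}"
        )
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        # The check a vulnerable stack is missing: the declared length must
        # fit inside what is actually left of the packet.
        if i + 1 + length > len(payload):
            raise MalformedAdvertisement(
                f"AD structure at offset {i} declares {length} bytes but only "
                f"{len(payload) - i - 1} remain"
            )
        ad_type = payload[i + 1]
        data = bytes(payload[i + 2 : i + 1 + length])
        structures.append((ad_type, data))
        i += 1 + length
    return structures


def describe(payload: bytes) -> list[str]:
    """Human-readable view of a payload, e.g. for a sniffer log."""
    out = []
    for ad_type, data in parse_ad_structures(payload):
        name = AD_TYPE_NAMES.get(ad_type, f"type 0x{ad_type:02x}")
        if ad_type in (0x08, 0x09):
            out.append(f"{name}: {data.decode('utf-8', 'replace')}")
        else:
            out.append(f"{name}: {data.hex()}")
    return out


# Constructed packets: a well-formed beacon (Flags + Complete Local Name) and
# one whose second structure claims 0x1e bytes when only two remain.
GOOD_ADV = bytes([0x02, 0x01, 0x06, 0x05, 0x09]) + b"NAS1"
BAD_ADV = bytes([0x02, 0x01, 0x06, 0x1E, 0x09, 0x41])

if __name__ == "__main__":
    print(describe(GOOD_ADV))
    try:
        describe(BAD_ADV)
    except MalformedAdvertisement as e:
        print("rejected:", e)
```

In Python a missing check would only produce a silently truncated structure; in the C firmware of a radio chip the same missing check is an out-of-bounds read or write, which is why the fix for this bug class is always in the parser, not in whatever consumes the parsed fields.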

BleedingBit is cited as a wake-up call to enterprise security for two reasons.

“First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can destroy network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device,” said Yevgeny Dibrov, CEO of Armis, in a blog post.

CarsBlues

Researchers at Privacy4Cars have discovered another major vulnerability, CarsBlues, in the infotainment systems of various vehicle models. The attack can be carried out in minutes with cheap, readily available hardware and software, and it allows attackers to retrieve personally identifiable information (PII) from users who have synchronized their mobile phone with their car over Bluetooth. Tens of millions of vehicles worldwide are estimated to be exposed.

Also, Read:

Intel Discovers And Publishes New Bluetooth Vulnerability


Remove TV Adware With These Easy Steps

It is irritating: your screen is full of ads, and when you close one, another appears. Yes, we are talking about adware.

What is adware?

Adware is short for advertising-supported software. Long known as one of the Mac’s biggest problems, it has become ubiquitous on Android too, reaching the Google Play Store disguised as legitimate (Trojanized) applications.

Adware is a PC problem as well. It delivers ads and other browser-cluttering junk, most often as pop-ups, tabs and toolbars. Beyond simply bombarding you with ads, adware can hijack your browser and redirect you to websites you never intended to visit (and show its ads there), or serve random, back-alley search engine results. It can slow down your computer and is often frustratingly difficult to remove.

Why would anyone knowingly install a program that behaves this way?

The answer is: they don’t, knowingly. When legitimate applications use online advertising, the ads are bundled within the program and displayed the way the developer specified, and a good developer knows not to irritate users with overbearing ads. Adware, in contrast, is specifically designed to be a nuisance and sneaks onto people’s systems by bundling itself with legitimate programs or disguising itself as something else.

Whether you installed it unknowingly because it was bundled with other software and buried in a EULA you did not read, or because it misrepresented itself, it behaves in a way you never asked for. That is what makes adware a potentially unwanted program (PUP).

How do you get adware?

The most common way for adware to get onto a PC is through toolbars and browser extensions, including software and downloads offered through pop-up windows.

Trojans carrying adware may claim to be what you want, such as a plug-in or a video player; what you actually download is an adware installer. Adware can also hide in downloads from dubious websites, which often happens with files obtained from torrent or cracking sites, and it is increasingly common in the Google Play Store, burdening Android devices with unwanted content.

Deception is common in all of these delivery methods. Adware makers trick users into installing programs they do not want by pre-checking consent boxes, shrinking or hiding the option to skip the bundled offer, or placing a “recommended” label next to the choice they want you to make. To keep adware off your device, read installation wizards and EULAs with the utmost care.

How to remove adware?

The fix is relatively simple. If you suspect you have an adware problem on your PC, you can remove it manually in a few steps.

Back up your files –

This is always the first precaution against a possible infection. Copy your most important data to an external hard drive or to the cloud.

Download or update the tools you need –

To clean the computer, download or update a scanner that specializes in removing adware and potentially unwanted programs, such as the free versions of AdwCleaner or Malwarebytes. If you think your computer is seriously infected and you do not yet have these tools, download them on a friend’s computer and transfer them to yours on a CD or USB stick.

Uninstall unnecessary programs –

Before scanning with security products, check whether the adware has its own uninstaller. Open Programs and Features in the Windows Control Panel; if an unwanted program is listed, select it and click Uninstall. Restart the computer after removing the adware, even if you are not prompted to do so.

Scan the PC to remove adware and other potentially unwanted programs. Once the scanner has found the adware, it will usually quarantine it so you can review the findings and decide whether to remove them. Our recommendation is to delete them: this removes the adware along with the companion files that could otherwise restore it.


Google Acknowledges Having Android Backdoor Triada

On June 6, 2019, Google published a case study of a highly skilled group that planted a backdoor in Android phones. It concerns a family of apps called “Triada” that can push spam and ads onto a device. After a brief overview of its beginnings in 2016 and how the first version worked, Google’s account took a surprising turn: Triada had developed a way to get its malware onto Android phones before the customer even took the device out of the box or installed a single application.

The key is that many smartphone manufacturers lack the resources to develop some features themselves and depend on third-party vendors to build them. That third party then becomes the attack vector.

Triada’s story began when Kaspersky Lab researchers discovered it early in 2016. According to Google, the purpose of the Android malware was “primarily to install anti-spam applications on devices displaying advertisements.” Lukasz Siewierski, a reverse engineer on Google’s Android security and privacy team, said Triada was unusually advanced for its time.

If you are reading this, it is very unlikely that a phone you purchased has been affected. Google did not name the infected devices, but according to analyses by anti-malware vendors, Dr.Web found the backdoors on phones from the Chinese manufacturers Leagoo and Nomu, which are not sold in the United States.

Earlier this year, Forbes reported the discovery of the Triada Android Trojan on many new low-priced Android smartphones. Google has now confirmed that the threat actors successfully compromised Android smartphones by having backdoors installed as part of a supply chain attack.

“The method used by Triada is complicated and unusual for this type of application,” wrote Siewierski in a blog post. “The Triada app started as a rooting Trojan, but as Google Play Protect strengthened its defenses against root attacks, the Triada apps were forced to adapt, progressing to a system image backdoor.”

Although Google added protections against threats like Triada, in summer 2017 the malware took a different and unusual approach: it attacked the supply chain so that the backdoor came pre-installed in the system image of small-budget phones.

As for Triada, Lukasz Siewierski’s analysis on the Google security blog confirms that the backdoor shipped pre-installed on some recent Android smartphones.

Also, Read:

22 Apps in Google Play Store Taken Down Due To Backdoor Downloaders

Smartphone Backdoor found in Four models in Germany

7 Tips on How Firms can Prevent Successful RDP Backdoor Attacks


Cases of Cyber-Attacks in Kenya Rise to 11.2 Million

The Communications Authority of Kenya (CA) reports that 11.2 million cyber-attacks hit organizations in Kenya in the first quarter of 2019, a 10.1 percent increase in the number of security incidents compared with the previous quarter. Its incident response center detected increases in malware, web application attacks, system misconfigurations and online abuse.

According to the CA, cyber-attacks cost Kenya’s economy about 29.5 billion shillings. The CA’s cyber intelligence team sent about 14,078 cyber-threat alerts to the relevant organizations in the country, up from 12,138 alerts a year earlier.

The Central Bank of Kenya (CBK), the country’s banking supervisor, recently announced new cybersecurity policies for the financial services sector. According to CBK Governor Patrick Njoroge, the new cybersecurity guidelines for payment service providers will help reduce threats to the financial sector.

“The regulatory and advisory initiatives are targeted towards safeguarding Kenya’s financial sector from cybercrime,” said Njoroge at the launch of the Kenya Bankers Association (KBA) 2019 Card, Mobile, and Online Safety Awareness Campaign. “As a result, a single attack on any given commercial bank could have a devastating effect on the entire financial services system.”

Habil Olaka, the CEO of KBA said “While this is an inspiring development, financial fraud is among the challenges that threaten progress in the adoption of new technologies. As an industry, we firmly believe that it is through cross-sector collaborations that we can defeat fraud and ensure a sustainable environment for growth.”

Last year, the CBK proposed new cybersecurity standards to combat bank fraud and to better understand the threats payment service providers face. Under the new guidelines, banks and mobile service providers are required to submit cybersecurity reports to the regulator: they must notify the CBK within 24 hours of suspicious activity and provide quarterly reports on incidents and their resolution.

Also, Read:

How to Protect Yourself from Online Cyber Attacks at Work

The 3 Sectors Most Prone to Cyber Attacks


Malicious Torrent GoBotKR Targets South Korean TV

ESET researchers have detected an ongoing malicious campaign distributing a backdoor through torrents, using Korean TV content and sometimes games as bait. The backdoor spreads through torrent sites in South Korea and China, and it allows the attacker to connect a compromised computer to a botnet and control it remotely.

The malware concerned is a modified version of a publicly available backdoor named GoBot2; the modifications to the source code are mainly South Korea-specific evasion techniques. Due to the campaign’s clear focus on South Korea, ESET has dubbed this Win64/GoBot2 variant GoBotKR. With 80% of all detections, South Korea is the most affected, followed by China (10%) and Taiwan (5%). According to ESET telemetry, GoBotKR has been active since 2018.


“The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions, and icons,” says ESET researcher Zuzana Hromcova, who analyzed the malware. “Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
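The booby-trapping the researcher describes (an executable at the top level named like the episode, the real MP4 tucked away in a subfolder) can be caught before anything is double-clicked. As an added example (not ESET’s tooling), the Python below audits a downloaded torrent directory for executables with media-like double extensions, bare executables inside what should be a media download, and files that carry a media extension but start with the MZ header of a Windows PE. It builds a small constructed directory mirroring that layout so it runs offline; the file contents are stand-ins, not real video or malware. Icon spoofing is not something a filename check can see, which is why the magic-byte check is there as well.

```python
"""Audit a downloaded torrent's files for executables posing as media.

Added example, not ESET's tooling. The sample directory is constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

MEDIA_EXT = {".mp4", ".mkv", ".avi", ".wmv", ".srt", ".smi"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk", ".vbs", ".js"}


def has_pe_header(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS stub every Windows PE carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def audit_torrent_dir(root: str | Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        ext = suffixes[-1] if suffixes else ""
        rel = p.relative_to(root).as_posix()
        if ext in EXEC_EXT:
            if any(s in MEDIA_EXT for s in suffixes[:-1]):
                findings.append((rel, "executable with a media-like double extension"))
            else:
                findings.append((rel, "executable inside a media torrent"))
        elif ext in MEDIA_EXT and has_pe_header(p):
            findings.append((rel, "PE header behind a media extension"))
    return sorted(findings)


def build_sample_torrent(root: str | Path) -> None:
    """Write the constructed sample layout (contents are stand-ins, not real files)."""
    root = Path(root)
    (root / "extra").mkdir(parents=True, exist_ok=True)
    files = {
        "Drama.E01.720p.mp4.exe": b"MZ" + bytes(62),          # look-alike dropper
        "Drama.E01.720p.avi": b"MZ" + bytes(62),              # PE renamed to .avi
        "Drama.E01.720p.scr": b"MZ" + bytes(62),              # screensaver = executable
        "Drama.E01.720p.smi": b"<SAMI><BODY></BODY></SAMI>",  # harmless subtitle
        "extra/Drama.E01.720p.mp4": bytes(4) + b"ftypmp42" + bytes(8),  # the real video
    }
    for name, content in files.items():
        (root / name).write_bytes(content)


def run_demo() -> list[tuple[str, str]]:
    """Build the sample torrent in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_torrent(tmp)
        return audit_torrent_dir(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run `audit_torrent_dir` against the real download folder; anything it reports should be deleted without opening it, and a clean result still only means the filenames and headers are honest, not that the files are safe.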

The malware itself is not technically sophisticated, but the actors behind GoBotKR are building a botnet capable of carrying out DDoS attacks of various kinds. After execution, GoBotKR first collects a list of the antivirus software installed on the compromised computer along with other system information, such as network configuration, operating system version, and CPU and GPU models.

Hromcova further elaborates, “This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.”

The bot allows its operators to misuse compromised computers, extend the botnet and avoid detection. Among other things, supported commands can launch DDoS attacks against specific victims, copy the malware to connected removable media or to the local folders of cloud storage services (Dropbox, OneDrive, Google Drive), and seed torrents carrying the malware to grow the botnet further.

The most interesting thing about GoBotKR is its anti-detection techniques, which are tailored to South Korea. In particular, the malware scans the processes running on the compromised system for certain antivirus products, including products from South Korean security companies, and terminates itself if one is found. A second evasion technique detects system analysis tools in the same way, again including tools from South Korean companies. In a third technique, the attackers abuse a legitimate South Korean online platform to determine the victim’s IP address. “In general, we are seeing changes that allow hackers to adapt their malicious programs to a specific audience, making extra efforts not to be detected in their campaigns,” Hromcova adds.
