Category Archives: botnet

This Week in Security News: Radio Frequency Technology and Telecom Crimes

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how radio frequency technology is putting industrial organizations at risk. Also, understand the threat landscape of telecommunications and how to prepare for future threats.

Read on:

How Radio Frequency Technology is Putting the Industrial Sector at Risk

Leaders of industrial organizations must understand that the devices and systems employees leverage to control processes could open their business up to specific vulnerabilities. 

Microsoft warns Windows 7 users of looming end to security updates

Microsoft has rolled out a patch that will warn Windows 7 users that security updates will come to an end on January 14, 2020. At that time, the software giant will no longer roll out fixes for security flaws and vulnerabilities.

Attackers Targeting Cloud Infrastructure for Their Cryptocurrency-Mining Operations

With the rise of cryptocurrency-mining malware over the past couple of years, cybercriminals are constantly trying different kinds of monetization schemes. 

Email Scammers Stole More Than $150K from Defense Contractors and a University, FBI Says

Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies.

Global Telecom Crime Undermining Internet Security: Cyber-Telecom Crime Report

As the field of telecommunication continues to evolve, so should its security. Understanding its current threat landscape can help reduce the impact of crimes and prepare us for future threats. 

Half of Organizations Lack the Security Talent Needed to Remain Secure

According to the latest Trend Micro figures, organizations worldwide are faced with an ‘ongoing and often detrimental’ shortage of cybersecurity talent.

New Mirai Botnet Variant Targets IoT TV, Presentation Systems

Trend Micro researchers found a new Mirai variant in the wild targeting smart signage TV and wireless presentation systems commonly used by businesses. 

Aluminum Maker Hydro Battles to Contain Ransomware Attack

Norsk Hydro, one of the world’s largest aluminum producers, battled to contain a cyber-attack that halted parts of its production.

What You Need to Know About the LockerGoga Ransomware

The systems of Norwegian aluminum manufacturing company Norsk Hydro were reportedly struck last Tuesday, March 19, by LockerGoga ransomware. 

Round 4: Hacker Returns and Puts 26 Million User Records for Sale on the Dark Web

A hacker who previously put more than 840 million user records up for sale has returned with a fourth round of hacked data from six companies, totaling 26.42 million user records. 

Trump’s Cybersecurity Budget Emphasizes DOD While Spreading Cuts Elsewhere

Federal cybersecurity spending would increase by about 5 percent overall in fiscal 2020 under President Donald Trump’s proposed budget, with the Department of Defense getting a big boost and many civilian agencies seeing small cuts or relatively flat funding.

Are you surprised with the growth and evolution of telecom technology? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


New Mirai variant leverages 11 new exploits and targets smart signage TVs and wireless presentation systems

This new variant now uses 11 new exploits and targets LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems. In addition to using new exploits in its multi-exploit battery, this

The post New Mirai variant leverages 11 new exploits and targets smart signage TVs and wireless presentation systems appeared first on The Cyber Security Place.

A new development shows a potential shift to using Mirai to target enterprises

Researchers at Palo Alto Networks' Unit 42 have discovered a new variant of the infamous Mirai botnet that is targeting IoT devices belonging to businesses.

Mirai malware first appeared in the wild in 2016, when the MalwareMustDie research group discovered it in massive attacks aimed at Internet of Things (IoT) devices.


Since the Mirai source code was leaked online, many variants have emerged in the threat landscape: Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just some of the variants that appeared in 2018.

A variant discovered last year leveraged an open-source project to build binaries for multiple architectures, including ARM, MIPS, PowerPC, and x86.

The new Mirai variant targets embedded devices (e.g., routers, network storage devices, NVRs, and IP cameras) and leverages various exploits to compromise them.

Experts observed attacks against WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both families of devices intended for use within business environments.

“In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs. Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises,” Palo Alto Networks notes.

“The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”

The malicious code was hosted at a compromised website in Colombia: an “Electronic security, integration and alarm monitoring” business.

Researchers found that the new variant uses a total of 27 exploits, 11 of which are new to Mirai. The bot also carries a new set of credentials for its brute-force attacks.

The new malware implements the same encryption scheme characteristic of Mirai, scans for vulnerable devices, and can launch HTTP flood DDoS attacks.

The samples analyzed by the experts fetched the same payload from the same IP address that had hosted Gafgyt samples just a few days earlier, and those Gafgyt samples used the same names as the binaries fetched by the shell script.

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both,” Palo Alto Networks concludes. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”

Further details, including IoCs are reported in the analysis published by PaloAlto Networks.

Pierluigi Paganini

(SecurityAffairs – Mirai, IoT)

The post A new development shows a potential shift to using Mirai to target enterprises appeared first on Security Affairs.


39% of Counter Strike 1.6 Servers Found to be Delivering Malware

It has been roughly two decades since the launch of Counter Strike. Yet, the game continues to be popular among

39% of Counter Strike 1.6 Servers Found to be Delivering Malware on Latest Hacking News.

Emotet revisited: pervasive threat still a danger to businesses

One of the most common and pervasive threats for businesses today is Emotet, a banking Trojan turned downloader that has been on our list of top 10 detections for many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has been leveled at consumers and organizations across the globe, fooling users into infecting endpoints through phishing emails, and then spreading laterally through networks using stolen NSA exploits. Its modular, polymorphic form, and ability to drop multiple, changing payloads have made Emotet a thorn in the side of cybersecurity researchers and IT teams alike.

Emotet first appeared on the scene as a banking Trojan, but its effective combination of persistence and network propagation has turned it into a popular infection mechanism for other forms of malware, such as TrickBot and Ryuk ransomware. It has also earned a reputation as one of the hardest-to-remediate infections once it has infiltrated an organization’s network.

Figure: Emotet detections, March 12, 2018 – February 23, 2019

In July 2018, the US Department of Homeland Security issued a Technical Alert through US-CERT (now part of CISA, the Cybersecurity and Infrastructure Security Agency) about Emotet, warning that it was hitting state, local, tribal, and territorial (SLTT) governments hard:

“Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

From banking Trojan to botnet

Emotet started out in 2014 as an information-stealing banking Trojan that scraped sensitive financial information from infected systems (which is why Malwarebytes detects some components as Spyware.Emotet). Over time, however, Emotet and its business model evolved, switching from a singular threat leveled at specific targets to a botnet that distributes multiple malware payloads to industry verticals ranging from governments to schools.

Emotet was designed to be modular, with each module having a designated task. One of its modules is a Trojan downloader that downloads and runs additional malware. At first, Emotet started delivering other banking Trojans on the side. However, its modular design made it easier for its authors—a group called Mealybug—to adapt the malware or swap functionality between variants. Later versions began dropping newer and more sophisticated payloads that held files for ransom, stole personally identifiable information (PII), spammed other users with phishing emails, and even cleaned out cryptocurrency wallets. All of these sidekicks were happy and eager to make use of the stubborn nature of this threat.

Infection mechanism

We have discussed the structure and flow of Emotet’s infection vectors in detail in earlier posts, by decoding an example. What most Emotet variants have in common is that the initial infection mechanism is malspam. At first, infections were initiated from JavaScript files attached to emails; later (and still true today), it was via malicious Word documents that download and execute the payload.

A considerable portion of Emotet malspam is generated by the malware’s own spam module that sends out malicious emails to the contacts it finds on an infected system. This makes the emails appear as though they’re coming from a known sender. Recipients of email from a known contact are more likely to open the attachment and become the next victim—a classic social engineering technique.

Besides spamming other endpoints, Emotet also propagates using EternalBlue, the SMBv1 exploit stolen from the NSA and released by the Shadow Brokers group. This functionality allows the infection to spread laterally across a network of unpatched systems, which makes it even more dangerous to businesses that have hundreds or thousands of endpoints linked together.

Difficult to detect and remove

Emotet has several methods for maintaining persistence, including auto-start registry keys and services, and it uses modular Dynamic Link Libraries (DLLs) to continuously evolve. Because Emotet is polymorphic and modular, it can evade typical signature-based detection.

In fact, not only is Emotet difficult to detect, but also to remediate.

A major factor that frustrates remediation is the aforementioned lateral movement via EternalBlue. Dealing with it requires that admins follow a strict policy of isolating infected endpoints from the network, patching, disabling administrative shares, and only then removing the Trojan before reconnecting to the network; otherwise, cleaned endpoints will be re-infected over and over by infected peers.

Add to that mix the ongoing development of new capabilities, including the ability to detect virtual machines, avoid spam filters, or uninstall security programs, and you’ll begin to understand why Emotet is every network administrator’s worst nightmare.

Recommended remediation steps

An effective, though time-consuming method for disinfecting networked systems has been established. The recommended steps for remediation are as follows:

  • Identify the infected systems by looking for Indicators of Compromise (IOCs)
  • Disconnect the infected endpoints from the network. Treat systems where you have even the slightest doubt as infected.
  • Patch the system for EternalBlue. Patches for many Windows versions are listed in Microsoft Security Bulletin MS17-010.
  • Disable administrative shares, because Emotet also spreads itself over the network through default admin shares. TrickBot, one of Emotet’s trusty sidekicks, also uses the Admin$ shares once it has brute forced the local administrator password. A file share server has an IPC$ share that TrickBot queries to get a list of all endpoints that connect to it.
  • Scan the system and clean the Emotet infection.
  • Change account credentials, including all local and domain administrator passwords, as well as passwords for email accounts to stop the system from being accessible to the Trojan.
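The first step above, finding infected hosts from IOCs, as an added example that is not part of the Malwarebytes post: a Python triage over autorun entries (exported, say, from the Run keys, the Services key and the user's Startup folder) that matches each entry against the persistence locations and filename examples in the IOC list further down this page. The entry format, the hex-name heuristic for Services subkeys and the sample entries are assumptions made for the example.

```python
import re
from typing import Dict, List

# Persistence locations from the IOC list on this page, as regexes over a
# lower-cased Windows path (the "random" parts become wildcards).
IOC_PATH_PATTERNS = [
    ("system32 numeric dir", re.compile(r"^c:\\windows\\system32\\\d+\\")),
    ("scheduled task",       re.compile(r"^c:\\windows\\system32\\tasks\\[^\\]+$")),
    ("exe directly under c:\\windows",
                             re.compile(r"^c:\\windows\\[^\\]+\.exe$")),
    ("roaming appdata drop",
     re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+(\\[^\\]+)?\.exe$")),
    ("startup lnk",          re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")),
]

# Filename examples from the IOC list.
IOC_FILENAMES = {"playingonahash.exe", "certapp.exe", "cleantoast.exe",
                 "cciallow.exe", "rulerruler.exe", "connectmrm.exe"}

# Services subkey named with random hex, per the registry IOC (assumed length >= 6).
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")


def extract_path(command: str) -> str:
    """Pull the executable path out of a Run / ImagePath value, lower-cased.
    Handles '"c:\\dir with spaces\\x.exe" /arg' and 'c:\\dir\\x.exe /arg'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.*?\.(?:exe|lnk))", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def triage_autoruns(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the autorun entries that match an Emotet persistence IOC.

    Each entry is {"key": registry key or "Startup", "name": value/subkey
    name, "value": command line or path}; each hit gets a "reasons" field."""
    hits = []
    for e in entries:
        path = extract_path(e["value"])
        reasons = [label for label, pat in IOC_PATH_PATTERNS if pat.search(path)]
        if path.rsplit("\\", 1)[-1] in IOC_FILENAMES:
            reasons.append("known filename")
        if e["key"].lower().endswith("\\services") and HEX_NAME.match(e["name"].lower()):
            reasons.append("hex service name")
        if reasons:
            hits.append({**e, "reasons": ", ".join(reasons)})
    return hits


# Constructed sample, as if exported from the Run keys, the Services key and
# the user's Startup folder of a host under investigation.
SAMPLE_ENTRIES = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "rulerruler",
     "value": r"c:\users\admin\appdata\roaming\5c7eaf\rulerruler.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "value": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": r"HKLM\System\CurrentControlSet\Services", "name": "a1b2c3d4e5",
     "value": r"C:\Windows\System32\482913\certapp.exe"},
    {"key": r"HKLM\System\CurrentControlSet\Services", "name": "Spooler",
     "value": r"C:\Windows\System32\spoolsv.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "VMware User Process",
     "value": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'},
    {"key": "Startup", "name": "qw8fh2.lnk",
     "value": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qw8fh2.lnk"},
]

if __name__ == "__main__":
    for h in triage_autoruns(SAMPLE_ENTRIES):
        print(f'{h["key"]}\\{h["name"]} -> {h["value"]}  [{h["reasons"]}]')
```

Legitimate software also starts from AppData\Roaming, so the output is a triage list to review, not a verdict; the value of the script is that it surfaces every entry in the locations the IOC list names and says which pattern it tripped.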

Prevention

Obviously, it’s preferable for businesses to avoid Emotet infections in the first place, as remediation is often costly and time-consuming. Here are some things you can do to prevent getting infected with Emotet:

  • Educate users: Make sure end users are aware of the dangers of Emotet and know how to recognize malspam—its primary infection vector. Train users on how to detect phishing attempts, especially those that are spoofed or more sophisticated than, say, the Nigerian Prince.
  • Update software regularly: Applying the latest updates and patches reduces the chances of Emotet spreading laterally through networks via the SMB vulnerability that EternalBlue exploits. If not already implemented, consider automating those updates.
  • Limit administrative shares: Restrict them to the absolute minimum to contain the damage Emotet can do.
  • Use safe passwords: Yes, it really is that important to use unique, strong passwords for each online account. Investigate, adopt, and roll out a single password manager for all of the organization’s users.
  • Back up files: Some variants of Emotet also download ransomware, which can hold now-encrypted files hostage, rendering them useless unless a ransom is paid. Since we and the FBI recommend never paying the ransom—as it simply finances future attacks and paints a target on an organization’s back—having recent and easy-to-deploy backups is always a good idea.

IOCs

Persistence

C:\Windows\System32\randomnumber\
C:\Windows\System32\tasks\randomname
C:\Windows\[randomname]
C:\Users\[user]\AppData\Roaming\[random]
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[randomname].lnk (a shortcut in the Startup folder; %APPDATA% already points at the Roaming folder)

Registry keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{random hexadecimal name}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{random name}, with value c:\users\admin\appdata\roaming\{random}{legitimate filename}.exe

Filename examples

PlayingonaHash.exe
certapp.exe
CleanToast.exe
CciAllow.exe
RulerRuler.exe
connectmrm.exe

Strings

C:\email.doc
C:\123\email.doc
C:\123\email.docx
C:\a\foobar.bmp
X:\Symbols\a
C:\loaddll.exe
C:\email.htm
C:\take_screenshot.ps1
C:\a\foobar.gif
C:\a\foobar.doc

Subject Filters

“UPS Ship Notification, Tracking Number”
“UPS Express Domestic”
“Tracking Number *”

Trick to check whether a UPS tracking number is real: a legitimate UPS tracking number is eighteen alphanumeric characters long, starts with ‘1Z’, and ends with a check digit.

A number matching this format may still be false, but one that doesn’t match is certainly not real.

The post Emotet revisited: pervasive threat still a danger to businesses appeared first on Malwarebytes Labs.

GlitchPOS: New PoS malware for sale



Warren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker.

Executive summary


Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers that they can immediately turn into financial gain. This type of malware is generally deployed on retailers' websites and retail point-of-sale locations with the goal of capturing customers' payment information. If the attackers successfully obtain credit card details, they can either sell that information or use the card data directly, and reinvest the proceeds in additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of network segregation and can represent a soft target for attackers. Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the associated payloads, the malware's infrastructure, and its control panel. We assess with high confidence that this is not the first malware developed by this actor: a few years ago, they were also pushing the DiamondFox L!NK botnet. Known as "GlitchPOS," this malware is also being distributed on alternative websites at a higher price than the original.

The actor behind this malware created a video, which we embedded below, showing how easy it is to use it. This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet.



GlitchPOS


Packer overview


A packer developed in VisualBasic protects this malware. It's, on the surface, a fake game. The user interface of the main form (which is not displayed at the execution) contains various pictures of cats:

The purpose of the packer is to decode a library that is the real payload, itself compressed with UPX. Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic.

Payload analysis


The payload is small and contains only a few functions. It can connect to a command and control (C2) server to:

  • Register the infected systems
  • Receive tasks (command execution in memory or on disk)
  • Exfiltrate credit card numbers from the memory of the infected system
  • Update the exclusion list of scanned processes
  • Update the "encryption" key
  • Update the User Agent
  • Clean itself


Tasks mechanism


The malware receives tasks from the C2 server. Here is the task pane:

The commands are executed via a shellcode directly sent by the C2 server. Here is an example in Wireshark:

The shellcode is encoded with base64. In our screenshot, the shellcode is a RunPE:

"Encryption" key


The "encryption" key of the communication can be updated in the panel. The communication is not encrypted but simply XORed:

Credit card grabber


The main purpose of this malware is to steal credit card numbers (Track1 and Track2) from the memory of the infected system. GlitchPOS uses a regular expression to perform this task:

  • (%B)\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?
    The purpose of this regular expression is to detect Track 1 format B
    Here is an example of Track 1:
    Cardholder : M. TALOS
    Card number*: 1234 5678 9012 3445
    Expiration: 01/99
    %B1234567890123445^TALOS/M.

  • ;\d{13,19}=\d{7}\w*\?
    The purpose of this regular expression is to detect Track 2
    Here is an example of Track 2 based on the previous example:
    ;1234567890123445=99011200XXXX00000000?*


If a match is identified in memory, the result is sent to the C2 server. The malware maintains an exclusion list provided by the server. Here is the default list: chrome, firefox, iexplore, svchost, smss, csrss, wininit, steam, devenv, thunderbird, skype, pidgin, services, dwn, dllhost, jusched, jucheck, lsass, winlogon, alg, wscntfy, taskmgr, taskhost, spoolsv, qml, akw.
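The two expressions above, run over a buffer the way a memory grabber would, as an added example that is not Talos's code or GlitchPOS's: the Python below applies both regexes to a constructed stand-in for process memory, pulls the PAN out of each hit, and adds a Luhn check (an addition, not something the malware does) so that hits that are not real card numbers can be dropped. The sample buffer is constructed for the example; the card number is the one from the page's Track 1/Track 2 illustration.

```python
import re
from typing import Dict, List

# The two regular expressions reported on this page for GlitchPOS, compiled
# over bytes because the target is raw process memory, not text.
TRACK1_RE = re.compile(rb"(%B)\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?")
TRACK2_RE = re.compile(rb";\d{13,19}=\d{7}\w*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check on a primary account number; used here to drop
    regex hits that are not real card numbers (an addition, not GlitchPOS logic)."""
    if not pan or not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    """Run both track regexes over a memory buffer and return the hits.

    Each hit records the track type, the PAN pulled out of the match, whether
    the PAN passes Luhn, and the raw matched bytes."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        raw = m.group(0)
        pan = raw[2:raw.index(b"^")].decode("ascii")   # between "%B" and first "^"
        hits.append({"track": 1, "pan": pan, "luhn": luhn_ok(pan), "raw": raw})
    for m in TRACK2_RE.finditer(buf):
        raw = m.group(0)
        pan = raw[1:raw.index(b"=")].decode("ascii")   # between ";" and "="
        hits.append({"track": 2, "pan": pan, "luhn": luhn_ok(pan), "raw": raw})
    return hits


# Constructed stand-in for a process memory dump: the page's sample card
# (1234567890123445, which happens to be Luhn-valid) in Track 1 and Track 2
# form, one Track 2 record with a corrupted check digit, and one Track 1
# record whose cardholder field contains a period, as in the page's example.
SAMPLE_MEMORY = (
    b"\x00\x00\x90\x90some unrelated heap data\x00"
    b"%B1234567890123445^TALOS/M^99011200XXXX00000000?\x00"
    b"more filler\x00"
    b";1234567890123445=99011200XXXX00000000?\x00"
    b";1234567890123456=99011200XXXX00000000?\x00"
    b"%B1234567890123445^TALOS/M.^99011200XXXX00000000?\x00"
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(h["track"], h["pan"], "luhn_ok" if h["luhn"] else "luhn_FAIL")
```

Two things the run shows that the regexes alone do not: the Track 2 record with the corrupted check digit is matched but fails Luhn, and the last Track 1 record is not matched at all, because the cardholder class `[\w\s\/]` does not admit a period, so a name written as "TALOS/M." (the page's own sample) slips past the Track 1 expression while the Track 2 expression still catches the same card.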

Panel


Here are some additional screenshots of the GlitchPOS panel. These screenshots were provided by the seller to promote the malware.

The "Dashboard:"

The "Clients" list:

The "Cards Date:"

Linked with DiamondFox L!NK botnet


Author: Edbitss


The first mention of GlitchPOS was on Feb. 2, 2019 on a malware forum:

Edbitss is allegedly the developer of the DiamondFox L!NK botnet in 2015/2016 and 2017, as explained in a report by Check Point.

The developer created this video to promote GlitchPOS, as well. In this video, you can see the author set up the malware and capture the data from a swiped card. We apologize for the quality, shakiness, music, and generally anything else with this video, again, it's not ours.


The built malware is sold for $250, the builder $600 and finally, the gate address change is charged at $80.

Panel similarities


In addition to the malware language (VisualBasic), we identified similarities between the DiamondFox panel and the GlitchPOS panel. In this section, the DiamondFox screenshots come from the Check Point report mentioned previously.

Both dashboards' world maps are similar (image, code and color):

The author used the same terminology, such as "Clients" or "Tasks", on the left menu:

The icons are the same too in both panels, as well as the infected machine list (starting with the HWID). The PHP file naming convention is similar to DiamondFox, too.

The author clearly reused code from DiamondFox panel on the GlitchPOS panel.

Comparison of GlitchPOS and the DiamondFox POS module


In 2017, the DiamondFox malware included a POS plugin. We decided to check if this module was the same as GlitchPOS, but it is not. For DiamondFox, the author decided to use the leaked code of BlackPOS to build the credit card grabber. On GlitchPOS, the author developed its own code to perform this task and did not use the previously leaked code.

Bad guys are everywhere


It's interesting to see that someone else attempted to push the same malware 25 days after edbitss on an alternative forum:

This attacker even tried to cash in by increasing some prices.

Some members even attempted to call out the unscrupulous behaviour:

With the different information we have, we think that Chameleon101 has taken the previous malware created by Edbitss to sell it on an alternative forum and with a higher price.

Conclusion


This investigation shows us that POS malware is still attractive and some people are still working on the development of this family of malware. We can see that edbitss kept developing malware years after being publicly mentioned by cybersecurity companies. He left DiamondFox to switch to a new project targeting point-of-sale systems. The sale opened a few weeks ago, so we don't know yet how many people bought it or use it. We also see that bad guys steal each other's work and try to sell malware developed by other developers at a higher price. The final word will be a quote from Edbitss on a DiamondFox screenshot published by himself: "In the future, even bank robbers will be replaced."

Coverage


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)


The following IOCs are associated to this campaign:

GlitchPOS samples

ed043ff67cc28e67ba36566c340090a19e5bf87c6092d418ff0fd3759fb661ab (SHA256)
abfadb6686459f69a92ede367a2713fc2a1289ebe0c8596964682e4334cee553 (SHA256)

C2 server

coupondemo[.]dynamicinnovation[.]net

URLs

hxxp://coupondemo[.]dynamicinnovation[.]net/cgl-bin/gate.php
hxxp://coupondemo[.]dynamicinnovation[.]net/admin/gate.php
hxxp://coupondemo[.]dynamicinnovation[.]net/glitch/gate.php

Pro-Brexit Camp Wages Active ‘Fake News’ Twitter Campaign

Suspicious activity on Twitter is trying to sway public opinion in favor of Brexit as the United Kingdom continues its struggle to reach a deal to withdraw from the European Union, according to a new report.

The post Pro-Brexit Camp Wages Active ‘Fake News’ Twitter Campaign appeared first on The Security Ledger.


New Golang brute forcer discovered amid rise in e-commerce attacks

E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via web skimmers: pieces of code that are either directly injected into a hacked site or referenced externally. A skimmer's purpose is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems (CMSes) like Magento, as well as in various plugins are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks where multiple logins are attempted are still a viable option.

Our investigation started following the discovery of many Magento websites that were newly infected. We pivoted on the domain name used by the skimmer and found a connection to a new piece of malware that turned out to be a brute forcer for Magento, phpMyAdmin, and cPanel. While we can’t ascertain for sure whether this is how the skimmer was injected, we believe this may be one of many campaigns currently going after e-commerce sites.

Compromised website

The malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. This means that the shopping site had been compromised either via a vulnerability or by brute forcing the administrator password.

The online store is running the Magento CMS and using the OneStepCheckout library to process customers’ shopping carts. As the victim enters their address and payment details, their data is exfiltrated via a POST request with the information in Base64 format to googletagmanager[.]eu. This domain has been flagged before as part of criminal activities related to the Magecart threat groups.

Using VirusTotal Graph, we found a connection between this e-commerce site and a piece of malware written in Golang, more specifically a network query from the piece of malware to the compromised website. Expanding on it, we saw that the malware was dropped by yet another binary written in Delphi. Perhaps more interestingly, this opened up another large set of domains with which the malware communicates.

Payload analysis

Delphi downloader

The first part is a downloader we detect as Trojan.WallyShack that has two layers of packing. The first layer is UPX. After unpacking it with the default UPX, we get the second layer: an underground packer using process hollowing.

The downloader is pretty simple. First, it collects some basic information about the system, and then it beacons to the C2. We can see that the domain names for the panels are hardcoded in the binary:

The main goal of this element is to download and run a payload file:

Golang payload

Here the dropped payload installs itself in the Startup folder, by first dumping a batch script in %TEMP%, which is then deployed under the Startup folder. The sample is not packed, and looking inside, we can find artifacts indicating that it was written in Golang version 1.9. We detect this file as Trojan.StealthWorker.GO.

The procedure of reversing will be similar to what we have done before with another Golang sample. Looking at the functions with prefix “main_”,  we can distinguish the functions that were part of the analyzed binary, rather than part of statically-linked libraries.

We found several functions with the name “Brut,” suggesting this piece of malware is dedicated to brute forcing.

This is the malware sample that communicated with the aforementioned compromised e-commerce site. In the following section, we will review how communication and tasks are implemented.

Bot communication and brute forcing

Upon execution, the Golang binary will connect to 5.45.69[.]149. Checking that IP address, we can indeed see a web panel:

The bot proceeds to report that the infected computer is ready for a new task via a series of HTTP requests, announcing itself and then receiving instructions. You can see below how the bot will attempt to brute force Magento sites leveraging the /downloader/ directory as the point of entry:

Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers. Given that many people are still using weak passwords for authentication, brute forcing can still be an effective method to compromise websites.

Attack timeframe and other connections

We found many different variants of that Golang sample, the majority of them first seen in VirusTotal in early February (hashes available in the IOCs section below).

Checking on some of these other samples, we noticed that there’s more than just Magento brute forcing. Indeed, some bots are instead going after WordPress sites, for example. Whenever the bot checks back with the server, it will receive a new set of domains and passwords. Here’s an example of brute forcing phpMyAdmin:

POST:
set_session=&pma_username=Root&pma_password=Administ..&server=1&target=index.php&token=

User-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
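A defender-side view of the two login endpoints named above, the Magento /downloader/ path and phpMyAdmin's index.php, as an added example that is not part of the original post: it scans constructed access-log lines and flags a distributed brute-force attempt by aggregating attempts per target path rather than per source IP, since a botnet spreads the load over many workers. The combined log format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/Nginx access.log); the exact format is an assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATHS = ("/downloader/", "/phpmyadmin/index.php")  # endpoints the bot was seen hitting
BOT_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def detect_distributed_bruteforce(lines, window=timedelta(minutes=5), min_attempts=6, min_ips=4):
    """Return {path: (attempts, distinct_ips, bot_ua_hits)} for login paths that saw at least
    min_attempts POSTs from at least min_ips distinct addresses inside one window. Aggregating
    per target path matters: each bot may try only once, so a per-IP threshold never fires."""
    events = defaultdict(list)  # path -> [(timestamp, ip, user_agent)]
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST":
            continue
        path = e["path"].lower()
        if any(path.startswith(p) for p in LOGIN_PATHS):
            events[path].append((e["ts"], e["ip"], e["ua"]))
    alerts = {}
    for path, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ips = {ip for _, ip, _ in span}
            if len(span) >= min_attempts and len(ips) >= min_ips:
                if path not in alerts or len(span) > alerts[path][0]:
                    alerts[path] = (len(span), len(ips), sum(ua == BOT_UA for _, _, ua in span))
    return alerts

# Constructed sample: seven bots POST once each to /downloader/ within about two minutes,
# one address tries phpMyAdmin twice (below the distributed threshold), plus a benign GET.
SAMPLE_LOG = [
    f'203.0.113.{i} - - [12/Feb/2019:10:0{i % 3}:{10 + i:02d} +0000] "POST /downloader/ HTTP/1.1" 401 512 "-" "{BOT_UA}"'
    for i in range(1, 8)
] + [
    f'198.51.100.9 - - [12/Feb/2019:10:01:{s:02d} +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 880 "-" "{BOT_UA}"'
    for s in (5, 9)
] + ['198.51.100.7 - - [12/Feb/2019:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"']
```

Running `detect_distributed_bruteforce(SAMPLE_LOG)` reports only /downloader/, with seven attempts from seven addresses all carrying the bot's User-Agent; the phpMyAdmin pair from a single address stays below the threshold.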

As we were investigating this campaign, we saw a tweet by Willem de Groot noting a recent increase in skimmers related to googletagmanager[.]eu tied to Adminer, a database management utility. The shopping site on which we started our research was compromised only a few days ago. Without server logs and the ability to perform a forensic investigation, we can only assume it was hacked in one of many possible scenarios, including the Adminer/MySQL flaw or brute forcing the password.

Multiple weaknesses

There are many different weaknesses in this ecosystem that can be exploited, ranging from website owners not being diligent with security updates or their passwords, to end users running infected computers that are turned into bots and unknowingly help to hack web portals.

As always, it is important to keep web server software up-to-date and augment this protection by using a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including the use of the .htaccess file to restrict which IP address is allowed to log in.

Skimmers are a real problem for online shoppers who are becoming more and more wary of entering their personal information into e-commerce websites. While victims may not know where and when theft happened, it does not bode well for online merchants when their platform has been compromised.

Malwarebytes detects the malware used in these attacks and blocks the skimmer gate.

With additional contributions from @hasherezade.

Indicators of Compromise (IOCs)

Skimmer domain

googletagmanager[.]eu

Delphi downloader

cbe74b47bd7ea953268b5df3378d11926bf97ba72d326d3ce9e0d78f3e0dc786

Delphi C2

snaphyteplieldup[.]xyz
tolmets[.]info
serversoftwarebase[.]com

Golang bruteforcer

fdc3e15d2bc80b092f69f89329ff34b7b828be976e5cbe41e3c5720f7896c140

Similar Golang bruteforcers


C2 server

5.45.69[.]149:7000

The post New Golang brute forcer discovered amid rise in e-commerce attacks appeared first on Malwarebytes Labs.

US will map and disrupt North Korean botnet

The US government plans to turn the tables on North Korea-linked hackers trying to compromise key infrastructure. The Justice Department has unveiled an initiative to map the Joanap botnet and "further disrupt" it by alerting victims. The FBI and the Air Force Office of Special Investigations are running servers imitating peers on the botnet, giving them a peek at both technical and "limited" identifying info for other infected PCs. From there, they can map the botnet and send notifications through internet providers and foreign governments -- they'll even send personal notifications to people who don't have a router or firewall protecting their systems.

Source: Department of Justice

Historical OSINT – Malicious Economies of Scale – The Emergence of Efficient Platforms for Exploitation – 2007

Dear blog readers, it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software also known as scareware. In this post I'll profile the campaign, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it and

Historical OSINT – A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware potentially exposing hundreds of thousands of users to a variety of fake security software with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network

Historical OSINT – A Diversified Portfolio of Fake Security Software

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software also known as scareware potentially enticing hundreds of thousands of users to a multitude of malicious software with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts

Historical OSINT – Spamvertized Swine Flu Domains – Part Two

It's 2010 and I recently came across a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content. In this post I'll profile and expose a currently active malicious domains portfolio currently circulating in the wild successfully involved in an ongoing variety of Swine Flu malicious spam campaigns and will

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I recently came across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains this time serving rogue security software also known as scareware to unsuspecting users with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type

Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

Historical OSINT – Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I recently came across a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the

Ghosts of Botnets Past, Present, and Future

’Twas the morning of October 21st, and all through the house many IoT devices were stirring, including a connected mouse. Of course, this wasn’t the night before Christmas, but rather the morning of Dyn — the 2016 DDoS attack on the service provider that took the entire East Coast offline for a few hours. The root of the attack: botnets, AKA unsecured IoT devices that were enslaved by Mirai malware. And though this attack made history back in 2016, botnet attacks and the manipulation of vulnerable IoT devices have shown no signs of slowing since. To explore how these attacks have evolved over time, let’s examine the past, present, and future of botnets.

The Past

Any internet-connected device could potentially become part of a botnet. A botnet is an aggregation of connected devices, which could include computers, mobile devices, IoT devices, and more, that have been infected by one malware variant and are thereby under its author's control. The owners of these devices are typically unaware that their technology has been infected.

This infection and enslavement process came to a powerful fruition on that fateful October morning, as thousands of devices were manipulated by Mirai malware and transformed into a botnet for cybercriminals’ malicious scheme. Cybercriminals used this botnet army to construct one of the largest DDoS attacks in recent history on DNS provider Dyn, which temporarily knocked major sites such as Twitter, Github, and Etsy offline.

The Present

Now, the Dyn attack is arguably one of the most infamous in all of security history. But that doesn’t mean the attacks stop there. Fast forward to 2018, and botnets are still just as prominent, if not more. Earlier in the year, we saw Satori emerge, which even borrowed code from Mirai, as well as Hide N Seek (HNS), which has managed to build itself up to 24,000 bots since January 10th.

What’s more — DDoS attacks, which are largely driven by botnets, have also shown no signs of slowing this year. Just take the recent WordPress attack for example, which actually involved an army of over 20,000 botnets attacking sites across the web.

The Future

Botnets don’t just have a past and present — they likely have a future as well. That’s because cybercriminals favor the potency of this ‘infect and enslave’ tactic, so much so that they’re trying to spread it far and wide. Turns out, according to one report, you can even rent an IoT botnet: one Dark Web advertisement displayed a 50,000-device botnet for rent for a two-week duration to conduct one-hour attacks at a rate of $3000 – $4000.

The good news is — the cybersecurity industry is preparing for the future of botnet attacks as well. In fact, we’ve engineered technology designed to fight back against the nature of insecure IoT devices — such as our Secure Home Platform solution.

However, a lot of botnet attacks can be stopped by users themselves if they implement strong security practices from the start. This means changing the default passwords on any new IoT device you get, keeping any and all software up-to-date, always using a firewall to detect unusual behavior, and implementing comprehensive security software to ensure that all your computers and devices have protection.

If users everywhere implement the right processes and products from the start, botnet attacks may eventually become a thing of the past, and won’t ever be part of the present again.

To learn more about IoT device security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post Ghosts of Botnets Past, Present, and Future appeared first on McAfee Blogs.

It’s no Fun Being Right All the Time

Last week, I finally got around to writing about HideMyAss, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately after I hit "publish", I spotted this article pop up on Zdnet. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.
Normally, I really enjoy being proved right - ask my long-suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.

Android/FakeToken.A

OTP forwarder dumped months ago.

[Panel screenshots, not reproduced: Login, Statistics, Bots, Bot, Passwords, Send a command, Commands sent, Apps, Apps builder]

MD5s:

[Panel screenshots, not reproduced: App settings, Settings]

Second panel, a bit different; looks like a 'test' one.

[Panel screenshots, not reproduced: Statistics, Phone, Phone search, Settings]

RSA Security also talked about it here.