Category Archives: Cybercrime

Joker’s Stash, the largest carding site, is shutting down

Joker’s Stash to shut down on February 15, 2021.

Joker’s Stash, the largest carding marketplace online announced that it was shutting down its operations on February 15, 2021.

Joker’s Stash, the largest carding marketplace online, announced that its operations will shut down on February 15, 2021.

The administrator announced the decision via messages posted on various cybercrime forums.

Joker’s Stash Official Closing Message
Image source FlashPoint

Joker’s Stash is one of the most longevous carding websites, it was launched in October 2014 and is very popular in the cybercrime underground due to the freshness of its cards and their validity. The administrators always claimed the exclusivity of their offer that is based on “self-hacked bases.”

In December, Joker’s Stash was shut down as a result of a coordinated operation conducted by the FBI and Interpol.

Joker's Stash

At the time, the authorities only seized some of the servers used by the carding portal, but the Joker’s Stash site hosted on the ToR network was not affected by the operations conducted by the police.

The sized sites were at jstash.bazar, jstash.lib, jstash.emc, and jstash.coin, which are all those accessible via blockchain DNS.

Joker Stash admins said in a message published on a hacking forum that the law enforcement only seized the servers hosting the above domains, that were only used to redirecting visitors to the actual website.

The seizure operated by law enforcement in December had an impact on the reputation of the portal, some users were also claiming that the quality of the services offered by Joker’s Stash was decreasing.

“Throughout 2020, the typically active administrator JokerStash had several gaps in communications. JokerStash claimed that they were hospitalized due to a coronavirus infection. The decreasing number of large fresh bases also questioned their ability to source new card data.” reported FlashPoint.

The news of the closure of the card shop represents a major hit to the carding activities in the underground market.

The success of the recent operations might have pushed the administrators into an exit from their operations.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, carding)

The post Joker’s Stash, the largest carding site, is shutting down appeared first on Security Affairs.

Phishers count on remotely hosted images to bypass email filters

Loading remotely hosted images instead of embeedding them directly into emails is one of the latest tricks employed by phishers to bypass email filters. Phishers are always finding new ways trick defenses Phishing emails – especially when impersonating popular brands – contain widely known brand logos and other images to give the illusion of having been sent by legitimate organizations. Images have also been used for ages as a way to circumvent an email’s textual … More

The post Phishers count on remotely hosted images to bypass email filters appeared first on Help Net Security.

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds

Russian-speaking scammers started targeting users of European marketplaces and classifieds is a criminal scheme dubbed Classiscam.

Group-IB, a global threat hunting and and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam as a service designed to steal money and payment data. The scheme uses Telegram bots that provide scammers with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. According to Group-IB, over 20 large groups, leveraging the scheme, currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, Sbazar, and etc. Group-IB has sent notifications to the affected brands so they could take the necessary steps to protect against Classiscam. 


The scheme, which initially exploited delivery brands, has been tried and tested in Russia. Analysts warn that it is now growing rapidly and reaching users of European classifieds and marketplaces, which were chosen as a target by Russian-speaking scammers to increase their profits and reduce the risk of being caught. Fighting the scam requires joint efforts by classifieds, marketplaces, and delivery services. It is also key to use advanced digital risk protection technology to ensure that any brand impersonating attacks are quickly detected and taken down. 

Exporting Classiscam

Group-IB Computer Emergency Response Team (CERT-GIB) for the first time recorded the Classiscam in Russia in the summer of 2019. Peak activity was recorded in the spring of 2020 due to the massive switch to remote working and an increase in online shopping.

“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of CERT-GIB. “We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.” 

Group-IB’s Digital Risk Protection and CERT-GIB experts have so far identified at least 40 active Classiscam gangs that use scam pages mimicking popular classified, marketplace, and delivery companies with every one of them running a separate Telegram bot. Half of the groups already operate outside of Russia. Despite that scammers are making their first attempts in Europe, an average theft costs users about USD 120. The scam was localized for the markets of Eastern and Western Europe. The brands abused by scammers include the French marketplace Leboncoin, Polish brand Allegro, Czech site Sbazar, Romanian FAN Courier, DHL and many others. An analysis of underground forums and chats revealed that scammers are getting ready to use new brands in their scams, these are FedEx and DHL Express in the US and Bulgaria.

As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the talk through a third party messenger, such as  WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims. Such services are offered in the underground. 


Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data. 

Evildoers ask victims to provide their contact information to allegedly arrange a delivery. The scammer then sends the buyer an URL to either a fake popular courier service website or a scam website mimicking a classified or a marketplace with a payment form, which turns out to be a scam page. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario invlolves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace and obtained via Telegram bot, so that the seller could reportedly receive the money from the scammer. 


Classiscam Hierarchy 

Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot. At least 20 of these groups focus on European countries. On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total. 

The hierarchy of the scammer groups represents a pyramid, with the topic starters on top. They are responsible for recruiting new members, creating scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The topic starters’ share is about 20-30 percent of the stolen sum. “Workers” get 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs. 


All details of deals made by workers (including the sum, payment number and username) are displayed in a Telegram bot. That’s how Group-IB experts were able to calсulate their estimated monthly haul. 

Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project. By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve less risks for Russian-speaking scammers. Workers’ assistants are called “callers” and “refunders.” They pretend to be tech support specialists and receive 5-10 percent of the revenue.

Phishing kit in Telegram

The scheme is simple and straightforward, which makes it all the more popular. There are more reasons behind its growing popularity, however, such as automated management and expansion through special Telegram chat bots. More than 5,000 users (scammers) were registered in 40 most popular Telegram chats by the end of 2020.  

As it stands, workers just need to send a link with the bait product to the chatbot, which then generates a complete phishing kit including courier URL, payment, and refund. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language.

Chatbots also have shops where you can purchase accounts to various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent you in court.  

“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing our stolen money abroad,” says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe. “Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.” 

Fighting the Classiscam

In order to protect their brands from Classiscam, companies need to go beyond the simple monitoring and blocking approach. Instead, it is necessary to identify and block adversary infrastructure using AI-driven digital risk protection systems enriched with data about adversary infrastructure, techniques, tactics, and new fraud schemes. 


The recommendations for users are quite simple and include: 

·     Trust only official websites. Before entering your login details and payment information, double check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.

·      When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.

·      Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.

·      Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.

About the author: Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Classiscam)

The post Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds appeared first on Security Affairs.

Global cyber-espionage campaign linked to Russian spying tools

Kaspersky investigators uncover evidence that may support US claims Moscow was behind attack

A Moscow-based cybersecurity company has reported that some of the malicious code employed against the US government in a cyber-attack last month overlaps with code previously used by suspected Russian hackers.

The findings by Kaspersky investigators may provide the first public evidence to support accusations from Washington that Moscow was behind the biggest cyber-raid against the government in years, affecting 18,000 users of software produced by SolarWinds, including US government agencies.

Related: What you need to know about the biggest hack of the US government in years

Continue reading...

Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives

In their attempt to extort as much money as quickly as possible out of companies, ransomware gangs know some effective techniques to get the full attention of a firm’s management team. And one of them is to specifically target the sensitive information stored on the computers used by a company’s top executives, in the hope […]… Read More

The post Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives appeared first on The State of Security.

C2 Traffic Patterns: Personal Notes

Detection is a key point in threat hunting. During the past few weeks, stright in the middle of the winter “holidays” (well, maybe if you live in a place where no COVID-19 lockdown was involved), many people re/started a studying program on cybersecurity. Some of them wrote to me asking if there is a way to detect common malware infections through network traces. So I thought it was a nice idea to share some personal and quick notes on that topic.

BTW The short answer is: Yes there is a way. So it makes sense to trace Malware traffics for studying purposes, but also to find patterns for network detections in real environments.

First of all you need to build your own laboratory, you might decide to build a dual VM systems, in which VM1 is the victim machine and VM2 is the traffic sniffer or you might decide to have a single victim machine and the main host sniffing and analyzing traffic streams. This is actually my favourite choice: a single MV called “victim” where I detonate malwares and the main host (the real machine in which the victim is virtualized) where the traffic tools are run. You need to create a certificate and manke it trusted from the victim machine in order to facilitate the SSL inspection. But this is not a post on how to build your own laboratory, if you are interested on building your own Malware laboratory the following 2 links are great starting points:

  • Christophe wrote a very nice starting post on it: HERE
  • Byte-Atlas followed on the topic showung how to harden the machine to reduce Malware Evasion: HERE

After you set up your own laboratory you are ready to start your tracking process. Following some personal notes on my “network traceing days”. Please note the following collection is a mix-up of personal traced network traffic (and already published on gists/reports/repositories/pastebins etc) and the one I found from different friends/posts/reports/repositories as well during the past years.

Traffic Patterns

The following paragraphs describe traffic traces captured by executing in a controlled environment some of the most known malware untill now. Please note that I’ve taken descriptions from Malpedia for reading convenience.


A .NET based keylogger and RAT. Logs keystrokes and the host’s clipboard, it finally beacons this information back to the C2. It has a modular infrastructure, following some of the traffic grabs for the following modules:


POST /zin/WebPanel/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Content-Length: 308
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue



<html>Time: 11/25/2019 17:48:57<br>User Name: admin<br>Computer Name: VICTIM-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 4095.61 MB<br><hr>URL:<br><br>


From: office@xxx.]com
To: officelogs@xxx[.]com
Date: 12 Oct 2019 17:58:19 +0100
Subject: admin/VICTIM-PC Recovered Cookies
Content-Type: multipart/mixed;

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/12/2019 11:58:13<br>UserName: admin<br>ComputerName: VICTI=
M-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Int=
el(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 3583.61 MB<br>IP: 18=<hr>


AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit. The following network trace is of one of the most relevant POST action taking back pattern with many “/”

POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 103
Cache-Control: no-cache


Buer Loader

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: application/*
Content-Length: 2109952
Connection: keep-alive
Last-Modified: Tue, 12 Nov 2019 19:32:38 GMT
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3
Content-Length: 1046


Cobalt Strike

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Following a general profile

GET /Mdt7 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:13:32 GMT
Content-Type: application/octet-stream
Content-Length: 213589


GET /push HTTP/1.1
Accept: */*
Cookie: TwJl1o2Nzk3+xmC39FsNTbyJPGHyNxllFZ8wZUwR831SYmTwrxoGydXQGF1ej89K1t0rTLgzjd95c8127hlZ6SQ4hx95YrYuRHooitXYGEAxtbKv53LJ6K+6r1y1OQU3n0+O93xxPiyx6RvPeKzlACbO4nEc5YKzh0vAfWJvlm0=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:017:31 GMT
Content-Type: application/octet-stream
Content-Length: 0

Following Amazon C2 profile (from external sources)

GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1
Accept: */*
Cookie: skin=noskin;session-token=MM4bZQ5WUPUrn7TPQuCWct6G+WGXZaLdezMQVEv8PHnB7tnvTk7ct3W71pQmn2NMJQD7IFbjPnKJV27tKshA8AjgzpXoeUtOIrDiBEg0x3AesYq52s74IbjnsVA+wASo0D6L23fd87XNDUiBro5wNBzcybUOADAO1fjCobw5MAw=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 17:48:39 GMT
Server: Server
x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Content-Length: 0

Following a safebrowsing profile (from external sources)

GET /safebrowsing/ref/eNKSXUTdWXGYAMHYg2df0Ev1wVrA7yp0T-WrSHSB53oha HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Cookie: PREF=ID=foemmgjicmcnhjlacgackacadbclcmnfoeaeeignjhiphdgidlmahkgbchcahclpfcadjnegckejpiofbmllpnaeancgbikcdjohkekapgnkgiijobnknkgiahmkcjipnncehcamnopcmlngcboppjdplhhobhgekdcblgpkdggeklenpcabdkhhhaedogkacljhdgdphfanfbmcbnkgjmplhdkomllhnnoppchchejooiplahpgpmfaegdcpbnd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 1609
Alternate-Protocol: 80:quic
Cache-Control: public,max-age=172800
Content-Type: application/
Date: Fri, 22 Nov 2019 13:34:50 GMT
Server: ECAcc (frb/67BC)
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 82480


Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

It looks like TLS traffic, but it really isen’t. The matching flag is on “24 01 00 00” pattern and following 24 byte first packet. (external take)

00000000  24 01 00 00 00 00 00 00 e5 7c 00 00 00 00 00 00    $....... .|......
00000010  09 7e 00 00 00 00 00 00                            .~...... 


DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.


Dridex loader

OxCERT blog describes Dridex as “an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.”
According to MalwareBytes, “Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.”
IBM X-Force discovered “a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the ‘atom tables’ that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.”

GET /function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Nov 2019 20:32:12 GMT
Content-Type: application/octet-stream
Content-Length: 455830
Connection: keep-alive
Keep-Alive: timeout=60
Accept-Ranges: bytes
Content-Disposition: attachment; filename=5dc1dc4cd884c.pdf

Content-Length: 3442
Connection: Close
Cache-Control: no-cache

v..jq..........G.0vR...@ ..6tw..<.{It.y


While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.

The following trace is an external trace not updated to the last versions

POST /mult/tlb/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 468
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Oct 2019 13:38:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

.^ta.I..Z .._AJ*..=._...5-...F.L{>...`.c.....~.|.h...@.E...2.Z|U..W..M....b......X.FA....x.....\.j?/C......{pi.b....Cz......>D..yQ........G.q...4?..


FormBook is yet another Stealer malware. Like most stealer malware, it performs many operations to evade AV vendors when deploying itself on a victim’s machine. And of course as we see with UrsnifHancitor, Dridex and other trojans, there are many variants with more than one way to receive the payload.

In the past year the threat actor’s favorite method of distributing FormBook has been via malspam and the use of CVE-2017-8570, using an .RTF file format with malicious code to exploit this vulnerability.

Patter suggestion. Host name is almast always “www” driven 😉

POST /k9m/ HTTP/1.1
Connection: close
Content-Length: 3769
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate



According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites (external take)

GET /photo.png?id=0181B9BACBCF3080870000000000FF40000001 HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: openresty
Date: Wed, 16 Oct 2019 15:30:33 GMT
Content-Type: application/octet-stream
Content-Length: 605211
Connection: keep-alive
Last-Modified: Tue, 08 Oct 2019 11:43:19 GMT
ETag: "5d9c7657-93c1b"
Accept-Ranges: bytes

IHDR..............N.T....sRGB.........gAMA......a....	pHYs..........o.d.	;.IDATOLrEV.....Le.D|...Rp.{..D...g`...a@.\8,E


The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

POST /te.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------58748130728276
User-Agent: Mozilla/5.0 Gecko/20100115 Firefox/3.6
Content-Length: 1526
Cache-Control: no-cache

Content-Disposition: form-data; name="userfile"; filename="admin-MM-PC-passwords.txt"

########## User: admin ##########

------------------- Firefox passwords -----------------

[+] Password found !!!
Password: testpassword

------------------- Outlook passwords -----------------

[-] Password not found !!!
Account Name:
POP3 User:
POP3 Server:
u'Delivery Store EntryID: \x00\x00\ua138\u10bb\ue505\u1a10\ubba1\x08\u2a2b\uc256\x00\u736d\u7370\u2e74\u6c64l\x00\x00\u494e\u4154\ubff9\u01b8\uaa00\u3700\u6ed9\x00\x00C:\\Users\\admin\\Documents\\Outlook Files\\\x00'
SMTP Secure Connection: 0
SMTP Server:
Mini UID: 224868084
'Delivery Folder EntryID: \x00\x00\x00\x00\x81 \xa1\x9f\x92\x06>N\x9c\xc7t\xd9H\xba>f\x82\x80\x00\x00'
u'clsid: \u457b\u3444\u3537\u3134\u2d31\u3042\u3644\u312d\u4431\u2d32\u4338\u4233\u302d\u3130\u3430\u3242\u3641\u3736\u7d36'
Display Name: test Mail.
POP3 Password: testpassword.
u'Leave on Server: \u3139\u3537\u3730'

------------------- Google chrome passwords -----------------

[+] Password found !!!
Password: testpassword

[+] 3 passwords have been found.
For more information launch it again with the -v option

elapsed time = 2.4423969775


HTTP/1.1 200 OK
Date: Tue, 15 Sept 2019 12:08:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8


Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. Nice to spot in “41 00 00 00 99” pattern on initial packet.

00000000  41 00 00 00 99 80 3a e0 e8 5f d7 ea 8c af 76 cc   A.....:. ._....v.
00000010  c4 cc ad 5a 10 72 cc d0 5e 64 d8 50 80 fc b6 e6   ...Z.r.. ^d.P....
00000020  54 25 bf e0 ea 7f 7b e4 ff 54 70 e8 eb c0 fa 80   T%....{. .Tp.....
00000030  a0 a0 f3 a0 b0 0a 94 04 84 31 7c 3f e7 8c 90 c5   ........ .1|?....
00000040  ce c4 11 97 d9                                     .....


Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes.

Following a network trace externally found

POST /angola/mabutu.php?pi=29h&tan=cezar&z=662343339&n=0&u=20&an=9468863238 HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 1034

Microsoft Windows 7 Professional 6.1.7601*Locale:0409
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sent64.jse

System Idle Process*null
WINWORD.EXE*C:\Program Files\Microsoft Office\Office14\WINWORD.EXE


RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

POST /update?wd=b0b9d49c HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


GET /EF003AAB6425775CD949B40C HTTP/1.1
Accept: */*
Cookie: QhTbeUW+YzYYsZWz0PQvBvYIgo8=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2;)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 203 
Server: nginx
Date: Tue, 02 October 2019 17:32:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 660
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Server: ip-172-31-28-245
Set-Cookie: JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly


Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. Interesting pattern flag on “40 00 00 00”, 68 data bytes on first packet. (external source)

00000000  40 00 00 00 3e 83 58 08 ad d1 05 8d 77 20 53 1f   @...>.X. ....w S.
00000010  dc 2e e8 99 0a f3 f1 bb 3a 8c c2 a1 9d 72 4a 69   ........ :....rJi
00000020  e6 60 97 da 1e 76 87 16 91 f2 1b c4 f4 89 f9 8a   .`...v.. ........
00000030  20 5b 19 e5 7c ae ed f1 b4 5a d2 ce 5f 86 17 20    [..|... .Z.._.. 
00000040  c6 b3 03 8c   


The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as,,, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. The following net trace is an external take

Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299

..+.........O..`...4..A..wT.F...XM&2.^.Y................E.4	W`.......(.....<,.zK..>c..^...p......n.z"]....\S,[.
......qV4`..Pu*...8W.........M .h.v.S.:.


A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.The following trace is an external take.

      << 200 OK 224b
      << 200 OK 12b
      << 200 OK 937b
      << 200 OK


In 2006, Gozi v1.0 (‘Gozi CRM’ aka ‘CRM’) aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka ‘Gozi ISFB’ aka ‘ISFB’ aka Pandemyia). This version came with a webinject module.

POST /images/wsF0B4sp/ZaYjjdVgt73Q1BSOy_2Fofi/qF_2BfPTuK/5Ha_2F0xEvmbSfT_2/FluJ8ZF_2Fx8/g6xkZAZrZwN/2skHgzv92i_2BS/uPf4RDQvATKCgx0GZ5gez/ph_2BLcscLQkKDVw/HGZ6zA6DhGCqgPD/VTX09Q_2FUWIFyWps1/nfJ0I3rIZ/QNKbXjeu7xXa3W_2FZSX/bcWtE2zC4RafXFoRlqL/4EC4YHwclzkXrfX/58a3.bmp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=36775038942641984568
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Content-Length: 399

Content-Disposition: form-data; name="upload_file"; filename="78C6.bin"

\.\..V.]:.o..<]......H..)E.J=x...e%3..U.@.f......].tZ..1....g..OzC.5v.?o.NL...;..)..E.G.a~.....M#;.Cu;N/.3\$....x.....R....e..5.....-mW,..	..C................n.G.|..k0...@...?I.Iu......9k^.U6tzT9.b.3....#..V.4].La....zL.h+...aa..H.D.....Ar.......3.w.<.!.-.....|F9! 3.....7

Fighting Cybercrime: We Are Stronger Together than We Are Individually

As a cybersecurity professional, how numb have you become to vendors who try to scare you with frightening statistics in an effort to sell you a new product? It is understandable that a vendor has to present as much information in a limited amount of attention-grabbing time, so their doomsday technique makes some sense. Perhaps the vendors’ […]… Read More

The post Fighting Cybercrime: We Are Stronger Together than We Are Individually appeared first on The State of Security.

Cyber Security Roundup for January 2021

A suspected nation-state sophisticated cyber-attack of SolarWinds which led to the distribution of a tainted version the SolarWinds Orion network monitoring tool, compromising their customers, dominated the cyber headlines in mid-December 2020.  This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview

Two other cyberattacks are possibly linked to the SolarWinds hack was also reported, the cyber-theft of sophisticated hacking tools from cybersecurity firm FireEye, a nation-state actor is suspected to be responsible. And the United States National Security Agency (NSA) advised a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain 'The Hospital Group', and threatening to publish patient's 'before and after' photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK's Information Commissioner's Office about their loss of personal data.

Spotify users had their passwords reset after security researchers alerted the music streaming platform of a leaky database which held the credentials of up to 350,000 Spotify users, which could have been part of a credential stuffing campaign. Security researchers at Avast reported 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report said $1 Trillion was lost to cybercrime in 2020, and companies remained unprepared for cyberattacks in 2021.

Stay safe and secure.



    A Review of Ransomware in 2020

    As if dealing with COVID-19 were not enough, 2020 turned out to be a banner year for another troublesome strain of virus— ransomware. Malicious actors grew more sophisticated, daring and brutal. They also hit a number of high-profile targets. For those of you who didn’t keep up with all of the developments in the ransomware […]… Read More

    The post A Review of Ransomware in 2020 appeared first on The State of Security.

    Fact vs. Fiction: Film Industry’s Portrayal of Cybersecurity

    Article by Beau Peters

    The movie industry is infamous for its loose depictions of hacking and cybersecurity. Hollywood often gets a lot wrong about hacking and digital protections, but what does it get right?

    The power of film in influencing the future of technology and the experts that create it is immense. Because of this, it is important to assess what the facts are versus movie fiction.  Here, we’ll explore the film industry’s portrayal of cybersecurity.

    Cybersecurity in Movies
    From WarGames to Blackhat, hacking and cybersecurity movies have glamorized the world of digital safety and the compromising of said safety. However, each Hollywood outing does so with varying levels of realism, typically embracing excitement over reality. 
    In the 1983 WarGames movie, a young hacker almost triggers World War 3
    These portrayals have led to common tropes and views of the cybersecurity industry in their attempts to prevent and combat hacking attempts. Among these tropes are some of the following portrayals, each occurring with varying degrees of absurdity.

    1 Hacking is exciting, fast, and often ethical
    The trope of a computer-savvy individual slamming on a keyboard for a few seconds and saying “I’m in” is common enough to be a defining joke about cybersecurity in film. Hacking is shown to be a process that takes minutes with has instant results. This is often far from reality, where hacking attempts can take weeks or even months to produce results.

    And the results of actual digital break-ins are often far from ethical. Movies tend to show hacking as a victimless crime, but real-life hacking tends to mean data theft that can have severe implications on people’s lives.

    2. There is a visually distinct or compelling element of hacking 
    Hollywood has to keep an audience engaged. Because of this, hacking and cybersecurity are often paired with some visually striking element that would simply be ridiculous in reality.

    Jurassic Park has a great scene exemplifying this trope. Under attack from a velociraptor, a child logs on to a computer and proceeds to navigate through a 3D maze representing the computer system’s files. In reality, typing in a few commands would have achieved a result faster. However, this wouldn’t have been as exciting.

    3. Hacking and cybersecurity are defined by excessively fast typing
    You always know a hacker or a computer systems expert by their excessively fast keyboard smashing. In movies and TV, computer experts are always clicking away at a keyboard at speeds few of us could match, speeds that would unlikely result in very productive work due to mistakes and time needed to assess the situation.

    However, fast typing is a staple of hacking movies. The faster you type, the faster you can get in or defend a system.

    When compared to the reality of cybersecurity systems, these Hollywood portrayals often come up short. Though some movies are getting better at portraying hacking and security, they rarely capture the grittier, less exciting truth. 

    Cybersecurity in Reality
    In reality, hacking is a much more time consuming and boring process, with results that have real impacts on the lives of everyday people. Hollywood neglects some of these finer points in favour of spectacle, as can be expected. Cybersecurity comes with its own set of tedious practices as well as the glamorous aspects of navigating computer systems.

    Here are just a few ways that hacking and cybersecurity operate in the real world that movies tend to obscure or fail to depict:

    1. Hacking is about information more than profit.
    While cybercriminals can sometimes come away with a profit, doing so is incredibly difficult and not very common. Ransomware is sometimes used to extort profits from corporations, a process that occurs when a cybercriminal uses malware to hold a system hostage until a payment is made. However, break-ins usually result in little more than data theft or blockages with costly implications for businesses and individuals.

    For example, Distributed Denial of Service (DDoS) attacks are used to slow or stop the computer processes of a business. This doesn’t necessarily result in any money for the hackers, but the downtime can cost companies thousands to millions of dollars.

    2. Hackers rely heavily on phishing and social engineering.
    Breaking into a system often requires access to valid user IDs and account passwords. This means hackers tend to use phishing and social engineering methods to mine information. They use all kinds of bots and scams to try and trick average individuals into clicking a link or divulging personal information.

    However, this means that a lot of good can be done in the cybersecurity world without even needing to code. Simply teaching teams what to look for in avoiding scams and fraud can be a great way to approach cybersecurity incident management and keep private data safe.

    3. White-hat hackers are real, and they make good money.
    One thing movies get right sometimes is that hackers can be the good guys. There is a whole category of ethical hackers who often work as bounty hunters to find flaws in a company's cybersecurity systems. These so-called “white hat” hackers attempt to break in and are paid a bounty if they can reveal security deficiencies.

    Sometimes, white-hat hacking comes with a significant paycheck. The bounty platform HackerOne has paid out $40 million across 2020 alone, making seven different hackers millionaires in a single year.

    With the desperate need for individuals in the cybersecurity field, the truth around hacking is important to note. While Hollywood can make hacking seem glamorous and exciting, the truth is that many hacking processes come with dangerous implications. However, hacking can also be used to benefit the safety of information in ethical bounty situations.

    With the emergence of cloud computing as a standard for remote workspaces, security professionals are needed now more than ever. Secure public and private cloud solutions are required for a functioning application marketplace, and cybersecurity professionals play a key role in maintaining that safety.

    While cybersecurity isn’t always exciting, the results of keeping systems safe are much more rewarding than the black-hat alternatives.

    The movie industry propagates a view of the cybersecurity field that is often far from reality. However, by acknowledging the departures from the truth, we get a better idea of the need and value of cybersecurity solutions as a whole, especially in the modern world of accelerated digital innovation.

    While hacking and cybersecurity might not be anywhere near as exciting as they are in movies, working in cybersecurity—whether as a systems expert or a white-hat hacker—can mean a big paycheck and a safer world for the people you know and love. And that reality is better than any movie.

    Outing of FSB hit squad highlights Russia’s data security problem

    Analysis: trade in stolen data is a boon for investigators and a headache for Kremlin

    In early 2019, the journalist Andrei Zakharov managed to buy his own phone and banking records in a groundbreaking investigation into Russia’s thriving markets in stolen personal data, in which law enforcement and telecoms employees can be contracted anonymously to dip into their systems and pull out sensitive details on anyone.

    A year and a half later, investigators from Bellingcat and the Insider used some of the same tools and clever analysis to out a secret FSB team that had been tasked with killing Alexei Navalny using a novichok nerve agent.

    Related: Russian FSB hit squad poisoned Alexei Navalny, report says

    Related: 'We got really lucky': how novichok suspects' identities were revealed

    Continue reading...

    Christmas Shopping 2020

    How To Stay Safe While Shopping Online This Holiday Season

    I’m pleased to report that I’ve achieved a number of personal bests in 2020 but the one I’m most proud about is my achievement in the highly skilled arena of online shopping. I’ve shopped online like I’m competing in the Olympics: groceries, homewares, clothing – even car parts! And my story is not unique. Living with a pandemic has certainly meant we’ve had to adapt – but when it came to ramping up my online shopping so we could stay home and stay safe – I was super happy to adapt!

    And research from McAfee shows that I am not alone. In fact, over 40% of Aussies are buying more online since the onset of COVID-19 according to the 2020 Holiday Season: State of Today’s Digital e-Shopper survey. But this where it gets really interesting as the survey also shows that nearly 1/3 of us (29%) are shopping online 3-5 days a week, and over one in ten consumers (11%) are even shopping online daily!! But with many online retailers offering such snappy delivery, it has just made perfect sense to stay safe and stay home!

    Santa Isn’t Far Away…

    With just over a month till Santa visits, it will come as no surprise that many of us are starting to prepare for the Holiday season by purchasing gifts already. Online shopping events such as Click Frenzy or the Black Friday/Cyber Monday events are often very compelling times to buy. But some Aussies have decided they want to get in early to secure gifts for their loved ones in response to warnings from some retailers warning that some items may sell out before Christmas due to COVID-19 related supply chain issues. In fact, McAfee’s research shows that 48% of Aussies will be hitting the digital links to give gifts and cheer this year, despite 49% feeling cyber scams become more prevalent during the holiday season.

    But What About The Risks?

    McAfee’s research shows very clearly that the bulk of us Aussies are absolutely aware of the risks and scams associated with online shopping but that we still plan to do more shopping online anyway. And with many of us still concerned about our health and staying well, it makes complete sense. However, if there was ever a time to take proactive steps to ensure you are minimizing risks online – it is now!

    What Risks Have McAfee Found?

    McAfee’s specialist online threat team (the Advanced Threat Research team) recently found evidence that online cybercrime is on increase this year, with McAfee Labs observing 419 threats per minute between April to June 2020 – an increase of almost 12% over the previous quarter.

    And with many consumers gearing up to spend up big online in preparation for the Holiday season, many experts are worried that consumers are NOT taking these threats as seriously as they should. McAfee’s research showed that between April to June 2020, 41% of 18-24 year olds have fallen victim to an online scam and over 50% of the same age group are aware of the risks but have made no change to their online habits.

    My Top Tips To Stay Safe While Shopping Online

    At the risk of sounding dramatic, I want you to channel your James Bond when you shop online this holiday period. Do your homework, think with your head and NOT your heart and always have your wits about you. Here are my top tips that I urge you to follow to ensure you don’t have any unnecessary drama this Christmas:

    1. Think Before You Click

    Click on random, unsafe links is the best way of falling victim to a phishing scam. Who wants their credit card details stolen? – no one! And Christmas is THE worst time for this to happen! If something looks too good to be true – it probably is. If you aren’t sure – check directly at the source – manually enter the online store address yourself to avoid those potentially nasty links!

    1. Turn On Multi-Factor Authentication Now

    This is a no-brainer – where possible, turn this on as it adds another lay of protection to your personal data and accounts. Yes, it will add another 10 seconds to the log-in process but it’s absolutely worth it.

    1. Invest in a VPN

    If you have a VPN (or Virtual Private Network) on your laptop, you can use Wi-Fi without any concern – perfect for online purchases on the go! A VPN creates an encrypted tunnel between your device and the router which means anything you share is protected and safe! Check out McAfee’s Safe Connect which includes bank-grade encryption and private browsing services.

    1. Protect Yourself – and Your Device!

    Ensuring all your devices are kitted out with comprehensive security software which will protect against viruses, phishing attacks and malicious website is key. Think of it as having a guardian cyber angel on your shoulder. McAfee’s Total Protection software does all that plus it has a password manager, a shredder and encrypted storage – and the Family Pack includes the amazing Safe Family app – which is lifechanging if you have tweens and teens!

    So, yes – please make your list and check it twice BUT before you dive in and start spending please take a moment to ask yourself whether you are doing all you can to minimise the risks when online shopping this year. And don’t forget to remind your kids too – they may very well have their eye on a large gift for you too!

    Happy Christmas Everyone

    Alex xx



    The post Christmas Shopping 2020 appeared first on McAfee Blogs.

    Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

    Most Dangerous Celebrity

    Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List

    During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyber threats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

    To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information. Owing to his international popularity and fan following that well resonates in India, Cristiano Ronaldo takes the top spot on the India edition of McAfee’s 2020 Most Dangerous Celebrities list.

    The Top Ten Most Dangerous Celebrities

    Ronaldo is popular not only for his football skills, but also for his lifestyle, brand endorsements, yearly earnings, and large social media following, with fans devotedly tracking his every movement. This year, Ronaldo’s transfer to Juventus from Real Madrid for a reported £105M created quite a buzz, grabbing attention from football enthusiasts worldwide. Within the Top 10 list, Ronaldo is closely followed by veteran actress Tabu (No. 2) and leading Bollywood actresses, Taapsee Pannu, (No. 3) Anushka Sharma at (No. 4) and Sonakshi Sinha (No. 5). Also making the top ten is Indian singer Armaan Malik (No. 6), and young and bubbly actor Sara Ali Khan (No. 7). Rounding out the rest of the top ten are Indian actress Kangana Ranaut (No. 8), followed by popular TV soap actress Divyanka Tripathi (No. 9) and lastly, the King of Bollywood, Shah Rukh Khan (No. 10).


    Most Dangerous Celebrity

    Lights, Camera, Security

    Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

    With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows, sports, and movies to watch. For example, Ronaldo is strongly associated with malicious search terms, as fans are constantly seeking news on his personal life, as well as searching for news on his latest deals with football clubs. In addition, users may be streaming live football matches through illegal streaming platforms to avoid subscription fees. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity related news, their device could suddenly become plagued with adware or malware.

    Secure Yourself From Malicious Search Results

    Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

    Be careful what you click

    Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

    Refrain from using illegal streaming sites

    When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

    Protect your online safety with a cybersecurity solution

     Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

    Use a website reputation tool

    Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

    Use parental control software

    Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

     Stay Updated

    To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


    The post Cristiano Ronaldo tops McAfee India’s Most Dangerous Celebrity 2020 List appeared first on McAfee Blogs.

    How Searching For Your Favourite Celebrity May Not End Well

    Most Dangerous Celebrity

    How Searching For Your Favourite Celebrity May Not End Well

    2020 has certainly been the year for online entertainment. With many Aussies staying home to stay well, the internet and all its offerings have provided the perfect way for us all to pass time. From free movies and TV shows to the latest celebrity news, many of us have devoured digital content to entertain ourselves. But our love affair with online entertainment certainly hasn’t gone unnoticed by cybercriminals who have ‘pivoted’ in response and cleverly adapted their scams to adjust to our insatiable desire for content.

    Searching For Our Favourite Celebrities Can Be A Risky Business

    Cybercriminals are fully aware that we love searching for online entertainment and celebrity news and so devise their plans accordingly. Many create fake websites that promise users free content from a celebrity of the moment to lure unsuspecting Aussies in. But these malicious websites are purpose-built to trick consumers into sharing their personal information in exchange for the promised free content – and this is where many come unstuck!

    Who Are The Most Dangerous Celebrities of 2020?

    McAfee, the world’s leading cybersecurity company, has researched which famous names generate the riskiest search results that could potentially trigger consumers to unknowingly install malware on their devices or unwillingly share their private information with cybercriminals.

    And in 2020, English singer-songwriter Adele takes out the top honours as her name generates the most harmful links online. Adele is best known for smashing the music charts since 2008 with hit songs including ‘Rolling in the Deep’ and ‘Someone Like You’. In addition to her award-winning music, Adele is also loved for her funny and relatable personality, as seen on her talk show appearances (such as her viral ‘Carpool Karaoke’ segment) and concert footage. Most recently, her weight-loss and fitness journey have received mass media attention, with many trying to get to the bottom of her ‘weight-loss’ secrets.

    Trailing Adele as the second most dangerous celebrity is actress and star of the 2020 hit show Stan ‘Love Life’ Anna Kendrick, followed by rapper Drake (no. 3), model and actress Cara Delevingne (no. 4), US TikTok star Charli D’Amelio (no. 5) and singer-songwriter Alicia Keys (no. 6). Rounding out the top ten are ‘Sk8r Boi’ singer Avril Lavigne (No. 7), New Zealand rising music star, Benee (no. 8), songstress Camila Cabello (no. 9), and global superstar, singer and actress Beyonce (no. 10).

    Most Dangerous Celebrity

    Aussies Love Celebrity Gossip

    Whether it was boredom or the fact that we just love a stickybeak, our love of celebrity news reached new heights this year with our many of us ‘needing’ to stay up to date with the latest gossip from our favourite public figures. Adele’s weight-loss journey (no.1), Drake’s first photos of ‘secret son’ Adonis (no. 4), and Cara Delevingne’s breakup with US actress Ashley Benson (no. 5), all had us Aussie fans flocking to the internet to search for the latest developments on these celebrity stories.

    We’ve Loved New Releases in 2020

    With many of us burning through catalogues of available movies and TV shows amid advice to stay at home, new release titles have definitely been the hottest ticket in town to stay entertained.

    Rising to fame following her roles in ‘Twilight’ and musical comedy ‘Pitch Perfect’, Anna Kendrick (no. 2) starred in HBO Max series ‘Love Life’ which was released during the peak of COVID-19 in Australia, as well as the 2020 children’s film ‘Trolls World Tour’. R&B and pop megastar Beyonce (no. 10) starred in the 2019 remake of Disney cult classic ‘The Lion King’ and released a visual album ‘Black Is King’ in 2020.

    Music Has Soothed Our Souls This Year 

    While live concerts and festivals came to a halt earlier this year, many of us are still seeking music – both old and new – to help us navigate these unprecedented times. In fact, musicians make up 50% of the top 10 most dangerous celebrities – hailing from all genres, backgrounds and generations.

    Canadian rapper Drake (No. 2) sparked fan interest by dropping his ‘Dark Lanes Demo Tapes’ album including hit songs ‘Chicago Freestyle’ and ‘Tootsie Slide’ that went massively viral on TikTok. New Zealand singer Benee also came out of the woodwork with viral sensations Supalonely and Glitter topping charts and reaching global popularity on TikTok.

    Known for her enormously successful R&B/Soul music in the early 2000s, Alicia Keys (no. 6) released a string of new singles in 2020. Camila Cabello’s ‘Senorita’ duet with Canadian singer and now boyfriend Shawn Mendes, was Spotify’s most streamed song of 2019. The couple continued to attract copious attention as fans followed stories reporting on the lovebirds self-isolating together in Miami earlier this year.

    How to Avoid Getting Caught In An Online Celebrity Scam

    Please don’t feel that getting caught by an ill-intentioned cybercrime is inevitable. If you follow these few simple tips, you can absolutely continue your love of online entertainment and all things celebrity:

    1. Be Careful What You Click

    If you are looking for new release music, movies or TV shows or even an update on your favourite celebrity then ALWAYS be cautious and only click on links to reliable sources. Avoid ‘dodgy’ looking websites that promise free content – I guarantee these sites will gift you a big dose of malware. The safest thing is to wait for official releases, use only legitimate streaming sites and visit reputable news sites.

    1. Say NO to Illegal Streaming and Downloading Suspicious Files

    Yes, illegal downloads are free but they are usually riddled with malware or adware disguised as mp3 files. Be safe and use only legitimate music streaming platforms – even if it costs a few bucks! Imagine how devastating it would be to lose access to everything on your computer thanks to a nasty piece of malware?

    1. Protect Your Online Safety With A CyberSecurity Solution

    One of the best ways of safeguarding yourself (and your family) from cybercriminals is by investing in an  comprehensive cybersecurity solution like McAfee’s Total Protection. This Rolls Royce cybersecurity package will protect you from malware, spyware, ransomware and phishing attacks. An absolute no brainer!

    1. Get Parental Controls Working For You

    Kids love celebrities too! Parental control software allows you to introduce limits to your kids’ viewing which will help minimise their exposure to potentially malicious or inappropriate websites when they are searching for the latest new on TikTok star Charlie D’Amelio or go to download the latest Benee track.

    I don’t know how my family of 6 would have survived this year without online entertainment. We’ve devoured the content from three different streaming services, listened to a record number of hours on Spotify and filled our heads with news courtesy of online news sites. And while things are looking up, it will be a while before life returns to normal. So, please take a little time to educate your family on the importance of ‘thinking before you click’ and the perils of illegal downloading. Let’s not make 2020 any more complicated!!

    Stay safe everyone!


    Alex x

    The post How Searching For Your Favourite Celebrity May Not End Well appeared first on McAfee Blogs.

    Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

    Most Dangerous Celebrity

    Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020

    During COVID-19, people stuck inside have scoured the internet for content to consume – often searching for free entertainment (movies, TV shows, and music) to avoid any extra costs. As these habits increase, so do the potential cyberthreats associated with free internet content – making our fourteenth Most Dangerous Celebrities study more relevant than ever.

    To conduct our Most Dangerous Celebrities 2020 study, McAfee researched famous individuals to reveal which celebrities generate the most “dangerous” results – meaning those whose search results bring potentially malicious content to expose fans’ personal information.

    Thanks to her recent starring roles, American actress Anna Kendrick has found herself at the top of McAfee’s 2020 Most Dangerous Celebrities list.

    The Top Ten Most Dangerous Celebrities

    You probably know Anna Kendrick from her popular roles in films like “Twilight,” Pitch Perfect,” and “A Simple Favor.” She also recently starred in the HBO Max series “Love Life,” as well as the 2020 children’s film “Trolls World Tour.” Kendrick is joined in the top ten list by fellow actresses Blake Lively (No. 3), Julia Roberts (No. 8), and Jason Derulo (No. 10). Also included in the top ten list are American singers Mariah Carey (No. 4), Justin Timberlake (No. 5), and Taylor Swift (No. 6). Rounding out the rest of the top ten are American rapper Sean (Diddy) Combs (No. 2), Kate McKinnon (No. 9), and late-night talk show host Jimmy Kimmel (No. 7).

    Most Dangerous Celebrity

    Lights, Camera, Security

    Many consumers don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice fans to click on dangerous links. This year’s study emphasizes that consumers are increasingly searching for content, especially as they look for new forms of entertainment to stream amidst a global pandemic.

    With a greater emphasis on streaming culture, consumers could potentially be led astray to malicious websites while looking for new shows and movies to watch. However, people must understand that torrent or pirated downloads can lead to an abundance of cyberthreats. If an unsuspecting user clicks on a malicious link while searching for their favorite celebrity film, their device could suddenly become plagued with adware or malware.

    Secure Yourself From Malicious Search Results

    Whether you and your family are checking out your new favorite actress in her latest film or streaming a popular singer’s new album, it’s important to ensure that your searches aren’t potentially putting your online security at risk. Follow these tips so you can be a proactive fan while safeguarding your digital life:

    Be careful what you click

     Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.

    Refrain from using illegal streaming sites

    When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.

    Protect your online safety with a cybersecurity solution

     Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.

    Use a website reputation tool

     Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.

     Use parental control software

     Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

    Stay Updated

    To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



    The post Anna Kendrick Is McAfee’s Most Dangerous Celebrity 2020 appeared first on McAfee Blogs.


    Here’s How to Be Yourself and NOT let a Scammer Be You!

    If you hadn’t truly embraced the incredible benefits of managing your life online, then I bet 2020 has changed things for you. With social distancing still a big consideration in day to day life, more Aussies than ever are managing their lives online so they can stay home and stay well. But, unfortunately, there is a downside – online scams. The expanded online playground of 2020 means cybercrims are upping the ante and investing even more energy doing what they do so well – scamming everyday Aussies out of their hard-earned cash.

    This week is Scams Awareness Week in Australia – a good opportunity to be reminded of how our growing use of technology can give scammers more opportunities to trick us into giving away our valuable personal information. In 2019, a whopping $630 million dollars was lost by Australians in scams.

    Scammers are Pivoting Too!

    We’ve all heard it. 2020 is about pivoting – being flexible and seeking out new opportunities. Well, clearly, we aren’t the only ones heeding the advice with scammers changing things up to capitalise on the chaotic nature of 2020. In fact Scamwatch has seen a 55 per cent increase in reports involving loss of personal information this year compared with the same period in 2019, totalling more than 24, 000 reports and over $22 million in losses.

    Many experts are warning that scammers are renowned for ‘following the money’ so are currently expending a lot of energy targeting Aussies’ superannuation and government relief payments. Using email, text or phone, a scammer will often pretend to be from a Government agency eg MyGov or the Health Department and will insist that they require personal information in order to help the ‘victim’ access government payments, or access their super fund.

    They are after driver’s license details, Medicare numbers – whatever they can get their hands on that will give them 100 points of identification which is enough for them to assume the identity of the victim and effectively do anything in their name. They could apply for a credit card, access superannuation accounts, or even tap into a victim’s government payments!

    What Can We Do to Protect Ourselves?

    There are steps we can all take to minimise the risk of getting caught up in a scam and, to be honest, most of them are remarkably simple. Here are my top tips:

    1. Think Critically

    If there was ever a time to tap into your inner Sherlock Holmes, it’s now! If you receive a call, text, or email from someone out of the blue who claims to be from a government agency then tread VERY carefully! Do not feel pressured to share any information with anyone who has contacted you – regardless of what they say. Take a moment and ask yourself why they would be contacting you. If they are calling you – and you still aren’t sure – ask for their number so you can call them back later.

    Remember – reputable organisations will rarely – if ever – call you and ask for personal information. And if you still aren’t sure – ask a family member of trusted friend for their advice. But remain sceptical at all times!

    1. Passwords, Passwords, Passwords

    Yes, I know I sound like a broken record – but having an easily guessable password that you use on all your devices and accounts is no different to playing Russian Roulette – you won’t come out on top! Unfortunately, data breaches are a reality of our digital life. If a scammer gets their hands on your email and password combo through a data breach – and you have used that same combo on all your accounts – then you are effectively giving them access to your online life.

    So, you need a separate complex password for each of your online accounts. It needs to be at least 8 characters and a combination of numbers, letter (lower and uppercase) and symbols. I love using a nonsensical sentence but a password manager that does all the thinking – and remembering – is the absolute best way of managing your passwords. Check out McAfee Total Protection, which includes a Password Manager.

    1. Keep Your Personal Information Tight

    The best way to keep your personal information safe is by keeping it to yourself! Limit the amount of personal information you share – particularly on social media. Oversharing online makes it even easier for a scammer to steal your identity. And please avoid linking up your credit or debit cards to your online accounts unless absolutely necessary. Yes, it’s so convenient and a great way of making spontaneous purchases but it is a very risky business.

    2020 has certainly been a tough year for us all. Many of us are struggling – financially and psychologically as we come to grips with our changing world. So, please – take a little time to tighten up your online life and remember if something seems too good to be true then it probably is!

    Stay safe everyone!

    Alex x


    The post ScamsWeek2020 appeared first on McAfee Blogs.

    How to ‘Online Date’ Safely in 2020

    If you are a young person looking for your ‘special someone’ then 2020 would have seriously cramped your style. Whether you’ve been in lockdown, working from home or simply staying home to stay well, your social life would have taken a hit. So, it comes as no surprise that dating sites have become the playground for young people – in fact all aged people – who are ‘looking for love’.

    The New Normal

    Our ‘in-person’ social lives look a whole lot different to 2019. Over the last six months, we’ve all been living with a barrage of new restrictions which has meant a lot of time at home. Earlier in 2020, many cities effectively closed-up while others – such as Melbourne – recently imposed a strict lockdown to curb the spread of the virus. In NSW, cafes, pubs, and restaurants reopened but with tight restrictions on the number of people allowed inside. My older boys spent a few Saturday nights lining up to get into the local pub but ended up returning home to the couch.

    And of course, it goes without saying that protecting our people should be the biggest priority, but it has taken a toll on our ability to socialise and connect with others.

    Most Aussies Now Meet Their Partners Online

    One of my oldest friends found the love of her life online. 15 years later and all is going swimmingly! She was an Aussie and he was an Englishman – but it didn’t matter – love prevailed! There is no humanly possible way, these two would have connected if it wasn’t for the wonders of technology.

    A recent survey of over 54,000 Australians by the ABC – the Australia Talks National Survey showed that more people meet their partner online than anywhere else and in fact – it has been that way since 2010! And of the Aussies who met their partners in 2019 – 1/3 made the connection online. So, even before 2020 – people were looking online to find a match.

    But add in a global pandemic and you don’t have to be a rocket scientist to predict that these statistics will only increase!

    Proceed with Caution

    With so many people, understandably, feeling isolated and lonely, online dating is a wonderful way to make connections – both romantic and platonic. But you do need to have your wits about you to stay safe.

    Scammers will often prey on our need to feel connected to each other and expend a lot of energy developing relationships for all the wrong reasons. So, if you have a teen or young adult in your house who is directing their energies into online dating sites, then please check in with them to ensure they are being safe.

    Here are my top tips on staying safe while you look for love online:

    1. Don’t Get Too Personal – While it might feel harmless sharing your name, location and occupation to your new online friends, it doesn’t take much for a scammer to piece together your details to access your personal info, bank accounts or even steal your identity. Never use your full name on dating sites and only share what is absolutely necessary!
    2. Do Your Homework – Before you meet someone in person after meeting them online, always do your homework. A Google search is a great place to start and even using Google Images will help you get a better understanding of a person. Don’t forget to check out their LinkedIn account too. And why not investigate whether you might have mutual friends? If so, ask them for their ‘2 cents worth’ too.
    3. Think Before You Send – Sharing sexy pics or videos with the person you are dating online might seem like a good idea in the moment but please consider how this could affect you in the future. Once those pictures and videos are online, they are online forever. Even social media apps that say pictures go away after a few seconds can be easily circumvented with a screenshot.  It’s not just celebrities who have intimate pictures spread around the Internet!
    4. Make passwords a priority – Ensure all your online dating and social media accounts, and all your devices, have separate and unique passwords. Ideally, each password should have a combination of lower- and upper-case letters, numbers, and special characters. I love using a nonsensical, crazy sentence!


    One of the greatest lessons of 2020 for me is our need for human connection.

    My biggest takeout from 2020? Humans need other humans to not only survive but thrive. So, if you’re looking for your life partner – or even companionship – the online world may be the perfect way for the moment. But, please – exercise caution and be safe – because as I say to my boys all the time – trust your gut, because it’s usually right!

    Stay safe

    Alex x


    The post How to ‘Online Date’ Safely in 2020 appeared first on McAfee Blogs.

    Ransomware attack on Garmin thought to be the work of ‘Evil Corp’

    Russian cybercrime gang is believed to be responsible for taking Garmin services offline

    A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.

    Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.

    Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

    Related: Garmin down: how to still get your activities on to Strava

    Continue reading...

    Smartwatch maker Garmin hit by outages after ransomware attack

    US company forced to shut down call centres, website and some other online services

    Garmin has been forced to shut down its call centres, website and some other online services after a ransomware attack encrypted the smartwatch maker’s internal network and some production systems.

    The US company shut down services including the official Garmin website and all customer services, including phone lines, online chat and email.

    Related: The five: ransomware attacks

    Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

    Continue reading...

    Cyber Threats Trends 6 Months Of Findings

    After six months from Cyber Threats Trends launch it’s time to check its main findings. When I decided to develop my own Cyber Threats Observatory I was not sure about its effectiveness and I was even more skeptical about the real usage from international cybersecurity communities. Fortunately many students, researchers and professionals used such a data to write thesis, papers and researches. Many of them cited my work (by adding a link in footnotes or in the reference section), other just dropped a “thank you email”. This was enough for me to decide to mantain Cyber Threats Trends for additional six months. Performing data collection, data analysis and data classification requires a quite expensive back-end, so it needs to be useful for somebody otherwise it would make no sense to maintain such a dedicated infrastructure.

    But now let’s take a looks to what it was able to find during the past six months.

    Malware Families

    The most seen Malware families from January 2020 to June 2020 (6 months of activity) are the following ones:
    GrandCrab ~3%
    Upatre ~1,9% (!!)
    Emotet ~1,8%
    TrickBot ~1,25%
    It looks like be inline with many available statistics and reports from the 2020 with the only exception on Upatre, which looks like super out of topic in 2020, but I have mostly discussed it here, so today I am quite confident it’s not a wrong classification. Many other families have been seen according to the following graph, but they will not be discussed in the current post.

    Malware Families

    Looking at the distribution of the top malware families we might focus on figure-out if some temporal pattern would emerge. The following image shows the GrandCarb family distribution over time. It is interesting to see that GrandCrab was mostly active during the last two weeks of March reaching its top detection rate on 2020-03-31 within a delicious frequency rate about 138 unique “findings” in that single day. Contrary it looks like to be less used during the months of May and June 2020.

    GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

    From Malpedia

    Looking at pattern-wise we might agree there is a kind of frequency inside of it. If you group the date by weeks you might find that GrandCrab is mostly used twice per month. If you consider a “top” (the biggest local maximum detection rate) as the campaign launching day and the following local maximum tops in detection rate (in other words the shorter “tops” or the local maximums) as physiological campaign adjustments, it looks like attackers would take two weeks to harvest profit from previous launched campaign and to prepare new artifacts for the following one.

    GrandCrab Ditribution over time

    The following graph shows the Upatre family distribution over the past six months.

    First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

    From Paloalto Unit42

    This is a very interesting graph because Upatre was not longer used since years (I bet since 2016). However it looks like attackers recovered it and re-started to use it from April 2020. Grouping by date you would appreciate a 3 days rhythm meaning that from one “attack wave” to another one it would take an average of 3 days. I will perform additional check on that, but static rules are perfectly matching what we are seeing int the upatre graph.

    Upatre Distribution over time

    Moving one TrickBot, the following image shows its distribution over time. TrickBot was mostly active during the first months of 2020 in a constant and linear way, while from March to April 2020 it experienced a quite significant speedup. Due to covid thematic campaigns Cyber Threats Trends recorded more TrickBot as never before in such time frame.

    A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

    From Malpedia
    TrickBot Distribution over time

    The following image shows the Emotet Distribution over time. As plausible the Emotet’s distribution follows the TrickBot one. Even if it is not clear the relationship between TrickBot folks and Emotet folks, we are quite accustomed to see these frameworks closely delivered in common campaigns, like for example few months ago when we experienced a lot of Ryuk (ransomware) distribution using Emotet + TrickBot.

    While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

    From Malpedia
    Emotet Distribution

    Some indicators, such as the detection rate in January and the detection rate in June show to us that Emotet is used on these specific months even without TrickBot and it might suggest a different attack delivery procedure highlighting a different threat actor. In other words, comparing TrickBot and Emomet we observe that there are mainly two groups: a group which delivers TrickBot and Emotet together (such as the Ryuk ransom group) and a group which uses Emotet without TrickBot.

    Carrier Distribution

    Excluding the file type exe, which is the most analyzed file extension in the dropper panorama, we continue to observe many office files as the main Malware carrier. For example Microsoft Word Document within MACRO files are the most observed Malware carrier followed by PDF documents and CDF contents. While PowerShell files are still one of the most emerging threats we have not observed vast amount of Malware delivery on such carrier so far, but we see a revamping in the ancient Microsoft Excel Macro 4.0 as obfuscation technique.

    Frequency no EXE

    Still quite interesting how that statistics change over time. Indeed PDF and OLE objects are still the most used during the analyzed period of time. Even CDF document are quite common while simple scripts such as “VBscript” of Javascript are slowly decelerate their presence in international statistics.


    Developing Cyber Threats Trends has been a great journey ! I had many sleepless nights and additional costs due to a quite big backend network (especially “database speaking”) but I had the opportunity to collect super interesting data and to increase knowledge on malware statistics and on developing distributed systems. Moreover it turned out being a quite useful data collection and trend analysis tool for quite few people out there ! I would definitely keep it on collecting more data !

    EasyJet reveals cyber-attack exposed 9m customers’ details

    Airline apologises after credit card details of about 2,200 passengers were stolen
    Q&A: are you affected and what should you do?

    EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

    The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.

    Continue reading...

    Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

    Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

    While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

    Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

    Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

    The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

    In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which  expand the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.

    Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

    Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

    • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
    • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
    • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

    Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

    An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

    In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.

    Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

    Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.

    Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

    As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

    The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting production.

    Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

    As recently as February 2020, the Cybersecurity Infrastructure and Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shut down of operations that lasted two days.

    Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

    Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

    For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

    • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
    • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
    • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
    • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
    • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
    • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
    • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
    • Note, that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructures. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.