Category Archives: Malware

New Variant of KeyPass Ransomware Discovered

Samples of the malware have been found in an array of countries, including Brazil and Vietnam.

DEF CON 2018: ‘Man in the Disk’ Attack Surface Affects All Android Phones

Sloppy Android developers not following security guidelines for external storage opens the door to device takeover and more.

IBM Describes AI-powered Malware That Can Hide Inside Benign Applications

IBM Researchers Describe "DeepLocker" as a Stealthy, Evasive, Targeted Attack Methodology in a Class of Its Own

Black Hat Video Exclusive: Mobile APTs Redefining Phishing Attacks

Mike Murray, vice president of security intelligence at Lookout, discusses how mobile is redefining phishing, taking it out of the traditional inbox and into SMS and Facebook messages.

Banking Trojans Trickbot and IceID Partner for Distribution and Development

Trickbot has formed a partnership with another banking Trojan, IcedID, to help distribute each other’s malware more widely — and possibly co-develop new capabilities.

A July 2018 Fortinet investigation into recent attacks using Trickbot showed that it was not only infecting victims’ networks to steal information, but also sending commands via its command and control (C&C) server to download the latest versions of IcedID. IcedID, a banking Trojan that spreads spam via email, was first discovered by IBM X-Force researchers late last year.

Trickbot, meanwhile, has been downloaded by IcedID in other campaigns.

When Two Trojans Are Worse Than One

Cybercriminals were once relatively territorial in how they worked. For instance, one of the first steps a banking Trojan might take upon penetrating an organization’s defenses would be to kill or remove competitive malware. The collaboration between Trickbot and IcedID suggests greater cooperation among groups of hackers who are subjecting victims to several exploits at once.

The researchers also noted that the two bots are now working similarly in some ways. IcedID, for instance, has added file name obfuscations and file content encryption — just like Trickbot. If banking Trojans are serving as a distribution channel for each other, it’s possible they are also giving each other ideas on how to become even more potent as they develop their next variant.

How “Least Privilege” Can Offer Greater Security

Trickbot and IcedID are not alone, and it may be difficult for even the most robust defenses to keep out every banking Trojan. Instead, IBM Security experts suggest expanding the way security teams think about the principle of least privilege.

By making sure employees can only make use of the applications and other resources they need on a daily basis — not just by role but by specific activities — it can make it more difficult for the likes of Trickbot and IcedID to get access to more credentials if they manage to break in.

Segmenting the network into areas where certain data or resources are under more strict control, meanwhile, could mean cybercriminals would have to work even harder to penetrate further and do damage. It might even be easier to spot them when they try to do so.

Source: Fortinet

The post Banking Trojans Trickbot and IceID Partner for Distribution and Development appeared first on Security Intelligence.

Malicious Email Payloads Increased in Volume and Diversity in Q2 2018

A quarterly threat report revealed malicious email payloads increased in both volume and frequency between the first and second quarters of 2018.

Researchers from Proofpoint detected a 36 percent increase in malicious messages between the first and second quarters of this year, according to the August 2018 report. While this fell short of the peak volumes the enterprise security firm observed in 2016 and 2017, the report noted that this past quarter stood out for the variety of threats the researchers discovered in phishing campaigns.

Ransomware, for example, accounted for 11 percent of malicious email payloads, according to the report. While ransomware was not the dominant payload in the second quarter, bad actors are using it as part of their everyday toolkits, and attacks appear to be consolidating around major strains like GandCrab and Sigma.

Malicious Emails Carry Multiple Payloads in Q2

This trend suggests that attackers are becoming increasingly creative with their malicious payloads. In some cases, they’re sending out malware that can behave like multiple digital threats. Researchers at ThreatFabric observed this cross-functionality in June 2018 with MysteryBot, an Android banking Trojan capable of delivering a keylogger and ransomware.

Some threat actors are also launching attack domains containing multiple payloads. For example, Fortinet observed a single mass spam campaign pushing three separate samples of GandCrab version 2.1 earlier in 2018.

As a result, businesses of all sizes face a challenge to protect themselves against a wide variety of digital threats as opposed to just a few payload categories, which can consume significant time and resources.

How Can Organizations Improve Email Security?

Security experts recommend employing a layered approach to email security, which should include spam control, email scanning, security information and event management (SIEM), and other antispam controls. Security professionals should also consider using a threat intelligence platform that integrates with their email inbox to quickly share and collect threat data.

Sources: Proofpoint, ThreatFabric, Fortinet

The post Malicious Email Payloads Increased in Volume and Diversity in Q2 2018 appeared first on Security Intelligence.

New Variant of Dharma Ransomware Discovered

Once again, the infamous Dharma ransomware appears all set to begin a massive infection campaign. It comes back as a

New Variant of Dharma Ransomware Discovered on Latest Hacking News.

Security Affairs: Group-IB: The Shadow Market Is Flooded with Cheap Mining Software

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.

Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.

Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.

The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.

One cryptocoin after another: what are the dangers of mining?

Any device (computer, smartphone, IoT, server, etc.) may be used for cryptojacking: that’s why it is not enough to install detection systems only at the workstation level. New types of mining software appear regularly that bypass security systems based on signature alone. A symmetric response to this threat is the analysis of various mining manifestations at the network level. With this end in view, it is necessary to use, among other things, behavioral analysis technologies to detect previously unknown programs and tools.

Group-IB experts warn that mining results not just in direct financial losses due to increased expenditures for electricity. It threatens the stability and continuity of business processes by decelerating corporate systems and increasing depreciation of hardware. Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs working without the knowledge of business owners is fraught with reputational losses, as well as compliance and regulatory risks.

What should we do?

Integrated countermeasures against cryptojacking require the detection of all forms of malicious codes distributed or working in the network, based on a regularly updated database of threats to systems (Threat Intelligence class). Suspicious activity should always be analyzed in a secure isolated environment to ensure the absolute confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect yourself within your own network, but to detect cryptomining tools running java scripts on hacked resources seeking to infect as many victims as possible. There is one more type of fraud that has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.

About the Author: Group-IB Corporate Communications

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Securi ty Affairs – cryptojacking, DarkWeb)

The post Group-IB: The Shadow Market Is Flooded with Cheap Mining Software appeared first on Security Affairs.

Security Affairs

Group-IB: The Shadow Market Is Flooded with Cheap Mining Software

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.

One cryptocoin after another: what are the dangers of mining?

What should we do?

About the Author: Group-IB Corporate Communications

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Securi ty Affairs – cryptojacking, DarkWeb)

The post Group-IB: The Shadow Market Is Flooded with Cheap Mining Software appeared first on Security Affairs.

PGA Golf Championship hit with Bitcoin ransomware

By Waqas

Hackers Demand Ransom to Unlock Hijacked Files of Upcoming PGA Golf Championship. Hackers seem to have a penchant for targeting high-profile events. After successfully attempting to make American presidential elections questionable, now cybercriminals have their eyes set on key PGA tournaments. Reportedly, to jeopardize this week’s PGA Championship, which is due to be held at […]

This is a post from HackRead.com Read the original post: PGA Golf Championship hit with Bitcoin ransomware

The analysis of the code reuse revealed many links between North Korea malware

Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123.

The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code and command and control infrastructure for their malware.

Security researchers when analyzing a hacking campaign attempt to attribute it to a specific threat actor also evaluating the code reuse.

“The following graph presents a high-level overview of these relations. Each node represents a malware family or a hacking tool (“Brambul,” “Fallchill,” etc.) and each line presents a code similarity between two families. A thicker line correlates to a stronger similarity. In defining similarities, we take into account only unique code connections, and disregard common code or libraries. This definition holds both for this graph and our entire research.” reads the analysis published by the experts.

“We can easily see a significant amount of code similarities between almost every one of the attacks associated with North Korea. Our research included thousands of samples, mostly unclassified or uncategorized.”

According to the experts, North Korea-linked groups operated with two main goals, raise money and pursue nationalist aims.

Each state-sponsored hacker was involved in cyber operations with one of the above goals depending on his cyber capabilities.

Financially motivated operations consisting in hacking into financial institutions, hijack gambling sessions or sell pirated and cracked software were conducted by the Unit 180. Operations with nationalist aims are mostly executed by the Unit 121.

The joint research conducted by the experts was focused on the larger-scale nationalism-motivated campaigns, most of which presented a significant code reuse.

The experts analyzed thousands of malware samples, many still unclassified or uncategorized, and discovered many similarities in the source code used in attacks associated with North Korea.

For example, the “Common SMB module” that was part of the WannaCry Ransomware (2017) was similar to the code used the malware Mydoom (2009), Joanap, and DeltaAlfa.

“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject. These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.” states the analysis published by the experts.

The expert notices many similarities in the source code of three different remote access Trojans, tracked as NavRAT, Gold Dragon, and a DLL that was used in the attack against the South Korean gambling industry. The similarity consists in the Common file mapping.

“The second example demonstrates code responsible for mapping a file and using the XOR key 0xDEADBEEF on the first four bytes of the file. This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign.” reads the report published by the experts.

The three malware were associated with the APT group tracked as Group 123 (also tracked as Reaper, APT37, and ScarCruft).

The researchers also found a similarity in the source code of the Brambul malware (2009) and KorDllBot (2011).

“The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009’s Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group.” states the report.

The experts also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples involved in the Operation Troy.

The analysis of the code reuse conducted by the experts confirmed that most of the samples attributed to North Korea-linked APT group Lazarus presented many similarities. The only malware that appears different are the RATs involved in the operations attributed to Group 123 APT group.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the researchers concluded.

“We clearly saw a lot of code reuse over the many years of cyber campaigns we examined. This indicates the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.” concluded the experts.

Pierluigi Paganini

(Securi ty Affairs – North Korea, malware)

The post The analysis of the code reuse revealed many links between North Korea malware appeared first on Security Affairs.

IoT malware found hitting airplanes’ SATCOM systems

In 2014, IOActive researchers revealed security vulnerabilities they found in the most widely deployed satellite communications terminals and presented potential scenarios attackers could exploit once SATCOM systems have been compromised in the aviation, maritime, and military sectors. In 2018, they demonstrated that some of these theoretical scenarios are, unfortunately, still actually possible. Ruben Santamarta, principal security consultant with IOActive, presented this latest research at this year’s Black Hat conference in Las Vegas, and showed that … More →

The post IoT malware found hitting airplanes’ SATCOM systems appeared first on Help Net Security.

Modular Remote Access Trojan Uses Sophisticated Techniques to Evade Detection

Security researchers discovered a new modular remote access Trojan, dubbed Parasite HTTP, that uses sophisticated techniques to evade detection.

In July 2018, Proofpoint observed sale offers for the modular RAT on underground web marketplaces. The researchers monitored an email attack campaign that used human resources (HR) distribution lists to trick recipients into opening what appeared to be Microsoft Word resumes and CVs. The attachments contained malicious macros that downloaded the RAT from a remote site if enabled.

Parasite HTTP employs a range of evasive techniques, including leveraging a sleep routine to check for sandboxes and delay execution and skipping the allocation of critical buffers to produce a crash if it detects a sandbox.

What’s Driving the Surge of Evasive Malware?

The Parasite HTTP RAT is just one of the many threats fueling a surge in evasive malware. According to Minerva Labs, 86 percent of exploit kits and 85 percent of malicious payloads detected in 2017 employed evasive techniques, including memory injection (48 percent), malicious document files (28 percent) and environment testing (24 percent).

Similarly, 98 percent of the malware software-as-a-service (SaaS) provider Cyren analyzed in the first quarter of 2018 employed at least one evasive tactic, while 32 percent employed at least six.

How to Defend Against an Evasive Remote Access Trojan

Evasive malware samples pose a significant threat to organizations because they can slide under many traditional security solutions. To help defend corporate networks against these threats, IBM Security experts recommend keeping antivirus solutions up to date, scanning the environment for known indicators of compromise (IoCs) and keeping applications and operating systems running at the latest publicly released patch.

Security experts also advise security teams to use phishing intelligence to counter the spread of advanced threats like Parasite HTTP and other evasive malware.

Sources: Proofpoint, Minerva Labs, SecurityWeek

The post Modular Remote Access Trojan Uses Sophisticated Techniques to Evade Detection appeared first on Security Intelligence.

Cyber Criminals selling Bitcoin ATM Malware on Dark Web

By Uzair Amir

Trend Micro researchers have discovered a malware listing on Dark Web marketplace that lets attackers steal from Bitcoin ATMs. They can easily rake in cryptocurrency worth 6,750 in Euros, Pounds or Dollars by attacking the ATMs. The listing was perhaps created on June 25, 2018. It is available at a whopping price tag of $25,000. […]

This is a post from HackRead.com Read the original post: Cyber Criminals selling Bitcoin ATM Malware on Dark Web

DataBreaches.net: “Stevenkings” charged with creating “Medusa IRC Botnet DDoS” malware used against Bay Area company’s website

SAN JOSE – A federal grand jury in San Jose indicted Travis Cole Malone, Jr., on July 12, 2018, for conspiracy to...

DataBreaches.net

Researchers Say Code Reuse Links North Korea’s Malware

Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous read more

Process Doppelgänging meets Process Hollowing in Osiris dropper

One of the Holly Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.

Overview

Osiris is loaded in three steps as pictured in the diagram below:

The first stage loader is the one that was inspired by the Process Doppelgänging technique but with an innovative twist. Finally, Osiris proper is delivered thanks to a second stage loader.

Loading additional NTDLL

When ran, the initial dropper creates a new suspended process, wermgr.exe.

Looking into the modules loaded within the injector’s process space, we can indeed see this additional copy of NTDLL:

This is a well-known technique that some malware authors use in order to evade monitoring applications and hide the API calls that they use. When we closely examine what functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. It was easy to guess that the technique of Process Doppelgänging, which relies on this mechanism, was applied here.

NTDLL is a special, low-level DLL. Basically, it is just a wrapper around syscalls. It does not have any dependencies from other DLLs in the system. Thanks to this, it can be loaded conveniently, without the need to fill its import table.

Other system DLLs, such as Kernel32, rely heavily on functions exported from NTDLL. This is why many user-land monitoring tools hook and intercept the functions exported by NTDLL: to watch what functions are being called and check if the process does not display any suspicious activity.

Of course malware authors know about this, so sometimes, in order to fool this mechanism, they load their own, fresh and unhooked copy of NTDLL from disk. There are several ways to implement this. Let’s have a look how the authors of the Osiris dropper did it.

Looking at the memory mapping, we see that the additional NTDLL is loaded as an image, just like other DLLs. This type of mapping is typical for DLLs loaded by LoadLibrary function or its low-level version from NTDLL, LdrLoadDll. But NTDLL is loaded by default in every executable, and loading the same DLL twice is impossible by the official API.

Usually, malware authors decide to map the second copy manually, but that gives a different mapping type and stands out from the normally-loaded DLLs. Here, the authors made a workaround: they loaded the file as a section, using the following functions:

ntdll.NtCreateFile – to open the ntdll.dll file
ntdll.NtCreateSection – to create a section out of this file
ntdll.ZwMapViewOfSection – to map this section into the process address space

This was a smart move because the DLL is mapped as an image, so it looks like it was loaded in a typical way.

This DLL was further used to make the payload injection more stealthy. Having their fresh copy of NTDLL, they were sure that the functions used from there are not hooked by security products.

Process Doppelgänging and Process Hollowing

The way in which the loader injects the payload into a new process displays some significant similarities with Process Dopplegänging. However, if we analyze it very carefully, we can see also differences from the classic implementation proposed last year at Black Hat. The differing elements are closer to Process Hollowing.

Classic Process Doppelgänging:

Process Hollowing:

Osiris Loader:

Creating a new process

The Osiris loader starts by creating the process into which it is going to inject. The process is created by a function from Kernel32: CreateProcessInternalW:

The new process (wermgr.exe) is created in a suspended state from the original file. So far, it reminds us of Process Hollowing, a much older technique of process impersonation.

In the Process Dopplegänging algorithm, the step of creating the new process is taken much later and uses a different, undocumented API: NtCreateProcessEx:

This difference is significant, because in Process Doppelgänging, the new process is created not from the original file, but from a special buffer (section). This section was supposed to be created earlier, using an “invisible” file created within the NTFS transaction. In the Osiris loader, this part also occurs, but the order is turned upside down, making us question if we can call it the same algorithm.

After the process is created, the same image (wermgr.exe) is mapped into the context of the loader, just like it was previously done with NTDLL.

As it later turns out, the loader will patch the remote process. The local copy of the wermgr.exe will be used to gather information about where the patches should be applied.

Usage of NTFS transactions

Let’s start from having a brief look at what are the NTFS transactions. This mechanism is commonly used while operating on databases—in a similar way, they exist in the NTFS file system. The NTFS transactions encapsulate a series of operations into a single unit. When the file is created inside the transaction, nothing from outside can have access to it until the transaction is committed. Process Doppelgänging uses them in order to create invisible files where the payload is dropped.

In the analyzed case, the usage of NTFS transactions is exactly the same. We can spot only small differences in the APIs used. The loader creates a new transaction, within which a new file is created. The original implementation used CreateTransaction and CreateFileTransacted from Kernel32. Here, they were substituted by low-level equivalents.

First, a function ZwCreateTransaction from a NTDLL is called. Then, instead of CreateFileTransacted, the authors open the transacted file by RtlSetCurrentTransaction along with ZwCreateFile (the created file is %TEMP%\\Liebert.bmp). Then, the dropper writes a buffer into to the file. Analogically, RtlSetCurrentTransaction with ZwWriteFile is used.

We can see that the buffer that is being written contains the new PE file: the second stage payload. Typically for this technique, the file is visible only within the transaction and cannot be opened by other processes, such as AV scanners.

This transacted file is then used to create a section. The function that can do it is available only via low-level API: ZwCreateSection/NtCreateSection.

After the section is created, that file is no longer needed. The transaction gets rolled back (by ZwRollbackTransaction), and the changes to the file are never saved on the disk.

So, the part described above is identical to the analogical part of Process Doppelgänging. Authors of the dropper made it even more stealthy by using low-level equivalents of the functions, called from a custom copy of NTDLL.

From a section to a process

At this point, the Osiris dropper creates two completely unrelated elements:

A process (at this moment containing a mapped, legitimate executable wermgr.exe)
A section (created from the transacted file) and containing the malicious payload

If this were typical Process Doppelgänging, this situation would never occur, and we would have the process created directly based on the section with the mapped payload. So, the question arises, how did the author of the dropper decide to merge the elements together at this point?

If we trace the execution, we can see following function being called, just after the transaction is rolled back (format: RVA;function):

4b1e6;ntdll_1.ZwQuerySection
4b22b;ntdll.NtClose
4b239;ntdll.NtClose
4aab8;ntdll_1.ZwMapViewOfSection
4af27;ntdll_1.ZwProtectVirtualMemory
4af5b;ntdll_1.ZwWriteVirtualMemory
4af8a;ntdll_1.ZwProtectVirtualMemory
4b01c;ntdll_1.ZwWriteVirtualMemory
4b03a;ntdll_1.ZwResumeThread

So, it looks like the newly created section is just mapped into the new process as an additional module. After writing the payload into memory and setting the necessary patches, such as Entry Point redirection, the process is resumed:

The way in which the execution was redirected looks similar to variants of Process Hollowing. The PEB of the remote process is patched, and the new module base is set to the added section. (Thanks to this, imports will get loaded automatically when the process resumes.)

The Entry Point redirection is, however, done just by a patch at the Entry Point address of the original module. A single jump redirects to the Entry Point of the injected module:

In case patching the Entry Point has failed, the loader contains a second variant of Entry Point redirection, by setting the new address in the thread context (ZwGetThreadContext -> ZwSetThreadContext), which is a classic technique used in Process Hollowing:

Best of both worlds

As we can see, the author merged some elements of Process Doppelgänging with some elements of Process Hollowing. This choice was not accidental. Both of those techniques have strong and weak points, but by merging them together, we get a power combo.

The weakest point of Process Hollowing is about the protection rights set on the memory space where the payload is injected (more info here). Process Hollowing allocates memory pages in the remote process by VirtualAllocEx, then writes the payload there. It gives one undesirable effect: the access rights (MEM_PRIVATE) were different than in the executable that is normally loaded (MEM_IMAGE).

Example of a payload loaded using Process Hollowing:

The major obstacle in loading the payload as an image is that, to do so, it has to be first dropped on the disk. Of course we cannot do this, because once dropped, it would easily be picked by an antivirus.

Process Doppelgänging on the other hand provides a solution: invisible transacted files, where the payload can be safely dropped without being noticed. This technique assumes that the transacted file will be used to create a section (MEM_IMAGE), and then this section will become a base of the new process (using NtCreateProcessEx).

Example of a payload loaded using Process Doppelgänging:

This solution works well, but requires that all the process parameters have to be also loaded manually: first creating them by RtlCreateProcessParametersEx and then setting them into the remote PEB. It was making it difficult to run a 32-bit process on 64-bit system, because in case of WoW64 processes, there are 2 PEBs to be filled.

Those problems of Process Doppelgänging can be solved easily if we create the process just like Process Hollowing does it. Rather than using low-level API, which was the only way to create a new process out of a section, the authors created a process out of the legitimate file, using a documented API from Kernel32. Yet, the section carrying the payload, loaded with proper access rights (MEM_IMAGE), can be added later, and the execution can get redirected to it.

Second stage loader

The next layer (8d58c731f61afe74e9f450cc1c7987be) is not the core yet, but the next stage of the loader. It imports only one DLL, Kernel32.

Its only role is to load the final payload. At this stage, we can hardly find something innovative. The Osiris core is unpacked piece by piece and manually loaded along with its dependencies into a newly-allocated memory area within the loader process.

After this self-injection, the loader jumps into the payload’s entry point:

The interesting thing is that the application’s entry point is different than the entry point saved in the header. So, if we dump the payload and try to run it interdependently, we will not get the same code executed. This is an interesting technique used to misguide researchers.

This is the entry point that was set in the headers is at RVA 0x26840:

The call leads to a function that makes the application go in an infinite sleep loop:

The real entry point, from which the execution of the malware should start, is at 0x25386, and it is known only to the loader.

The second stage versus Kronos loader

A similar trick using a hidden entry point was used by the original Kronos (2a550956263a22991c34f076f3160b49). In Kronos’ case, the final payload is injected into svchost. The execution is redirected to the core by patching the entry point in svchost:

In this case, the entry point within the payload is at RVA 0x13B90, while the entry point saved in the payload’s header (d8425578fc2d84513f1f22d3d518e3c3) is at 0x15002.

The code at the real Kronos entry point displays similarities with the analogical point in Osiris. Yet, we can see they are not identical:

A precision implementation

The first stage loader is strongly inspired by Process Dopplegänging and is implemented in a clean and professional way. The author adopted elements from a relatively new technique and made the best out of it by composing it with other known tricks. The precision used here reminds us of the code used in the original Kronos. However, we can’t be sure if the first layer is written by the same author as the core bot. Malware distributors often use third-party crypters to pack their malware. The second stage is more tightly coupled with the payload, and here we can say with more confidence that this layer was prepared along with the core.

Malwarebytes can protect against this threat early on by breaking its distribution chains that includes malicious documents sent in spam campaigns and drive-by downloads, thanks to our anti-exploit module. Additionally, our anti-malware engine detects both the dropper and Osiris core.

Indicators of Compromise (IOCs)

Stage 1 (original sample)

e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0

Stage 2 (second stage loader)

40288538ec1b749734cb58f95649bd37509281270225a87597925f606c013f3a

Osiris (core bot)

d98a9c5b4b655c6d888ab4cf82db276d9132b09934a58491c642edf1662e831e

The post Process Doppelgänging meets Process Hollowing in Osiris dropper appeared first on Malwarebytes Labs.

Black Hat 2018: Stealthy Kernel Attack Flies Under Windows Mitigation Radar

Researchers create PoC of a post-exploitation kernel-mode fileless attack technique.

Security Affairs: DeepLocker – AI-powered malware are already among us

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.

What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.

Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI,” dubbed DeepLocker that is able to conceal its malicious intent until it has infected the specific target.

“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.

“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.”

According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.

AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.

The malicious code could be concealed in harmful applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it stealth until the victim is identified through the facial recognition. Experts pointed out that the target can be identified by matching his face with publicly available photos.

“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”

“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.

“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”

The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.

Pierluigi Paganini

(Securi ty Affairs – AI-powered malware, DeepLocker )

The post DeepLocker – AI-powered malware are already among us appeared first on Security Affairs.

Security Affairs

DeepLocker – AI-powered malware are already among us

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present today.

What about Artificial Intelligence (AI) applied in malware development? Threat actors can use AI-powered malware to create powerful malicious codes that can evade sophisticated defenses.

According to the IBM researcher, DeepLocker is able to avoid detection and activate itself only after specific conditions are matched.

AI-powered malware represents a privileged optional in high-targeted attacks like the ones carried out by nation-state actors.

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

The IBM Research group will provider further details today more details in a live demo at the Black Hat USA security conference in Las Vegas.

Pierluigi Paganini

(Securi ty Affairs – AI-powered malware, DeepLocker )

The post DeepLocker – AI-powered malware are already among us appeared first on Security Affairs.

New Actor DarkHydrus Targets Middle East with Open-Source Phishing

DarkHydrus uses the open-source Phishery tool to create two of the known Word documents used in the attacks.

Researchers Developed Artificial Intelligence-Powered Stealthy Malware

Artificial Intelligence (AI) has been seen as a potential solution for automatically detecting and combating malware, and stop cyber attacks before they affect any organization. However, the same technology can also be weaponized by threat actors to power a new generation of malware that can evade even the best cyber-security defenses and infects a computer network or launch an attack only

Bokbot: The (re)birth of a banker

This blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason.

Summary

Bokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by a customer at a later stage.

Having looked into the bot and the operation, the analysis quickly revealed that it’s connected to a well-known actor group that was behind an operation publically known as 76service and later Neverquest/Vawtrak, dating back to 2006.

Neverquest operated for a number of years before an arrest lead to its downfall in January 2017. Just a few months afterwards we discovered a new bot, with a completely new code base but based on ideas and strategies from the days of Neverquest. Their business ties remains intact as they still utilize services from the same groups as seen before but also expanded to use new services.

This suggests that at least parts of the group behind Neverquest is still operating using Bokbot. It’s however unclear how many of the people from the core group that have continued on with Bokbot.

Bokbot is still a relatively new bot, just recently reaching a production state where they have streamlined and tested their creation. Even though it’s a new bot, they still have strong connections within the cybercrime underworld which enables them to maintain and grow their operation such as distributing their bot to a larger number of victims.

By looking back in history and the people who are behind this, it is highly likely that this is a threat that is not going away anytime soon. Fox-IT rather expects an expansion of both the botnet size and their target list.

76service and Neverquest

76service was, what one could call, a big-data mining service for fraud, powered by CRM (aka: Gozi). It was able to gather huge amounts of data from its victims using, for example, formgrabbing where authorization and log-in credentials are retrieved from forms submitted to websites by the infected victim.

76service login page (source: krebsonsecurity.com)

The service was initially spotted in 2006 and was put into production in 2007, where the authors started to rent out access to their platform. When given access to the platform, the fraudulent customers of this service could free-text search in the stolen data for credentials that provide access to online services, such as internet banking, email accounts and other online platforms.

76service operated uninterrupted until November 2010, when an Ukrainian national named Nikita Kuzmin got arrested in connection with the operation. This marked the end of the 76service service.

Nice Catch! – The real name of Neverquest

A few months before the arrest of Nikita he shared the source code of CRM within a private group of people which would enable them to continue the development of the malware. This, over time, lead to the appearance of multiple Gozi strains, but there was one which stood out more than the others, namely: Catch.

Catch was the name given internally by the malware authors, but to the security community and the public it was known as Vawtrak or Neverquest.

During this investigation into Catch it became clear that 76service and Catch shared several characteristics. They both, for example, separated their botnets into projects within the panel they used for administering their infrastructure and botnets. Instead of having one huge botnet, they assigned every bot build with a project ID that would be used by the bot to let the Command & Control (C2) server know which specific project the bot belonged to.

76service and Catch also shared the same business model, where they shifted back and forth between a private and rented model.

The private business model meant that they made use of their own botnet, for their own gain, and the rented business model meant that they rented out access to their botnet to customers. This provided them with an additional income stream, instead of only performing the fraud themselves.

The shift between business models could usually be correlated with either: backend servers being seized or people with business ties to the group being arrested. These types of events might have spooked the group as they limited their infrastructure, closing down access for customers.

For the sake of simplicity, Catch will from here on be referred to as Neverquest in this post.

“Quest means business” – Affiliations

If one would identify a Neverquest infection it might not be the only malware that is lurking on the infected system. Neverquest has been known to cooperate with other crimeware groups, either to distribute additional malware or use existing botnets to distribute Neverquest.

During the investigation and tracking of Neverquest Fox-IT identified the following ties:

Crimeware/malware group	Usage/functionality
Dyre	Download and execute Dyre on Neverquest infections
TinyLoader & AbaddonPOS	Download and execute TinyLoader on Neverquest infections. TinyLoader was later seen downloading AbaddonPOS (as mentioned by Proofpoint)
Chanitor/Hancitor	Neverquest leverages Chanitor to infect new victims.

By leveraging these business connections, especially the connection with Dyre, Neverquest is able to maximize the monetization of the bots. This since Neverquest could see if a bot was of interest to the group and if not, it could be handed off to Dyre which could cast a wider net, targeting for example a bigger or different geographical region and utilize a bot in a different way.

More on these affiliations in a later section.

The never ending quest comes to an end

Neverquest remained at large from around 2010, causing huge amounts of financial losses, ranging from ticket fraud to wire fraud to credit card fraud. Nevertheless, in January 2017 the quest came to an end, as an individual named Stanislav Lisov was arrested in Spain. This individual was proven to be a key player in the operation: soon after the arrest the backend servers of Neverquest went offline, never to come back online, marking the end of a 6 year long fraud operation.

A more detailed background on 76service and Neverquest can be found in a blogpost by PhishLabs.

A wild Bokbot appears!

Early samples of Bokbot were identified in our lab in May 2017 and also provided to us by a customer. At this time the malware was being distributed to US infections by the Geodo (aka: Emotet) spam botnet. The name Bokbot is based on a researcher who worked on the very early versions of the malware (you know who you are ).

Initial thoughts were that this was a new banking module for Geodo, as this group had not been involved in banking/fraud since May 2015. This scenario was quickly dismissed after having discovered evidence that linked Bokbot to Neverquest, which will be further outlined hereafter.

Bokbot internals

First, let’s do some housekeeping and look into some of the technical aspects of Bokbot.

Communication

All communication between a victim and the C2 server is sent over HTTPS using POST- and GET-requests. The initial request sent to the C2 is a POST-request containing some basic information about the machine it’s running on, as seen in the example below. Any additional requests like requesting configs or modules are sent using GET-requests, except for the uploading of any stolen data such as files, HTML code, screenshots or credentials which the victim submits using POST-requests.

bokbot_post_request
Even though the above request is from a very early version (14) of the bot, the principle still applies to the current version (101), first seen 2018-07-17.

URL param.	Comment
b	Bot identifier, contains the information needed to identify the individual bot and where it belongs. More information on this in later a section.
d	Type of uploaded information. For example screenshot, grabbed form, HTML or a file
e	Bot build version
i	System uptime

POST-data param.	Comment
k	Computer name (Unicode, URL-encoded)
l	Member of domain… (Unicode, URL-encoded)
j	Bot requires signature verification for C2 domains and self-updates
n	Bot running with privilege level…
m	Windows build information (version, arch., build, etc.)

The parameters that are not included in the table above are used to report stolen data to the C2.

The C2 response of this particular bot version is a simple set of integers which tells the bot which command(s) that should be executed. This is the only C2 response that is unencrypted, all other responses are encrypted using RC4. Some responses are, like the configs, also compressed using LZMAT.

After a response is decrypted, the bot will check if the first 4 bytes equal “zeus”.

bokbot_zeus_sig

If the first 4 bytes are equal to “zeus”, it will decompress the rest of the data.

The reason for choosing “zeus” as the signature remains unknown, it could be an intentional false flag, in an attempt to trick analysts into thinking that this might be a new ZeuS strain. Similar elusive techniques have been used before to trick analysts. A simpler explanation could be that the developer simply had an ironic sense of humor, and chose the first malware name that came to mind as the 4 byte signature.

Configs

Bokbot supports three different types of configs, which all are in a binary format rather than some structured format like XML, which is, for example, used by TheTrick.

Config	Comment
Bot	The latest C2 domains
Injects	Contains targets which are subject to web injects and redirection attacks
Reporting	Contains targets related to HTML grabbing and screenshots

The first config, which includes the bot C2 domains, is signed. This to prevent that a takeover of any of the C2 domains would result in a sinkholing of the bots. The updates of the bot itself are also signed.

The other two configs are used to control how the bot will interact with the targeted entities, such as redirecting and modifying web traffic related to for example internet banking and/or email providers, for the purpose of harvesting credentials and account information.

The reporting config is used for a more generic purpose, where it’s not only used for screenshots but also for HTML grabbing, which would grab a complete HTML page if a victim browses to an “interesting” website, or if the page contains a specific keyword. This enables the actors to conduct some reconnaissance for future attacks, like being able to write web injects for a previously unknown target.

Geographical foothold

Ever since the appearance Bokbot has been heavily focused on targeting financial institutions in the US even though they’re still gathering any data that they deem interesting such as credentials for online services.

Based on Fox-IT’s observation of the malware spread and the accompanied configs we find that North America seems to be Bokbot’s primary hunting ground while high infection counts have been seen in the following countries:

United States
Canda
India
Germany
Netherlands
France
United Kingdom
Italy
Japan

“I can name fingers and point names!” – Connecting the two groups

The two bots, on a binary level, do not show much similarity other than the fact that they’re both communicating over HTTPS and use RC4 in combination with LZMAT compression. But this wouldn’t be much of an attribution as it’s also a combination used in for example ZeuS Gameover, Citadel and Corebot v1.

The below tables provides a short summary of the similarities between the groups.

Connection	Comment
Bot and project ID format	The usage of projects and the bot ID generation are unique to these groups along with the format that this information is communicated to the C2.
Inject config	The injects and redirection entries are very similar and the format haven’t been seen in any other malware family.
Reporting config	The targeted URLs and “interesting” keywords are almost identical between the two.
Affiliations	The two group share business affiliations with other crimeware groups.

Bot ID, URL pattern and project IDs

When both Neverquest and Bokbot communicate with their C2 servers, they have to identify themselves by sending their unique bot ID along with a project ID.

An example of the string that the server uses in order to identify a specific bot from its C2 communication is shown below:

bokbot_id_format

The placement of this string is of course different between the families, where Neverquest (in the latest version) placed it, encoded, in the Cookie header field. Older version of Neverquest sent this information in the URL. Bokbot on the other hand sends it in the URL as shown in a previous section.

One important difference is that Neverquest used a simple number for their project ID, 7, in the example above. Bokbot on the other hand is using a different, unknown format for its project ID. A theory is that this could be the CRC checksum of the project name to prevent any leakage of the number of projects or their names, but this is pure speculation.

Another difference is that Bokbot has implemented an 8 bit checksum that is calculated using the project ID and the bot ID. This checksum is then validated on the server side and if it doesn’t match, no commands will be returned.

To this date there has been a total of 20 projects over 25 build versions observed, numbers that keeps on growing.

Inject config – Dynamic redirect structure

The inject config not only contain web injects but also redirects. Bokbot supports both static redirects which redirects a static URL but also dynamic redirects which redirects a request based on a target matched using a regular expression.

The above example is a redirect attack from a Neverquest config. They use a regular expression to match on the requested URL. If it should match they will extract the name of the requested file along with its extension. The two strings are then used to construct a redirect URL controlled by the actors. Thereby, the $1 will be replaced with the file name and $2 will be replaced with the file extension.

How does this compare with Bokbot?

bokbot_target_format

Notice how the redirect URL contains $1 and $2, just as with Neverquest. This could of course be a coincidence but it should be mentioned that this is something that has only been observed in Neverquest and Bokbot.

Reporting config

This config was one of the very first things that hinted about a connection between the two groups. By comparing the configs it becomes quite clear that there is a big overlap in interesting keywords and URLs:

bokbot_reporting_targets

Neverquest is on the left and Bokbot on the right. Note that this is a simple string comparison between the configs which also includes URLs that are to be excluded from reporting.

“Guilt by association” – Affiliations

None of these groups are short on connections in the cybercrime underworld. It’s already mentioned that Neverquest had ties with Dyre, a group which by itself caused substantial financial losses. But it’s also important to take into account that Dyre didn’t completely go away after the group got dismantled but was rather replaced with TheTrick which gives a further hint of a connection.

Neverquest affil.	Bokbot affil.	Comment
Dyre	TheTrick	Neverquest downloads & executes Dyre
Dyre	TheTrick	Bokbot downloads & executes TheTrick
TinyLoader	TinyLoader	Neverquest downloads & executes TinyLoader which downloads AbaddosPOS
TinyLoader	TinyLoader	Bokbot downloads & executes TinyLoader, additional payload remains unknown at this time
Chanitor	Chanitor	Neverquest utilizes Chanitor for distribution of Neverquest
Chanitor	Chanitor	Bokbot utilizes Chanitor for distribution of Bokbot, downloads SendSafe spam malware to older infections.
	Geodo	Bokbot utilizes Geodo for distributing Bokbot
	Gozi-ISFB	Bokbot utilizes Gozi-ISFB for distributing Bokbot

There are a few interesting observations with the above affiliations. The first is for the Chanitor affiliation.

When Bokbot was being distributed by Chanitor, an existing Bokbot infection that was running an older version than the one being distributed by Chanitor, would receive a download & execute command which pointed to the SendSafe spambot, used by the Chanitor group to send spam. Suggesting that they may have exchanged “infections for infections”.

The Bokbot affiliation with Geodo is something that cannot be linked to Neverquest, mostly due to the fact that Geodo has not been running its spam operation long enough to overlap with Neverquest.

The below graph show all the observed affiliations to date.

bokbot_attributions

Events over time

All of the above information have been collected over time during the development and tracking of Bokbot. The events and observations can be observed on the below timeline.

bokbot_event_timeline

The first occurrence of TheTrick being downloaded was in July 2017 but Bokbot has since been downloading TheTrick at different occasions.

At the end of December 2017 there was little Bokbot activity, likely due to the fact that it was holidays. It’s not uncommon for cybercriminals to decrease their activity during the turn of the year, supposedly everyone needs holidays, even cybercriminals. They did however push an inject config to some bots which targeted *.com with the goal of injecting Javascript to mine Monero cryptocurrency. As soon as an infected user visits a website with a .com top-level domain (TLD), the browser would start mining Monero for the Bokbot actors. This was likely an attempt to passively monetize the bots while the actors was on holiday.

Bokbot remains active and shows no signs of slowing down. Fox-IT will continue to monitor these actors closely.

Massive Router Attack Injects CoinHive Malware Using Winbox Bug

Security researchers observed a massive router attack in which threat actors injected CoinHive into more than 170,000 devices to mine for Monero.

On July 31, security firm Trustwave detected a substantial CoinHive uptick in Brazil and identified MikroTik routers as the infection point upon further investigation. By leveraging CVE-2018-14847, a critical Winbox flaw, attackers gathered sensitive information from target devices and then gained unauthenticated, remote admin access. This tactic allowed them to inject the CoinHive script, which uses system resources to mine for Monero.

Although the majority of infected devices are in Brazil, this router attack is gaining ground internationally, according to the report.

The Impact of Malicious Miners

Crypto-mining malware eats up system resources, which could cause performance issues and compromise overall network security. For this attack, the threat actors targeted carrier-grade routers that serve global industries and internet service providers (ISPs) — increasing their reach and making it difficult for security teams to eliminate all CoinHive instances.

According to Trustwave, this impacts “users who are not directly connected to the infected router’s network,” as well as those who “visit websites behind these infected routers.”

As the campaign spread worldwide, researchers discovered a placeholder script (u113.src) and a backdoor account (called “ftu”) that allows attackers to send additional commands to any compromised device. Given the sheer number of devices impacted, the campaign could easily shift from simple crypto-mining to ransomware or complete network compromise.

How to Mitigate the Risk of a Router Attack

Although MikroTik released a fix for the flaw in April 2018, Trustwave noted that “there are hundreds of thousands of unpatched (and thus vulnerable) devices still out there.”

To limit the risk of vulnerabilities like the Winbox bug, IBM Security experts recommend implementing strict patch management policies and prioritizing security information and event management (SIEM) logs — so routers don’t get lost in the mix. While routers may go several days without sending a log, it’s important to review these logs regularly to ensure that CoinHive or other malware hasn’t set up shop.

Mitigating the impact of cryptojacking malware also requires a more active and decisive approach to risk management. Given the rapidly expanding market share of coin mining tools, security experts advise organizations to reevaluate potential areas of risk, impacts of compromise and potential long-term effects to create an actionable risk mitigation plan.

Sources: Trustwave, MikroTik

The post Massive Router Attack Injects CoinHive Malware Using Winbox Bug appeared first on Security Intelligence.

Fortnite for Android goes “off market” – is that good or bad? [VIDEO]

Fortnite for Android will sidestep Google Play and be an “off market” experience - is that good or bad? We discuss the issues...

Fileless Malware CactusTorch Executes Harmful .NET Assemblies From Memory

Fileless malware CactusTorch is using DotNetToJScript to execute harmful .NET assemblies from memory.

On July 26, researchers at McAfee Labs reported that they compiled the tool and uncovered the .NET executable DotNetToJScript.exe. The executable accepts a .NET assembly responsible for creating a new suspended process, allocating memory, writing shellcode in the target’s memory process and creating a thread to execute the shellcode.

DotNetToJScript does not ship out with CactusTorch. It ultimately yields only a JavaScript file containing the .NET assembly. The script host (wscript.exe) executes the JavaScript file on a target system.

Fileless Malware on the Rise

McAfee Labs observed a significant increase in CactusTorch between 2017 and 2018. Researchers detected just one or two variants of the malware back in April 2017. Fourteen months later, they documented close to 35 variants — all of which are capable of executing shellcode on Windows machines.

The Ponemon Institute estimated that 29 percent of attacks sustained by businesses in 2017 were fileless — up 20 percent from the previous year — and predicted that this figure would rise to 35 percent in 2018. Similarly, a Morphisec study revealed that 36 percent of nonadware attacks in Q1 2018 were completely fileless.

This growth is concerning for security professionals because fileless attacks use reputable executables to evade detection. This technique allows bad actors to infiltrate corporate networks and then move laterally to critical business assets where they can exfiltrate sensitive data or conduct digital espionage.

How to Protect Against Fileless Attacks

To minimize the risk of fileless attacks, IBM Security experts recommend keeping apps and operating systems up to date, regularly updating antivirus software and blocking URL- and IP-based indicators of compromise (IoCs). Security teams should also invest in endpoint defenses that combine traditional, file-based layered security with machine learning and sandbox technology.

Sources: McAfee Labs, Ponemon Institute, Morphisec

The post Fileless Malware CactusTorch Executes Harmful .NET Assemblies From Memory appeared first on Security Intelligence.

Smashing Security #090: Fortnite for Android, and the FCC’s DDoS BS

Fortnite players are told they’ll have to disable a security setting on Android, the FCC finally admits that it wasn’t hit by a DDoS attack, and Verizon’s VPN smallprint raises privacy concerns.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Bisson.

Black Hat 2018: Google’s Tabriz Talks Complex Security Landscapes

At Black Hat, Google's Parisa Tabriz discussed how to navigate the complex security environment with long-term thinking and a policy of open collaboration.

BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot chain. However, this process takes time and even an army of skilled reverse engineers wouldn’t scale to the size of modern enterprise networks. To put this in context, the compromised enterprise network referenced in our ROCKBOOT blog post had approximately 10,000 hosts. Assuming a minimum of two boot records per host, a Master Boot Record (MBR) and a Volume Boot Record (VBR), that is an average of 20,000 boot records to analyze! An initial reaction is probably, “Why not just hash the boot records and only analyze the unique ones?” One would assume that corporate networks are mostly homogeneous, particularly with respect to boot code, yet this is not the case. Using the same network as an example, the 20,000 boot records reduced to only 6,000 unique records based on MD5 hash. Table 1 demonstrates this using data we’ve collected across our engagements for various enterprise sizes.

Enterprise Size (# hosts)	Avg # Unique Boot Records (md5)
100-1000	428
1000-10000	4,738
10000+	8,717

Table 1 – Unique boot records by MD5 hash

Now, the next thought might be, “Rather than hashing the entire record, why not implement a custom hashing technique where only subsections of the boot code are hashed, thus avoiding the dynamic data portions?” We tried this as well. For example, in the case of Master Boot Records, we used the bytes at the following two offsets to calculate a hash:

md5( offset[0:218] + offset[224:440] )

In one network this resulted in approximately 185,000 systems reducing to around 90 unique MBR hashes. However, this technique had drawbacks. Most notably, it required accounting for numerous special cases for applications such as Altiris, SafeBoot, and PGPGuard. This required small adjustments to the algorithm for each environment, which in turn required reverse engineering many records to find the appropriate offsets to hash.

Ultimately, we concluded that to solve the problem we needed a solution that provided the following:

A reliable collection of boot records from systems
A behavioral analysis of boot records, not just static analysis
The ability to analyze tens of thousands of boot records in a timely manner

The remainder of this post describes how we solved each of these challenges.

Collect the Bytes

Malicious drivers insert themselves into the disk driver stack so they can intercept disk I/O as it traverses the stack. They do this to hide their presence (the real bytes) on disk. To address this attack vector, we developed a custom kernel driver (henceforth, our “Raw Read” driver) capable of targeting various altitudes in the disk driver stack. Using the Raw Read driver, we identify the lowest level of the stack and read the bytes from that level (Figure 1).

Figure 1: Malicious driver inserts itself as a filter driver in the stack, raw read driver reads bytes from lowest level

This allows us to bypass the rest of the driver stack, as well as any user space hooks. (It is important to note, however, that if the lowest driver on the I/O stack has an inline code hook an attacker can still intercept the read requests.) Additionally, we can compare the bytes read from the lowest level of the driver stack to those read from user space. Introducing our first indicator of a compromised boot system: the bytes retrieved from user space don’t match those retrieved from the lowest level of the disk driver stack.

Analyze the Bytes

As previously mentioned, reverse engineering and static analysis are impractical when dealing with hundreds of thousands of boot records. Automated dynamic analysis is a more practical approach, specifically through emulating the execution of a boot record. In more technical terms, we are emulating the real mode instructions of a boot record.

The emulation engine that we chose is the Unicorn project. Unicorn is based on the QEMU emulator and supports 16-bit real mode emulation. As boot samples are collected from endpoint machines, they are sent to the emulation engine where high-level functionality is captured during emulation. This functionality includes events such as memory access, disk reads and writes, and other interrupts that execute during emulation.

The Execution Hash

Folding down (aka stacking) duplicate samples is critical to reduce the time needed on follow-up analysis by a human analyst. An interesting quality of the boot samples gathered at scale is that while samples are often functionally identical, the data they use (e.g. strings or offsets) is often very different. This makes it quite difficult to generate a hash to identify duplicates, as demonstrated in Table 1. So how can we solve this problem with emulation? Enter the “execution hash”. The idea is simple: during emulation, hash the mnemonic of every assembly instruction that executes (e.g., “md5(‘and’ + ‘mov’ + ‘shl’ + ‘or’)”). Figure 2 illustrates this concept of hashing the assembly instruction as it executes to ultimately arrive at the “execution hash”

Figure 2: Execution hash

Using this method, the 650,000 unique boot samples we’ve collected to date can be grouped into a little more than 300 unique execution hashes. This reduced data set makes it far more manageable to identify samples for follow-up analysis. Introducing our second indicator of a compromised boot system: an execution hash that is only found on a few systems in an enterprise!

Behavioral Analysis

Like all malware, suspicious activity executed by bootkits can vary widely. To avoid the pitfall of writing detection signatures for individual malware samples, we focused on identifying behavior that deviates from normal OS bootstrapping. To enable this analysis, the series of instructions that execute during emulation are fed into an analytic engine. Let's look in more detail at an example of malicious functionality exhibited by several bootkits that we discovered by analyzing the results of emulation.

Several malicious bootkits we discovered hooked the interrupt vector table (IVT) and the BIOS Data Area (BDA) to intercept system interrupts and data during the boot process. This can provide an attacker the ability to intercept disk reads and also alter the maximum memory reported by the system. By hooking these structures, bootkits can attempt to hide themselves on disk or even in memory.

These hooks can be identified by memory writes to the memory ranges reserved for the IVT and BDA during the boot process. The IVT structure is located at the memory range 0000:0000h to 0000:03FCh and the BDA is located at 0040:0000h. The malware can hook the interrupt 13h handler to inspect and modify disk writes that occur during the boot process. Additionally, bootkit malware has been observed modifying the memory size reported by the BIOS Data Area in order to potentially hide itself in memory.

This leads us to our final category of indicators of a compromised boot system: detection of suspicious behaviors such as IVT hooking, decoding and executing data from disk, suspicious screen output from the boot code, and modifying files or data on disk.

Do it at Scale

Dynamic analysis gives us a drastic improvement when determining the behavior of boot records, but it comes at a cost. Unlike static analysis or hashing, it is orders of magnitude slower. In our cloud analysis environment, the average time to emulate a single record is 4.83 seconds. Using the compromised enterprise network that contained ROCKBOOT as an example (approximately 20,000 boot records), it would take more than 26 hours to dynamically analyze (emulate) the records serially! In order to provide timely results to our analysts we needed to easily scale our analysis throughput relative to the amount of incoming data from our endpoint technologies. To further complicate the problem, boot record analysis tends to happen in batches, for example, when our endpoint technology is first deployed to a new enterprise.

With the advent of serverless cloud computing, we had the opportunity to create an emulation analysis service that scales to meet this demand – all while remaining cost effective. One of the advantages of serverless computing versus traditional cloud instances is that there are no compute costs during inactive periods; the only cost incurred is storage. Even when our cloud solution receives tens of thousands of records at the start of a new customer engagement, it can rapidly scale to meet demand and maintain near real-time detection of malicious bytes.

The cloud infrastructure we selected for our application is Amazon Web Services (AWS). Figure 3 provides an overview of the architecture.

Figure 3: Boot record analysis workflow

Our design currently utilizes:

API Gateway to provide a RESTful interface.
Lambda functions to do validation, emulation, analysis, as well as storage and retrieval of results.
DynamoDB to track progress of processed boot records through the system.
S3 to store boot records and emulation reports.

The architecture we created exposes a RESTful API that provides a handful of endpoints. At a high level the workflow is:

Endpoint agents in customer networks automatically collect boot records using FireEye’s custom developed Raw Read kernel driver (see “Collect the bytes” described earlier) and return the records to FireEye’s Incident Response (IR) server.
The IR server submits batches of boot records to the AWS-hosted REST interface, and polls the interface for batched results.
The IR server provides a UI for analysts to view the aggregated results across the enterprise, as well as automated notifications when malicious boot records are found.

The REST API endpoints are exposed via AWS’s API Gateway, which then proxies the incoming requests to a “submission” Lambda. The submission Lambda validates the incoming data, stores the record (aka boot code) to S3, and then fans out the incoming requests to “analysis” Lambdas.

The analysis Lambda is where boot record emulation occurs. Because Lambdas are started on demand, this model allows for an incredibly high level of parallelization. AWS provides various settings to control the maximum concurrency for a Lambda function, as well as memory/CPU allocations and more. Once the analysis is complete, a report is generated for the boot record and the report is stored in S3. The reports include the results of emulation and other metadata extracted from the boot record (e.g., ASCII strings).

As described earlier, the IR server periodically polls the AWS REST endpoint until processing is complete, at which time the report is downloaded.

Find More Evil in Big Data

Our workflow for identifying malicious boot records is only effective when we know what malicious indicators to look for, or what execution hashes to blacklist. But what if a new malicious boot record (with a unique hash) evades our existing signatures?

For this problem, we leverage our in-house big data platform engine that we integrated into FireEye Helix following the acquisition of X15 Software. By loading the results of hundreds of thousands of emulations into the engine X15, our analysts can hunt through the results at scale and identify anomalous behaviors such as unique screen prints, unusual initial jump offsets, or patterns in disk reads or writes.

This analysis at scale helps us identify new and interesting samples to reverse engineer, and ultimately helps us identify new detection signatures that feed back into our analytic engine.

Conclusion

Within weeks of going live we detected previously unknown compromised systems in multiple customer environments. We’ve identified everything from ROCKBOOT and HDRoot! bootkits to the admittedly humorous JackTheRipper, a bootkit that spreads itself via floppy disk (no joke). Our system has collected and processed nearly 650,000 unique records to date and continues to find the evil needles (suspicious and malicious boot records) in very large haystacks.

In summary, by combining advanced endpoint boot record extraction with scalable serverless computing and an automated emulation engine, we can rapidly analyze thousands of records in search of evil. FireEye is now using this solution in both our Managed Defense and Incident Response offerings.

Acknowledgements

Dimiter Andonov, Jamin Becker, Fred House, and Seth Summersett contributed to this blog post.

Emotet Trojan Uses Complex Modules to Evade Standard Protection

Security researchers have discovered that the Emotet Trojan is still active and becoming more sophisticated and successful in how it spreads through corporate systems.

Security researchers from Check Point reported on July 24 that the Emotet Trojan, which was first discovered in 2014, is still active. Unlike other bots and malware that make headlines for a short time before they disappear, Emotet has proven surprisingly durable.

It initially acted as a banking Trojan focused on stealing financial information. While the researchers highlighted that the banking functionality was removed in 2017, its modular design has allowed it to infect networks through the Rig exploit kit, network shares and more traditional means, such as spam email messages.

Emotet Trojan Develops an ‘Ecosystem of Modules’

The Emotet Trojan directly hooks network application programming interface (API) functions to gather data, such as login credentials rather than browser functions. But more recently it has used third-party open source code to set up what researchers described as an “ecosystem of modules.”

The main dropper, for example, allows the Trojan to immediately upgrade itself to the latest version of the malware and rotate the command and control (C&C) servers it uses to send stolen information back and forth. For security professionals, this makes detection even more elusive because standard antivirus tools typically do not match patterns within files to identify them as malicious. According to a recent US-CERT bulletin, the Trojan has cost various government organizations an average of $1 million per incident.

How a Threat Hunting Program Can Help Protect Against Persistent Malware

As the actors behind the Emotet Trojan and similar threats become more effective in getting past perimeter defenses, chief information security officers (CISOs) and their teams should focus on protecting against malware that gains persistence and strengthens its foothold in the network, according to IBM Security experts.

According to the IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework, security leaders should develop a threat hunting program to proactively scan networks for signs of persistence and expand the scope as necessary to mitigate further infection. By prioritizing telemetry data into tiers of both benign and potentially malicious activities via a logging and analysis platform, meanwhile, security teams can more efficiently stop threats like the Emotet Trojan in their tracks — no matter how they evolve.

Source: Check Point, US-CERT

The post Emotet Trojan Uses Complex Modules to Evade Standard Protection appeared first on Security Intelligence.

Patrick Wardle on Breaking and Bypassing MacOS Firewalls

A Black Hat talk demonstrates the ease of poking holes in firewalls: How to break, bypass and dismantle macOS firewall products.

DeepLocker: How AI Can Power a Stealthy New Breed of Malware

With contributions from Jiyong Jang and Dhilung Kirat.

Cybersecurity is an arms race, where attackers and defenders play a constantly evolving cat-and-mouse game. Every new era of computing has served attackers with new capabilities and vulnerabilities to execute their nefarious actions.

In the PC era, we witnessed malware threats emerging from viruses and worms, and the security industry responded with antivirus software. In the web era, attacks such as cross-site request forgery (CSRF) and cross-site scripting (XSS) were challenging web applications. Now, we are in the cloud, analytics, mobile and social (CAMS) era — and advanced persistent threats (APTs) have been on the top of CIOs’ and CSOs’ minds.

But we are on the cusp of a new era: the artificial intelligence (AI) era. The shift to machine learning and AI is the next major progression in IT. However, cybercriminals are also studying AI to use it to their advantage — and weaponize it. How will the use of AI change cyberattacks? What are the characteristics of AI-powered attacks? And how can we defend against them?

At IBM Research, we are constantly studying the evolution of technologies, capabilities and techniques in order to identify and predict new threats and stay ahead of cybercriminals. One of the outcomes, which we will present at the Black Hat USA 2018 conference, is DeepLocker, a new breed of highly targeted and evasive attack tools powered by AI.

IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware. This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.

You can think of this capability as similar to a sniper attack, in contrast to the “spray and pray” approach of traditional malware. DeepLocker is designed to be stealthy. It flies under the radar, avoiding detection until the precise moment it recognizes a specific target. This AI-powered malware is particularly dangerous because, like nation-state malware, it could infect millions of systems without being detected. But, unlike nation-state malware, it is feasible in the civilian and commercial realms.

A Bit of Evasive Malware History

The DeepLocker class of malware stands in stark contrast to existing evasion techniques used by malware seen in the wild. While many malware variants try to hide their presence and malicious intent, none are as effective at doing so as DeepLocker.

Let’s recap the evolution of evasive malware:

In the late 1980s and early 1990s, the first variants of polymorphic and metamorphic viruses were designed to disrupt and destroy data. By means of obfuscation and mutating payloads, malware authors were avoiding antivirus systems that could easily screen files for known patterns using static signatures. Consequently, the antivirus industry gradually developed static code and malware-analysis capabilities to analyze obfuscated code and infer the malicious intent of code or files running on the endpoints they protected.
In the 1990s, malware authors started to encrypt the malicious payload (using so-called packers), such that the malicious code would only be observable when it was decrypted into memory before its execution. The security industry responded with dynamic malware analysis, building initial versions of malware sandboxes, such as virtualized systems, in which suspicious executables (called samples) are run, their activities monitored and their nature deemed benign or malicious.
Of course, attackers would not give in. In the 2000s, the first forms of evasive malware — malware trying to actively avoid analysis — were captured in the wild. For example, the malware used checks to identify whether it was running in a virtualized environment and whether other processes known to run in malware sandboxes were present. If any were found, the malware would stop executing its malicious payload in order to avoid analysis and keep its secrets encrypted. This approach is still prevalent today, as a May 2018 Security Week study found that 98 percent of the malware samples analyzed uses evasive techniques to varying extents.
As malware sandboxes have become increasingly more sophisticated in the past few years — for example, using bare metal analysis systems, according to the Computer Security Group at the University of California, Santa Barbara, that run on real hardware and avoiding virtualization — adversaries have moved to a different strategy: targeted attacks. They section their infection routines to have an initial step to carefully inspect the environment they run in for any predefined “suspicious” features, such as usernames and security solution processes. Only if the target endpoint is found “clear” would the malware be fetched and executed, unleashing its nefarious activity. One well-known example of evasion is the Stuxnet worm, which was programmed to target and seek out only specific industrial control systems (ICS) from a particular manufacturer, and only with certain hardware and software configurations.

Nevertheless, although malware evasion keeps evolving, even very recent forms of targeted malware require predefined triggers that can be exposed by defenders by checking the code, packed code, configuration files or network activity. All of these triggers are observable to skilled malware analysts with the appropriate tools.

DeepLocker: Ultra-Targeted and Evasive Malware

DeepLocker has changed the game of malware evasion by taking a fundamentally different approach from any other current evasive and targeted malware. DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.

What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.

The AI model is trained to behave normally unless it is presented with a specific input: the trigger conditions identifying specific victims. The neural network produces the “key” needed to unlock the attack. DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. As it is virtually impossible to exhaustively enumerate all possible trigger conditions for the AI model, this method would make it extremely challenging for malware analysts to reverse engineer the neural network and recover the mission-critical secrets, including the attack payload and the specifics of the target. When attackers attempt to infiltrate a target with malware, a stealthy, targeted attack needs to conceal two main components: the trigger condition(s) and the attack payload.

DeepLocker is able to leverage the “black-box” nature of the DNN AI model to conceal the trigger condition. A simple “if this, then that” trigger condition is transformed into a deep convolutional network of the AI model that is very hard to decipher. In addition to that, it is able to convert the concealed trigger condition itself into a “password” or “key” that is required to unlock the attack payload.

Technically, this method allows three layers of attack concealment. That is, given a DeepLocker AI model alone, it is extremely difficult for malware analysts to figure out what class of target it is looking for. Is it after people’s faces or some other visual clues? What specific instance of the target class is the valid trigger condition? And what is the ultimate goal of the attack payload?

DeepLocker Overview Chart
Figure 1. DeepLocker – AI-Powered Concealment

To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.

Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target. When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.

It’s important to understand that DeepLocker describes an entirely new class of malware — any number of AI models could be plugged in to find the intended victim, and different types of malware could be used as the “payload” that is hidden within the application.

DeepLocker Briefing at Black Hat USA

Alongside my colleagues Dhilung Kirat and Jiyong Jang, I will present the implications of AI-powered malware (and DeepLocker in particular) at Black Hat USA 2018. We will show how we combined open-source AI tools with straightforward evasion techniques to build a targeted, evasive and highly effective malware.

The aim of our briefing is threefold:

To raise awareness that AI-powered threats like DeepLocker are coming our way very soon;
To demonstrate how attackers have the capability to build stealthy malware that can circumvent defenses commonly deployed today and;
To provide insights into how to reduce risks and deploy adequate countermeasures.

While a class of malware like DeepLocker has not been seen in the wild to date, these AI tools are publicly available, as are the malware techniques being employed — so it’s only a matter of time before we start seeing these tools combined by adversarial actors and cybercriminals. In fact, we would not be surprised if this type of attack were already being deployed.

The security community needs to prepare to face a new level of AI-powered attacks. We can’t, as an industry, simply wait until the attacks are found in the wild to start preparing our defenses. To borrow an analogy from the medical field, we need to examine the virus to create the “vaccine.”

To that effect, IBM Research has been studying AI-powered attacks and identified several new traits compared to traditional attacks. In particular, the increased evasiveness of AI-powered attacks challenges traditional rule-based security tools. AI can learn the rules and evade them. Moreover, AI enables new scales and speeds of attacks by acting autonomously and adaptively.

We, as defenders, also need to lean into the power of AI as we develop defenses against these new types of attack. A few areas that we should focus on immediately include the use of AI in detectors; going beyond rule-based security, reasoning and automation to enhance the effectiveness of security teams; and cyber deception to misdirect and deactivate AI-powered attacks.

Additionally, it would be beneficial to focus on monitoring and analyzing how apps behave across user devices, and flagging events when a new app is taking unexpected actions. This detection tactic could help identify these types of attacks in the future.

The post DeepLocker: How AI Can Power a Stealthy New Breed of Malware appeared first on Security Intelligence.

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most popular banking malware families in existence today, it was first spotted in 2010 as a worm, in 2011, its authors improved it starting from the leaked Zeus source code turning the malware into a banking Trojan. In 2014 it reached the pinnacle of success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up 100,000 systems in two months, and this is just the tip of the iceberg because according to researchers a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6^th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”

According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb leverages a two-stage C&C infrastructure, the STAGE-0 C&C server informs the malware about the STAGE-1 C&C server while the unencrypted HTTP connection is used for this purpose. The second STAGE-1 C&C server is used for controlling malware via an encrypted connection.

The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.

In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
Bot-B connects to Bot-A.
Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.

Further details, including the IoC, are reported in the analysis published by Checkpoint.

Pierluigi Paganini

(Security Affairs – cybercrime, Ramnit botnet)

The post Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet appeared first on Security Affairs.

Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

By Waqas

Currently, the malware is targeting unpatched MikroTik routers in Brazil but researchers believe it’s about time it will spread worldwide. Unpatched routers manufactured by MikroTik have become potential targets of cryptojacking malware campaigns in Brazil. According to the analysis of Trustwave’s security researcher Simon Kenin, an unprecedented increment in web-based cryptojacking/cryptomining attacks in Brazil has […]

This is a post from HackRead.com Read the original post: Update MikroTik routers – 170,000 devices hit by cryptocurrency malware

Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which completely undermine users choice and control of their devices. Windows Defender ATP’s next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. These are applications that dont keep customers in control of devices through informed choices and accessible controls. Examples of unwanted behavior include modifying browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall or disable applications. Like malicious software, unwanted software threats are malware.

Using a model that leverages predictive technologies, machine learning, applied science, and artificial intelligence powers Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, and automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.

Michael Johnson

Windows Defender Research

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Users Played by Cryptojacking Scam on Popular Gaming Platform

A new cryptojacking scam masquerading as a video game garnered 6,000 downloads before being removed from the popular cloud-based platform on which it was hosted.

The game, called “Abstractism,” appeared on gaming distribution platform Steam after parent company Valve adopted an “anything goes policy” for its digital store, Fortune reported in July 2018. According to Motherboard, the game was originally released in March 2018 by developer Okalo Union and publisher dead.team as a “trivial platformer,” which has players move blocks in a 2D space to the sound of soothing music.

Despite the game’s minimalist graphics and lightweight concept, users began noticing device performance issues and discovered that the program was conducting significant amounts of network communication. The developers also encouraged users to leave the game running in the background for a chance to obtain rare items. Although patch notes expressly stated that the game was not crypto-mining malware, mounting evidence to the contrary forced Steam to remove it on July 30.

Gaming Platforms Are Not All Fun and Games

The threat posed by cryptojacking scams such as Abstractism is particularly concerning for security professionals because many companies are hiring gamers to help close the IT skills gap — meaning there’s a greater chance that this type of malware could compromise business networks.

Although the game does trigger Windows Defender and antivirus alerts, its lightweight nature makes it easy to overlook these red flags — even as it hogs both central processing unit (CPU) and graphics processing unit (GPU) resources. It doesn’t take much for malware makers to create crypto-mining code — in fact, the smaller, the better.

Steam’s move to an open marketplace is also worrisome, and not just because companies will suddenly be inundated with thousands of “Abstractism” copies. With cloud-based marketplaces no longer attempting to control every piece of software they offer, the responsibility for overseeing games, productivity tools and open-source offerings has shifted to corporate IT teams.

How to Minimize the Threat of Cryptojacking

To avoid costly losses due to cryptojacking games and other malicious apps, IBM Security experts recommend implementing advanced security information and event management (SIEM) and behavioral analytics tools to detect high CPU and GPU usage.

Security experts also suggest using a managed cloud access security broker (CASB) to help mitigate the impact of shadow IT — which, in this case, could include crypto-mining games downloaded onto business devices and any other cloud-based apps that aren’t approved by IT teams.

Sources: Fortune, Motherboard

The post Users Played by Cryptojacking Scam on Popular Gaming Platform appeared first on Security Intelligence.

TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware

TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware.

Early in August, a malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

Now the company shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware that hit 200,000 computers across 150 countries in a matter of hours in May 2017.

WannaCry took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.

The infection caused one of the most severe disruptions suffered by TSMC as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants shut down an entire day of production.

It has been estimated that the overall impact on the revenue of TSMC would be approx $256 million.

Chief Financial Officer Lora Ho confirmed that the infection would have some impact on TSMC’s 2018 profit, but declining to elaborate on further details.

According to the manufacturer, it wasn’t a targeted attack, instead, the systems were infected “when a supplier installed tainted software without a virus scan” to TSMC’s network.

The malware rapidly spread within the company network and infected more than 10,000 machines in some of the company’s production plants, including Tainan, Hsinchu, and Taichung.

“We are surprised and shocked,” TSMC Chief Executive Officer C. C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.”

WannaCry infected many other bit companies, the list of victims includes Boeing, Renault, and Honda,

TSMC confirmed that customers data were not compromised during the attack, it warned customers that shipment delays are expected.

Pierluigi Paganini

(Securi ty Affairs – WannaCry, Troy Hunt)

The post TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware appeared first on Security Affairs.

DanaBot Malware – Another Banking Trojan Delivered Through FTP Links

During the past few years, we have witnessed a concerning increase in the frequency of phishing and malware attacks. This

DanaBot Malware – Another Banking Trojan Delivered Through FTP Links on Latest Hacking News.

How Bitcoin and the Dark Web hide SamSam in plain sight

Bitcoin and the Dark Web are familiar terms, but what are they and how do they help SamSam operate in plain sight?

iPhone chipmaker blames ransomware for factory shutdowns

Taiwan chipmaker TSMC is back up and running, and pinning the blame for its shutdown on an infection by WannaCry ransomware.

Fortnite ditches Google Play – will it undermine Android security?

Like it or not, the Play Store is a walled garden that keeps out malware.

TrendLabs Security Intelligence Blog: Malware Targeting Bitcoin ATMs Pops Up in the Underground

The financial industry has seen several changes in terms of technology, including new ATM capabilities and the increasing use and popularity of cryptocurrencies. These two intersect in what’s known as a Bitcoin (BTC) ATM.

Although it looks similar to a regular ATM, a Bitcoin ATM differs in certain important aspects. Perhaps the most notable difference is that a Bitcoin ATM does not connect to a bank account. Instead it connects to a cryptocurrency exchange, which is a platform for buying and selling cryptocurrencies like bitcoin. The purchased bitcoins go to the customer’s digital wallet. In essence, a Bitcoin ATM is not really an ATM in the traditional sense of the word but is rather more like a kiosk or terminal that allows users to connect to exchanges.

But how safe are these Bitcoin ATMs?

Regular ATMs are popular targets for cybercriminals, and we have recenty noted a shift away from physical tools such as skimmers to malware-based attacks. Bitcoin ATM malware has so far been much less talked about, perhaps because of the relatively low number of machines currently available globally.

With the increasing popularity and real-world use of cryptocurrencies and the fact that cybercriminals will always try to exploit something that can make money for them, mining malware has been prevalent in the past year. It shouldn’t come as a surprise then that malware targeting Bitcoin ATMs will pop up in underground markets.

Unlike regular ATMs, there is no single set of verification or security standards for Bitcoin ATMs. For example, instead of requiring an ATM, credit, or debit card for transactions, a Bitcoin ATM involves the use of mobile numbers and ID cards for user identity verification. The user then has to input a wallet address or scan its QR code. The wallets used to store digital currencies are not standardized either and are often downloaded from app stores, posing another security problem. Given the seemingly Wild West nature of Bitcoin ATM security, cybercriminals are sure to take advantage.

While searching through underground forums, we noticed an apparently established and respected user offering Bitcoin ATM malware (see Figure 1).

Figure 1. Listing for a Bitcoin ATM malware

The actual listing for the malware contains more details. Buyers receive not just the malware but also a ready-to-use card that comes with EMV and NFC capabilities. According to the listing, the malware exploits a service vulnerability that allows the user to receive bitcoins worth up to 6,750 in U.S. dollars, euros, or pounds. The malware does not come cheap, as it is being sold for US$25,000. The number of reviews (over 100) shows that the seller has earned quite a large amount from various offerings, including this malware.

Figure 2. Detailed listing for BTC ATM malware

Another thread reveals that the seller is also offering regular ATM malware that has been updated for EMV standards. The posts in the thread further expound on how the malware works, including the use of a menu vulnerability to disconnect the machine from the network to disable alarms.

Figure 3. Listing for EMV-updated ATM malware

In Figure 4, we can see that the seller offers a range of financial-related malware and compromised accounts, which indicates that this person is an experienced cybercriminal who seems to be constantly expanding his wares.

Figure 4. Financial-related malware and compromised accounts

What we can glean from this is that cybercriminals interested in amassing bitcoins and other cryptocurrencies are no longer limiting themselves to cryptomining malware. As long as there is money to be made — and there is quite a bit of money in cryptocurrencies — cybercriminals will continue to devise tools and to expand to lucrative new “markets.” As the number of Bitcoin ATMs grows, we can expect to see more forms of malware targeting cryptocurrency ATMs in the future.

The post Malware Targeting Bitcoin ATMs Pops Up in the Underground appeared first on .

TrendLabs Security Intelligence Blog

Duo Security created open tools and techniques to identify large Twitter botnet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet.

Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was composed by using the Twitter’s API, collected records include profile name, tweet and follower count, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots, they include the number of digits in a screen name, Entropy of the screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, average hours tweeted per day, and average “distance” of account age in retweets/replies.

The above heuristics are organized in the 3 categories, the “Account attributes,” “Content,” and “Content Metadata.”

The tools and the techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnet. The experts first identify the automated bots then they use the tool to monitor the evolution of the botnets they belong.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the expert to discover how bots evolve to evade detection.

The experts reported their findings to Twitter that confirmed it is aware of the problem and that is currently working on implementing new security measure to detect problematic accounts.

“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”.

Duo Security will release its tools as open source on August 8 during the the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”

Pierluigi Paganini

(Securi ty Affairs – Twitter botnet, social media)

The post Duo Security created open tools and techniques to identify large Twitter botnet appeared first on Security Affairs.

Bitcoin Stealer Malware Takes $60K Using Clipboard Modification Method

New malware steals bitcoin using a technique that modifies an infected machine’s clipboard content.

In July 2018, Fortiguard Labs reported on a new malicious campaign, Bitcoin Stealer, which is currently responsible for taking approximately $60,000 in bitcoin. FortiGuard Labs researchers first came across a threat that initially matched several rules specific to Jigsaw ransomware in April 2018.

However, a closer look revealed that the threat, which contained the assembly name “BitcoinStealer.exe,” didn’t behave like ransomware at all.

How Clipboard Hijacking Tricks Users

Bitcoin Stealer instead uses an executable to monitor an infected computer’s clipboard content for signs of a bitcoin address. Assuming it finds one, Bitcoin Stealer replaces the copied bitcoin address with one that has similar strings at the beginning and end of its wallet address. Using this technique, Bitcoin Stealer injects itself into bitcoin transactions and tricks users into sending cryptocurrency to a wallet controlled by the cyberattacker behind the malware.

Bitcoin Stealer is the latest threat capable of monitoring and changing clipboard content — but it’s not the first. The malware comes on the heels of Evrial, which hit in January 2018, according to Bleeping Computer. It also follows CryptoShuffler, which redirected $150,000 in the fall of 2017.

These thieving programs are examples of clipboard hijacking, an attack methodology through which attackers commonly change clipboard content to direct browser users to a malicious website, according to Techopedia. Bad actors are also known to use a tactic called “pastejacking” to interfere with commands copied from a web browser and pasted into the terminal.

How Can Security Professionals Protect Against Clipboard-Modification Attacks?

Digital attackers have a long history of targeting clipboards to steal cryptocurrency or redirect users to malware. Therefore, security professionals must take steps to protect organizations against these types of clipboard-modification attacks.

Aside from searching for and blocking known indicators of compromise (IOCs) for threats like Bitcoin Stealer, IBM Security experts recommend installing updated antivirus software on all workstations. They also stress the importance of security awareness training, which teaches users to cross-reference sender and recipient addresses (among other things), and the integration of machine learning into virus protection defenses.

Sources: Fortinet, Techopedia, Bleeping Computer

The post Bitcoin Stealer Malware Takes $60K Using Clipboard Modification Method appeared first on Security Intelligence.

TSMC Chip Maker Blames WannaCry Malware for Production Halt

Taiwan Semiconductor Manufacturing Company (TSMC)—the world's largest makers of semiconductors and processors—was forced to shut down several of its chip-fabrication factories over the weekend after being hit by a computer virus. Now, it turns out that the computer virus outbreak at Taiwan chipmaker was the result of a variant of WannaCry—a massive ransomware attack that wreaked havoc across

Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents.

Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, has investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges

January holidays for hackers: a 689% surge in the number of leaks

The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis»shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.

About the Author: Group-IB Corporate Communications

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Securi ty Affairs – data leak, cryptocurrency exchanges)

The post Group-IB experts record a massive surge of user data leaks form cryptocurrency exchanges appeared first on Security Affairs.

The State of Security: The MITRE ATT&CK Framework: Persistence

When I first started researching ATT&CK last year, Persistence was the tactic which made me fall in love. Even though I have been in the industry for some time, I learned more from digging into the various techniques here than any other tactic. While I knew about fun tricks like replacing sethc.exe with cmd.exe and […]… Read More

The post The MITRE ATT&CK Framework: Persistence appeared first on The State of Security.

The State of Security

The MITRE ATT&CK Framework: Persistence

The post The MITRE ATT&CK Framework: Persistence appeared first on The State of Security.

Blog | Avast EN: TSMC shut down by WannaCry variant | Avast

Questions still surround the TSMC (Taiwan Semiconductor Manufacturing Company) computer virus incident which shut down operations for the world’s largest semiconductor foundry last Friday, August 3. While the company maintains this was not due to a cyberattack, it also reports that the virus was a variant of WannaCry, the ransomware that terrorized the world last year.

Blog | Avast EN

iPhone Chip Maker Firm Attacked with Computer Virus

By Uzair Amir

Launch of Many New iPhone Models May be Delayed. The world’s leading semiconductors and processors’ manufacturing firm and sole supplier of Apple iPhone chipsets, Taiwan Semiconductor Manufacturing Company (TSMC), became the target of a cyber-attack on Friday night. Reportedly, TSMC had to shut down its manufacturing plants because of the attack. It is revealed that […]

This is a post from HackRead.com Read the original post: iPhone Chip Maker Firm Attacked with Computer Virus

Packet Storm: Apple Chipmaker Recovers After Malware Attack

Packet Storm

Ramnit Changes Shape with Widespread Black Botnet

A massive proxy botnet is just the tip of the iceberg, a warning sign of a bigger operation in the works by the Ramnit operators.

A week in security (July 30 – August 5)

Last week, we posted a roundup of spam that may have landed in your mailbox, talked about what makes us susceptible to social engineering tactics, and took a deep dive into big data.

Other news:

Facebook claimed to have removed accounts that display behavior consistent with possible Russian actors engaged in misinformation. (Source: The Wall Street Journal)
Yale University disclosed that they were breached at least a decade ago. (Source: NBC – Connecticut)
High school students, be on the lookout! If you receive email or snail mail from organizations with impressive-sounding names, consider that it may just be a carefully packaged marketing scheme. (Source: Sophos’s Naked Security Blog)
A researcher from Amnesty International revealed that hackers have targeted them with malware from an Israeli vendor. (Source: Motherboard)
Certain e-commerce providers in the UK were affected by a data breach and exposed potentially more than a million user data. (Source: Graham Cluley’s blog)
A game on the Steam platform was found hijacking video game player machines to mine cryptocurrency. (Source: Motherboard)
The Alaskan Borough of Matanuska-Susitna was infected with malware that disrupted normal activities so much that they had to dust off old typewriters to continue issuing receipts. (Source: Sophos’s Naked Security blog)
While we’re on the subject of breaches, here’s another popular victim: Reddit. (Source: TechCrunch)
Google joined Apple in banning mining apps on the Play Store. (Source: Coin Central)
An independent security researcher from the UK spotted a DHL-themed spam carrying malware hidden in a GIF file. (Source: The SANS ISC InfoSec Forums)

Stay safe, everyone!

The post A week in security (July 30 – August 5) appeared first on Malwarebytes Labs.

Phishing Campaign Uses FTP Links to Deliver DanaBot Banking Trojan

A phishing campaign that delivers malware designed to steal banking data and other private information was discovered targeting a group of Australian businesses.

The attackers disguised their messages as invoices issued by MYOB, a local accounting software firm, according to a July 2018 Trustwave report. Users who clicked on the email links were directed to a file transfer protocol (FTP) server with a modular version of the DanaBot malware.

Once the three component pieces are activated, cybercriminals can send encrypted data, such as screenshots of victims’ machines, back to a command-and-control (C&C) server where it can be distributed covertly using channels like Tor.

Phishing Campaign Targets Businesses

This tactic suggests that the perpetrators designed the phishing campaign specifically to target business professionals. Tracking invoices is critical in almost any kind of company, which means victims are likely to pay greater attention to these messages. Using FTP also makes the malicious emails appear more legitimate than they would if they came from an unknown HTTP address.

Finally, the fact the DanaBot banking Trojan is broken up into multiple, heavily encrypted pieces means that it is flexible and agile enough to evade detection.

How Can Organizations Strengthen Email Security?

Security professionals can help protect their organizations from phishing campaigns by developing a layered approach to email security. IBM experts recommend investing in external solutions that pull data from sensors and other sources to scan all incoming messages.

They also recommend that security teams implement perimeter protection using spam detection tools and antispam solutions that can run on internal mailer servers on corporate networks. Finally, mail clients should be connected to a protection mechanism that detects spam and phishing attempts.

Source: Trustwave

The post Phishing Campaign Uses FTP Links to Deliver DanaBot Banking Trojan appeared first on Security Intelligence.

Fortnite APK is coming soon, but it will not be available on the Google Play Store

Fortnite, the most popular game will be soon available for Android users but the Fortnite APK will not be in the Play Store.

Fortnite continues to be the most popular game, it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success obtained by the Fortnite attracted cyber criminals that are attempting to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet, it is currently under development while the iOS version was released in March by Epic Games.

In the recent months, crooks attempted to take advantage of Android users’ interest in an alleged version for their devices of the popular game.

Experts discovered many blog posts and video tutorial with instructions to install fake Fortnite Android App.

Scammers are exploiting this interest to trick Android fans into downloading tainted version of the game that can compromise Android devices.

Now there is a news for the Android fans of the popular game, Epic Games confirmed the Fortnite APK for Android will be available for download exclusively only through its official website and not through the official Google Play Store.

According to the Epic Games CEO Tim Sweeney in this way, the company will have “have a direct relationship” with its consumers and will allow saving 30 percent fee that Google maintains when users download a software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve change the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney explained that the share of profits for the version running on Microsoft or Nintendo is right because the “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers disproportionate 30% cut on the fee applied by Google for its services but evidently doesn’t evaluate the security features implemented by the Google store to avoid crooks will serve tainted versions of the Fortnite APK.

Even if in the past we have found several malicious apps uploaded to the Play Store, we cannot underestimate the Google’s efforts for the security of its users.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

The only way to download an APK from a third-party store is to manually enable “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search “how to install Fortnite on Android,” these fans could be targeted in various ways, for example in black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

In order to install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, then it will allow them to load the Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by carrying out phishing campaign to trick Android users into downloading tainted version of Fortnite APK.

Stay Tuned …

Pierluigi Paganini

(Securi ty Affairs – Fortnite APK, gaming)

The post Fortnite APK is coming soon, but it will not be available on the Google Play Store appeared first on Security Affairs.

Top iPhone Supplier Battles WannaCry Infection

Production lines were halted for two days, and the effects to the global supply chain for mobile phones could be felt for the third quarter and beyond.

You’ll have to disable a recommended Android security setting to install Fortnite

Encouraging Android users to download apps from non-official sources is not a good idea from the security point of view, but Epic Games wants to maximise its profits.

Untangle Survey Finds SMBs Rank Network Security as Top IT Concern

Untangle®, Inc., a leader in comprehensive network security for small-to-medium business (SMB), today released the results of their first annual SMB IT Security Report. The findings explore IT security apprehensions for small and

The post Untangle Survey Finds SMBs Rank Network Security as Top IT Concern appeared first on The Cyber Security Place.

Fortnite APK Download for Android Won’t Be Available on Google Play Store

There's both good news and bad news for Fortnite game lovers. Fortnite, one of the most popular games in the world right now, is coming to Android devices very soon, but players would not be able to download Fortnite APK from the Google Play Store. Instead, Epic Games software development company has confirmed the Fortnite APK for Android will be available for download exclusively only

iPhone Chip Supplier TSMC Stops Production After Computer Virus Attack

Taiwan Semiconductor Manufacturing Company (TSMC)—Apple's sole supplier of SoC components for iPhones and iPads, and Qualcomm's major manufacturing partner—shut down several of its chip-fabrication factories Friday night after being hit by a computer virus. The world's largest makers of semiconductors and processors TSMC lost an entire day of production after several of its factories systems

Malware Hits Plants of Chip Giant TSMC

A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.

TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.

SecurityWeek RSS Feed: Malware Hits Plants of Chip Giant TSMC

A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.

TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.

SecurityWeek RSS Feed

Security Affairs: ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.

The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy mine leverages several exploits, including:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit

ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.

Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.

According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.

The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.

Further details including IoCs are reported in the analysis published by the expert.

Pierluigi Paganini

(Securi ty Affairs – miner, Monero)

The post ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis appeared first on Security Affairs.

Security Affairs

ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.

The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called this new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first dll, it uses some exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

The cryptocurrency uses Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy mine leverages several exploits, including:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit

ZombieBoy also uses both NSA-linked exploits DoublePulsar and EternalBlue exploits to remotely install the main dll. The malware used the ZombieBoyTools to install the two exploits.

Once the has established a backdoor in the target system it could deliver other families of malware, such as ransomware, and keyloggers.

According to Quinn’s, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, that means that users can earn $1,000 on a monthly base at the current rate.

Quinn highlighted that the miner is being updated constantly, he is observing new samples on a daily base.

The malware is able to detect VM and doesn’t run in a virtualized environment to make hard its detection.

Further details including IoCs are reported in the analysis published by the expert.

Pierluigi Paganini

(Securi ty Affairs – miner, Monero)

The post ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis appeared first on Security Affairs.

Security Affairs newsletter Round 174 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Once again thank you!

· Mysterious snail mail from China sent to US agencies includes Malware-Laden CD

· Security bug in Swann IoT Camera allowed to access video feeds

· Underminer Exploit Kit spreading Bootkits and cryptocurrency miners

· FELIXROOT Backdoor is back in a new fresh spam campaign

· KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens

· Tens of flaws in Samsung SmartThings Hub expose smart home to attack

· Titan Security Keys- Google announced USB-based FIDO U2F Keys

· A new sophisticated version of the AZORult Spyware appeared in the wild

· Dixons Carphone Data Breach discovered in June affected 10 Million customers

· Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread

· Ransomware attack against COSCO spread beyond its US network to Americas

· Facebook reported and blocked attempts to influence campaign ahead of midterms US elections

· Hundreds of apps removed from Google Play store because were carrying Windows malware

· Reddit discloses a data breach, a hacker accessed user data

· SamSam Ransomware operators earned more than US$5.9 Million since late 2015

· Ten years ago someone breached into a server of the Yale University

· Alleged Iran-linked APT group RASPITE targets US electric utilities

· Amnesty International employee targeted with NSO group surveillance malware

· Analyzing the Telegram-based Android remote access trojan HeroRAT

· Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards

· CVE-2018-14773 Symfony Flaw expose Drupal websites to hack

· Google introduced G Suite alerts for state-sponsored attacks

· Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign

· Industrial Sector targeted in surgical spear-phishing attacks

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 174 – News of the week appeared first on Security Affairs.

A malware paralyzed TSMC plants where also Apple produces its devices

A virus has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants where Apple produces its devices

A malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the iPhone chipmaker plans.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg that first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not able to restart before Sunday.

“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states the Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time that a malware cripples a TSMC facility paralyzing the production, according to the company “the degree of infection varied from factory to factory.”

“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.

The economic impact of this kind of incidents could be severe, at the time there is no info about losses caused by the attack on the Taiwanese firm.

At the time it is not possible to estimate the potential effects on the production of Apple devices, “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent”

Pierluigi Paganini

(Securi ty Affairs – Taiwan Semiconductor Manufacturing Co, Apple)

The post A malware paralyzed TSMC plants where also Apple produces its devices appeared first on Security Affairs.

Hacking tools & ready-made phishing pages being sold on dark web for $2

By Waqas

Apple Hacking Tools Double the Cost of Other Brands on Dark Web. There was a time when hackers needed to be really smart to accomplish their malicious deeds; now they only need to spend a meager amount of money to get the necessary tools and carry out attacks. Or so it seems if we have […]

This is a post from HackRead.com Read the original post: Hacking tools & ready-made phishing pages being sold on dark web for $2

Massive ransomware attack forcing authorities to move to typewriters

By Waqas

The ransomware attack also forced employees to use hand receipts. Two municipalities in Alaska (one town and one borough to be precise) have become victims of sophisticated encryption-based malware (ransomware) attack. Reportedly, the Matanuska-Susitna (Mat Su) and the City of Valdez have both been targeted with ransomware. Moving to typewriters The attack has had a devastating impact as […]

This is a post from HackRead.com Read the original post: Massive ransomware attack forcing authorities to move to typewriters

The Dark Web Market: The Cost Of Malware, Exploits And Services.

You may have an inkling about what goes on in the dark web. In case you do not know already,

The Dark Web Market: The Cost Of Malware, Exploits And Services. on Latest Hacking News.

Blog | Avast EN: SamSam ransomware can shut your city down | Avast

SamSam ransomware was first spotted in the digital wild back in 2015. Since then, its purveyors have racked up approximately $6M in extorted ransom money, experts surmise, and its diabolical reign shows no sign of slowing. The ransomware continues to be improved upon to make it sneakier, with its newest version encrypting files late at night, hoping to infect the system when the user is away from the screen. Additionally, the recent SamSam attacks all seem strategic and deliberate, as opposed to automated outbreaks, making them some of the most feared and destructive cyberattacks active today.

Blog | Avast EN

ZombieBoy cryptomining malware exploits CVEs to evade detection

By Waqas

ZombieBoy malware makes $1,000 Monero on a monthly basis. An independent security expert James Quinn has discovered a new family of cryptominers that has been dubbed as ZombieBoy. According to Quinn’s analysis, the newly discovered cryptomining worm clocked in at 43 KH/s which means as per the on-going Monero rate, it is making $1,000 on a […]

This is a post from HackRead.com Read the original post: ZombieBoy cryptomining malware exploits CVEs to evade detection

Packet Storm: MikroTik Routers Become Coinhive Cryptojacking Campaign

Packet Storm

Alleged “high-ranking” members of the Fin7 cybercrime group arrested

The DOJ says it's arrested three members of the highly professional Fin7 group.

Amnesty International spearphished with government spyware

Pegasus spyware is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists

Naked Security – Sophos: Amnesty International spearphished with government spyware

Pegasus spyware is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists

Naked Security - Sophos

ThreatList: Spam’s Revival is Tied to Adobe Flash’s Demise

Spam is back with a vengeance, thanks to the demise of attack vectors such as Adobe Flash.

Phishing Campaign Steals Money From Industrial Companies

Phishing emails purported to be commercial offers - but were really installing remote administration software on victims’ systems.

DataBreaches.net: After Singapore medical data hack, Hong Kong’s Department of Health becomes latest cyberattack victim

Clifford Lo reports that the HK Department of Health might have caught a break on a recent ransomware attack: Hong Kong’s...

DataBreaches.net

Podcast: Breaking Down the COSCO Ransomware Attack

Threatpost talks to Commvault's Matt Tyrer about the recent COSCO ransomware attack.

Analyzing the Telegram-based Android remote access trojan HeroRAT

Researchers at CSE Cybsec ZLab analyzed shared published their analysis of the Telegram-based Android RAT tracked as HeroRAT.

In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram BOT API to communicate with the attacker.

The use of Telegram API can be considered a new trend in Android RAT landscape, because other RAT families implementing the same functionalities, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.

HeroRAT appeared very active in Iran where it was spreading through third-party app stores, through tainted social media and messaging apps.

ESET experts speculate that the HeroRAT borrows the source code of a malware appeared in the hacking community in March 2018, however, it has some characteristics that distinguish it different from IRRAT and TeleRAT. One of these features is the usage of the Xamarin Framework and TeleSharp Library for the development of the RAT.

HeroRAT is offered for sale on a dedicated Telegram channel, the author offers three different variants depending on its functionalities: bronze (25 USD), silver (50 USD) and gold panels (100 USD). The malware author also released a demo video in which explains the RAT functionalities; below we have a screenshot from this demo video, showing the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180802_CSE_HeroRAT.pdf

Pierluigi Paganini

(Security Affairs – RAT, Telegram)

The post Analyzing the Telegram-based Android remote access trojan HeroRAT appeared first on Security Affairs.

Packet Storm: Malicious Android Apps With Keyloggers Pulled From Google Play

Packet Storm

Malware Stealing Credentials via Office Documents

Recently the threat actors in charge of the AZORult malware released a refreshed variant with upgrades on both the stealer and the downloader functionalities. This was altogether done within a day after the new version had released a dark web user AZORult in a large Email campaign to circulate the Hermes ransomware.

The new campaign with the updated adaptation of AZORult is in charge of conveying thousands of messages focusing on North America with subjects, such as, "About a role" or "Job Application" and even contains the weaponized office document "firstname.surname_resume.doc” attached to it.

Researchers said, “The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes.”

Attackers have made use of the password-protected documents keeping in mind the end goal to avoid the antivirus detections. Once the client enters the password for documents, it requests to enable macros which thusly download the AZORult, and at that point it connects with the C&C server from the already infected machine and the C&C server responds with the XOR-encoded 3-byte key.

Finally after exfiltrating stolen credentials from the infected machine, it additionally downloads the Hermes 2.1 ransomware.

Security analysts from Proofpoint even recognized the new version (3.2) of AZORult malware publicized in the underground forum with full changelog.

UPD v3.2

[+] Added stealing of history from browsers (except IE and Edge)

[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC

[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]Com/soft.exe. Also, there is a rule “If there is data from cryptocurrency wallets” or “for all”

[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)

[+] Reduced the load in the admin panel.

[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information

[+] Added to the admin panel guest statistics

[+] Added to the admin panel a geobase

As indicated by the scientists, the malware campaign contains both the password stealer as well as the ransomware, which is astounding on the grounds that it is not so common to see both. Therefore, before causing a ransomware attack, the stealer would check for cryptocurrency wallets and steal the accreditations before the files are encrypted.

Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Carrier-grade MikroTik routers are delivering potentially millions of daily cryptomining pages to the attacker.

Hundreds of Android apps on Play Store infected with Windows malware

By Uzair Amir

Yes, malware in Android apps aimed at Windows devices. Palo Alto Networks’ researchers have made a startling new discovery that nearly 145 applications available on the Google Play Store contain malicious Microsoft Windows executable files. Some of the malware-infected apps have been downloaded over a thousand times and display 4-star ratings. The malicious code cannot […]

This is a post from HackRead.com Read the original post: Hundreds of Android apps on Play Store infected with Windows malware

Google Play Yanks Android Apps Carrying Windows Malware

A total of 45 different Android apps were recently removed by Google from the company’s Play Store after it discovered

Google Play Yanks Android Apps Carrying Windows Malware on Latest Hacking News.

Notorious hacking group Fin7’s 3 main hackers arrested by the FBI

By Waqas

Three members of a ‘prolific’ and ‘notorious’ hacking group, known for carrying out massive hacking sprees against high-profile organizations have been arrested by the Federal Bureau of Investigation (FBI). According to the US Department of Justice (DOJ), the arrested individuals were leading the global cybercrime syndicate known as Fin7. The group has stolen over 15m […]

This is a post from HackRead.com Read the original post: Notorious hacking group Fin7’s 3 main hackers arrested by the FBI

Amnesty International Targeted by Israeli Spyware

Human rights organization Amnesty International reports it’s been the target of a spyware campaign traced to a secretive Israel cyber-surveillance company and distributed through the chat application WhatsApp. An Amnesty International staff member in June received a WhatsApp message that contained clickbait regarding a Saudi Arabian protest,...

Read the whole entry... »

Three Suspected Members of Computer Crime Group in Custody for Malware Campaigns

Law enforcement personnel have arrested three suspected members of an international computer crime group for their roles in perpetrating malware campaigns against U.S. companies. On 1 August, the Department of Justice (DOJ) announced in a press release that foreign authorities had arrested three alleged members of FIN7. The arrests began in January 2018 when foreign […]… Read More

The post Three Suspected Members of Computer Crime Group in Custody for Malware Campaigns appeared first on The State of Security.

Smashing Security #089: Data breaches, ransomware, Bitcoin robberies, and typewriters

Ransomware rears its head again, Dixons Carphone reveals its data breach was almost 1000% worse than they previously thought, a man is accused of stealing five million dollars worth of cryptocurrency through hijacking mobile phones, and a Canadian guy called Norman is rushing to get the typewriters out of storage.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist Geoff White.

How do file partner programs work?

It’s easy to notice if you’ve fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, and in the list of installed utilities there is, for example, setupsk, Browser Enhancer, Zaxar game browser, “PC optimizers” (such as Smart Application Controller or One System Care), or unknown browsers, 99% of the time it’s pay-per-install network. Every month, Kaspersky Lab security solutions prevent more than 500,000 attempts to install software that is distributed through advertising partner programs. Most such attempts (65%) happen in Russia.

Geography of attempts to install advertising partner programs apps, June 2018

The partner program acts as an intermediary between software vendors who wish to distribute their apps and owners of file hosting sites. When the user clicks the Download or similar button on such sites, the partner program provides a special installer that downloads the required file, but also determines which set of additional software should be installed on the PC.

File partner programs benefit everyone except the user. The site owner receives money for installing “partner” apps, and the partner program organizer collects a fee from the advertisers, who in turn get what they wanted, since their software is installed.

Propagation methods

To illustrate the process, we chose a scheme used by several partner programs. Let’s look at a real page offering to download a plugin for the S.T.A.L.K.E.R. game.

On attempting to download it, the user is redirected to a landing page selected by the administrator of the file-sharing site when loading the file onto the partner program server. Such pages often mimic the interface of popular cloud services:

Example of a fake page to which the user is redirected

This is what the landing page chooser looks like in the File-7 partner program settings

On clicking the download button, the user receives a file with one of the following formats:

ZIP-archive
Torrent file
ISO image
HTML document

Moreover, archives are often multi-layered and, in many cases, password-protected. Such protective measures and choice of format are not accidental — partner programs engage a wide range of tricks to prevent browser from blocking the download of their installers.

Notification about installer download blocks in a partner program’s news feed

The victim is often guided through the loader installation with hints on the download pages as to how to find the program, which password to use for the archive, and how to run the installer. Some versions contain readme attachments with a description of the actions required for the installation. Regardless of the type of file that the user wanted to download, the end product is an executable. Interestingly, every time one and the same file is downloaded, its hash sum changes, and the name always contains a set of some characters.

Example of how loader files are named

Communicating with the server

At the preparatory stage, the partner program installer exchanges data with the C&C server. Every message transmitted uses encryption, usually rather primitive: first it is encoded in Base64, then the result is inverted, and again encoded in Base64.

At stage one, the loader transmits information about the downloaded installer, plus data for identifying the victim to the server. The message includes confidential information: user name, PC domain name, MAC address, machine SID, hard drive serial number, lists of running processes and installed programs. Naturally, the data is collected and transmitted without the consent of the device owner.

The server responds with a message containing the following information fields:

adverts list — with the installation conditions for certain partner software
content — contains the name of the file that the user originally intended to download and a link to it
icon — contains a link to an icon that is later downloaded and used when starting the graphical interface of the loader.

The installer checks that the conditions listed for each “advert” are fulfilled. If all conditions are met, the id of the advert is added to the adverts_done list. In the example above, for instance, the registry is checked for paths indicating that one of the selected antiviruses is installed on the computer. If this is the case, the partner software with id 1116 is not added to the adverts_done list and will not subsequently be installed on the user’s computer. The purpose of such a check is to prevent the installation of a program that would trigger antivirus software. Next, the generated list is sent to the server:

The server selects several id’s (usually 3-5) from the resulting adverts_done list and returns them to the campaigns list. For each id, this list has a checkboxes field containing the text to be displayed in the installation consent window, the url field containing a link to the installer of the given advert, and the parameter field containing a key for installing the unwanted software in silent mode.

After that, a window opens that simulates the download process in Internet Explorer. The loader does not explicitly notify the user that additional programs will be installed on the computer along with the downloaded file. Their installation can be declined only by clicking a barely discernible slider in the bottom part of the window.

File loader window

During the file download process, software that the user does not deselect is installed inconspicuously. At the final stage of operation, the loader reports to the server about the successful installation of each individual product:

Installed software analysis

By analyzing the loader process, we managed to get some links to various programs that can be installed secretly. Although most of the software relates to different advertising families (that’s how Pbot finds its way onto user devices, for example), that is not the only thing distributed via file partner programs. In particular, around 5% of the files were legitimate browser installers. About 20% of the files are detected as malicious (Trojan, Trojan-Downloader, etc.).

Conclusion

Owners of file-sharing sites that cooperate with similar partner programs often do not even check what kind of content visitors get from the resource. As a result, anything at all can be installed on the user’s computer besides legitimate software. Therefore, in the absence of security solutions, such resources need to be used with extreme caution.

Kaspersky Lab products detect the loaders of file partner programs with the following verdicts:

AdWare.Win32.AdLoad
AdWare.Win32.FileTour
AdWare.Win32.ICLoader
AdWare.Win32.DownloadHelper

IoCs:

1F2053FFDF4C86C44013055EBE83E7BD
FE4932FEADD05B085FDC1D213B45F34D
38AB3C96E560FB97E94222740510F725
F0F8A0F4D0239F11867C2FD08F076670
692FB5472F4AB07CCA6511D7F0D14103

Securelist – Kaspersky Lab’s cyberthreat research and reports: How do file partner programs work?

Geography of attempts to install advertising partner programs apps, June 2018

Propagation methods

To illustrate the process, we chose a scheme used by several partner programs. Let’s look at a real page offering to download a plugin for the S.T.A.L.K.E.R. game.

Example of a fake page to which the user is redirected

This is what the landing page chooser looks like in the File-7 partner program settings

On clicking the download button, the user receives a file with one of the following formats:

ZIP-archive
Torrent file
ISO image
HTML document

Notification about installer download blocks in a partner program’s news feed

Example of how loader files are named

Communicating with the server

At stage one, the loader transmits information about the downloaded installer, plus data for identifying the victim to the server. The message includes confidential information: user name, PC domain name, MAC address, machine SID, hard drive serial number, lists of running processes and installed programs. Naturally, the data is collected and transmitted without the consent of the device owner.

The server responds with a message containing the following information fields:

adverts list — with the installation conditions for certain partner software
content — contains the name of the file that the user originally intended to download and a link to it
icon — contains a link to an icon that is later downloaded and used when starting the graphical interface of the loader.

The installer checks that the conditions listed for each “advert” are fulfilled. If all conditions are met, the id of the advert is added to the adverts_done list. In the example above, for instance, the registry is checked for paths indicating that one of the selected antiviruses is installed on the computer. If this is the case, the partner software with id 1116 is not added to the adverts_done list and will not subsequently be installed on the user’s computer. The purpose of such a check is to prevent the installation of a program that would trigger antivirus software. Next, the generated list is sent to the server:

The server selects several id’s (usually 3-5) from the resulting adverts_done list and returns them to the campaigns list. For each id, this list has a checkboxes field containing the text to be displayed in the installation consent window, the url field containing a link to the installer of the given advert, and the parameter field containing a key for installing the unwanted software in silent mode.

File loader window

Installed software analysis

Conclusion

Kaspersky Lab products detect the loaders of file partner programs with the following verdicts:

AdWare.Win32.AdLoad
AdWare.Win32.FileTour
AdWare.Win32.ICLoader
AdWare.Win32.DownloadHelper

IoCs:

1F2053FFDF4C86C44013055EBE83E7BD
FE4932FEADD05B085FDC1D213B45F34D
38AB3C96E560FB97E94222740510F725
F0F8A0F4D0239F11867C2FD08F076670
692FB5472F4AB07CCA6511D7F0D14103

Securelist - Kaspersky Lab’s cyberthreat research and reports

Hackers Earned $5.9 Million As Ransom Through SamSam Ransomware Attacks

Though SamSam has been around for quite some time, we haven’t had a chance to find out many details about

Hackers Earned $5.9 Million As Ransom Through SamSam Ransomware Attacks on Latest Hacking News.

Amnesty International employee targeted with NSO group surveillance malware

An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.

Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

[link]”

The organization added that such kind of attacks is becoming even more frequent, a growing number of Israeli surveillance software being used to spy on human rights operators and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts were matching NSO Group’s description of Pegasus in the Hacking Team leaked document, they found two other connections to NSO Group:

evidence that connects the malicious links used by the attackers and collected with NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.

“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.” continues the report.

There are several companies that develop surveillance platforms for targeting mobile devices, the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International was corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

Country Nexus	Reported cases of individuals targeted	Year(s) in which spyware infection was attempted
Panama	Up to 150 (Source: Univision)¹	2012-2014
UAE	1 (Source: Citizen Lab)	2016
Mexico	22 (Source: Citizen Lab)	2016
Saudi Arabia	2 (Source: Amnesty, Citizen Lab)	2018

Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.

Pierluigi Paganini

(Securi ty Affairs – Amnesty International, surveillance)

The post Amnesty International employee targeted with NSO group surveillance malware appeared first on Security Affairs.

DOJ Nabs Three FIN7 Cybercrime Suspects in Europe

Three people believed to be member of the FIN7 (or Carbanak) hacking group have been arrested in Europe, according to the US DOJ.

Three men arrested for stealing over 15 million payment cards

US officials announced today that three alleged leaders of the cybercrime group known alternatively as Fin7, Carbanak and the Navigator Group have been arrested in Germany, Poland and Spain and charged with 26 felony counts. The charges include conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The Department of Justice alleges that Fin7 members have targeted more than 100 US companies, hacked thousands of computer systems and stolen 15 million credit and debit card numbers. The group is said to have breached networks in 47 states and Washington, DC and hacked 6,500 point-of-sale terminals at over 3,600 business locations.

Source: Department of Justice

How the SamSam attacker stole millions from US companies

There are many reasons that the SamSam ransomware has achieved widespread notoriety: it disrupted the operations of some of its victims to a point that the attack couldn’t remain secret, the asked-for ransom amount was considerably larger that those requested by other ransomware attackers, and the malware was not delivered and deployed via the most often-used route (spam or phishing emails). A new report by Sophos, whose researchers followed the money and tracked down a … More →

The post How the SamSam attacker stole millions from US companies appeared first on Help Net Security.

Amnesty International Targeted by Nation-State Spyware

A suspicious WhatsApp message carried the mobile cyberweapon known as Pegasus – sold by Israel-based company NSO Group to state-level actors around the world.

Android apps infected with umm… Windows malware

Security researchers at Palo Alto Networks recently discovered 145 apps in the official Google Play Android store that were “infected by malicious Microsoft Windows executable files.”

Yes, you read that correctly. Android apps carrying malicious Windows executables.

Staff dust off their typewriters after malware attack

Malware has taken down systems in at least two Alaskan municipalities in an attack that officials say is the worst they have ever seen.

Steam Bans Developer After Outcry Over Cryptomining, Scam Items

A simple, 2D game raised eyebrows after it was found to be consuming big amounts of processing power.

Uknown Actor Leaks Android Malware Exobot Source Code

An unknown actor leaked the source code for the Android malware Exobot online, leading to fears of new attack campaigns.

In June 2018, the unknown individual sent a copy of Exobot’s source code to Bleeping Computer, which subsequently shared it with security companies ESET and ThreatFabric. The companies confirmed that the code was for version 2.5 of Exobot, an Android banking Trojan that is based on the Marcher Android malware, according to IBM X-Force researchers.

The source code for Exobot first appeared online in May 2018 after someone who purchased it from the author decided to share it with the malware community.

Why the Source Code Leak Could Foreshadow a Massive Attack

Bleeping Computer researchers observed Exobot’s source code being distributed on “quite a few” underground web marketplaces after receiving its copy. This fact is concerning because previous malware source code leaks have led to surges of new attack campaigns.

For instance, Level 3 Threat Research Labs identified 213,000 Mirai-enslaved bots via communication with the command-and-control server before the release of the malware’s source code. After this event, the team discovered that the number of Mirai bots more than doubled, increasing to 493,000.

This incident occurred just before Mirai staged its infamous distributed denial-of-service (DDoS) attack against Dyn’s managed Domain Name System (DNS) infrastructure in late 2016.

How to Protect Mobile Devices From Android Malware

To protect their organizations against the repercussions from malware source code leaks, IBM experts recommend adopting a broad approach to mobile threat prevention. This strategy requires investing in a unified endpoint management (UEM) solution to scan devices for potential threats and setting up network protocols to help remediate a malware infection.

These features should also include real-time compliance rules and alerts to help automate the process of malware remediation and removal on mobile devices.

Sources: Bleeping Computer, NetFormation

The post Uknown Actor Leaks Android Malware Exobot Source Code appeared first on Security Intelligence.

Spam still the most common cyber crime technique, according to recent research

According to a recent study by cyber security firms F-Secure and MWR InfoSecurity, spam remains the first choice for malware implementation. Spam remains popular among cyber criminals 40 years after

The post Spam still the most common cyber crime technique, according to recent research appeared first on The Cyber Security Place.

Hundreds of apps removed from Google Play store because were carrying Windows malware

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.

Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store because they were carrying a Windows malware,

The apps were uploaded to the Google Play store between October and November 2017, this means that for months Android users were exposed to the attack. In some cases, the apps have been downloaded thousands of times and were rated with 4-stars.

The malicious code included in the code of the app was developed to compromised Windows systems and leverage the Android device as an attack vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

Creates executable and hidden files in Windows system folders, including copying itself
Changes Windows registry to auto-start themselves after restarting
Attempts to sleep for a long period
Has suspicious network connection activities to IP address 87.98.185.184 via port 8829

Some of the apps included multiple malicious PE files at different locations, with different file names, anyway the experts the experts noticed that malware were found embedded in most applications.

The researchers discovered that one of malware was included in 142 APKs, a second malicious code was found in 21 APKs. 15 apps were found containing both PE files inside.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”

The attackers attempted to conceive the PE files by using fake names that look like legitimate, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because they were using different development platform for the apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,”

Pierluigi Paganini

(Securi ty Affairs – Play Store, malware)

The post Hundreds of apps removed from Google Play store because were carrying Windows malware appeared first on Security Affairs.

Security Affairs: SamSam Ransomware operators earned more than US$5.9 Million since late 2015

The security experts from Sophos have published a report on the multimillion-dollar black market business for crooks, they analyzed the SamSam ransomware case as a case study.

The researchers that have tracked Bitcoin addresses managed by the crime gang discovered that crooks behind the SamSam ransomware had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom. “

SamSam ransomware payments

The attackers deploy the SamSam ransomware manually by compromising RDP on the target machine, this aspect makes SamSam infections different from the ones associated with other ransomware that leverages spam campaigns or malvertising.

The attackers carry on brute-force attacks on RDP of the target system, some time they leverage credentials obtained from other data breaches typically offered for sale on the dark web.

Once compromised a system inside the targeted organization, the SamSam search for other machines to infect while stealing credentials.

When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.

Once infected the largest number of systems in the targeted organization, operators attempt to offer a complete clean up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process first involves most valuable data thanks to a multi-tiered priority system, SamSam ransomware doesn’t encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

regularly patch against known vulnerabilities for the applications and operating systems;
keep regular backups;
use multi-factor authentication;
restrict access to RDP(on port 3389);

Pierluigi Paganini

(Securi ty Affairs – ransomware, malware)

The post SamSam Ransomware operators earned more than US$5.9 Million since late 2015 appeared first on Security Affairs.

Security Affairs

SamSam Ransomware operators earned more than US$5.9 Million since late 2015