Category Archives: trojans

Astaroth Trojan Exploits Antivirus Software

The Astaroth Trojan steals credentials and other user data through antivirus software, Avast, and services. It sends scam campaigns with

Astaroth Trojan Exploits Antivirus Software on Latest Hacking News.

What is an advanced persistent threat (APT)? And 5 signs you’ve been hit with one

Do you have valuable data on your network? Noticing odd network behavior? You could be the victim of an APT attack. An advanced persistent threat (APT) is a cyberattack executed

The post What is an advanced persistent threat (APT)? And 5 signs you’ve been hit with one appeared first on The Cyber Security Place.

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros

Researchers have discovered a new Trojan campaign that creates a Linux backdoor. Referred to as SpeakUp, the backdoor malware exploits

New Linux Backdoor “SpeakUp” Found Exploiting Flaws In Multiple Linux Distros on Latest Hacking News.

BackSwap and the danger of banking Trojans

BackSwap Banking Trojan

In the survival guide for million-dollar cyberattacks that we published in 2017, we warned how dangerous banking Trojans can be, and highlighted them as one of the key trends in financial cybercrime, along with phishing and keyloggers. Banking Trojans steal their victim’s online identity and use this information to trick financial institutions and steal money from their accounts. Generally this is done by installing applications or by inserting malicious code into the browsers from which users access their bank accounts.

But over the last few years, it seems that the level of banking Trojan activity has decreased considerably. On the one hand, institutions have reacted to the threat by considerably improving their security and their customers’ authentication factors; one example of this is the implementation of virtual keyboards for user sign-in. This way, a cyberattacker cannot use a keylogger to capture the details that the user would otherwise enter with a physical keyboard.

On the other hand, developers have implemented barriers and mechanisms to make injecting code into browsers more complex. For this reason, as we have been pointing out for some time, cyberattackers have been focusing their efforts on other kinds of attacks that are simpler and more profitable, such as ransomware or cryptojacking.

However, in the last few weeks, banking Trojans have started to gain momentum once again, using new, alternative techniques, rather than infiltrating browsers directly. This is the case with BackSwap, a new banking Trojan that has managed to infiltrate several Spanish banks, and which could pose a serious threat to other companies, especially if it comes into contact with employees who work closely with banking institutions. But how does BackSwap work?

BackSwap and its new techniques

BackSwap is an improved and updated variant of the Tinba malware, which was developed in 2015. That malware was noteworthy because of its small size (between 10 and 50Kb) and its capacity to steal the user’s credentials. As ESET researchers discovered, there is one key difference between BackSwap and its predecessor, as well as other code-injecting banking Trojans such as Zbot, Gozi or Dridex. The difference lies in its methodology, which circumvents the browsers’ barriers and can be more difficult for less modern cybersecurity solutions to detect. There are three new techniques that BackSwap uses:

  • It detects when the user is accessing a banking institution online via a mechanism native to Windows called the “message loop”: BackSwap monitors the Windows message loop to search for patterns that look like a URL, such as “https” strings and other terms related to the name of a bank.
  • Once it detects that the browser is accessing and loading a banking website, BackSwap proceeds to manipulate the loaded content, but does not inject code directly into the browser. Rather, it simulates a user’s keystrokes, copies the code to the clipboard, and then pastes it into the developer console. All of this is done in a way that is invisible to the user.
  • Finally, an alternative method, and one that it seems to use more frequently than the previous technique, is to simulate key presses in the browser’s address bar: it simulates typing a JavaScript string, pastes the malicious code, and virtually presses Enter in order to execute the code. Again, none of this is visible on the user’s screen, nor does it leave any traces in the history.

How can we prevent it?

As is the case with other banking Trojans such as Trickbot, which we previously analyzed, the main attack vector for BackSwap is email. It is mainly spread via spam containing malicious files such as attached Word documents into which the malware is inserted. Once the file has been executed, it stays on the machine, waiting for the victim to access a banking-related website.

For this reason, the first line of continuous prevention should be employee caution about suspicious emails containing attachments. This is especially true of employees such as CFOs and members of the administration or accounting teams, whose role involves having a close working relationship with financial institutions. It is important to remember that the subject “Invoice” was the cause of 6 out of 10 of the most effective phishing campaigns in 2018.

Likewise, it is a very good idea to have advanced cybersecurity solutions with 360º monitoring, such as Panda Adaptive Defense. On one hand, it performs a complete scan of all emails and attachments in real time as soon as they enter the inbox. On the other hand, it constantly monitors employees’ website use, detecting any suspicious activity in their computers’ browsers. Advanced solutions like Adaptive Defense mean that the negative impact of banking Trojans as complex as BackSwap is reduced to a minimum.

The post BackSwap and the danger of banking Trojans appeared first on Panda Security Mediacenter.

Banking trojan Gozi resurfaces with new tactics

Twelve-year-old trojan malware, Gozi, has resurfaced with new techniques to steal users’ financial credentials. Using common strategies such as keylogging,

Banking trojan Gozi resurfaces with new tactics on Latest Hacking News.

2019 State of Malware report: Trojans and cryptominers dominate threat landscape

Each quarter, the Malwarebytes Labs team gathers to share intel, statistics, and analysis of the tactics and techniques made popular by cybercriminals over the previous three months. At the end of the year, we synthesize this data into one all-encompassing report—the State of Malware report—that aims to follow the most important threats, distribution methods, and other trends that shaped the threat landscape.

Our 2019 State of Malware report is here, and it’s a doozy.

In our research, which covers January to November 2018 and compares it against the previous period in 2017, we found that two major malware categories dominated the scene, with cryptominers positively drenching users at the back end of 2017 and into the first half of 2018, and information-stealers in the form of Trojans taking over for the second half of the year.

But that’s not all we discovered.

The 2019 State of Malware report follows the top 10 global threats for consumers and businesses, as well as top threats by region and by corporate industry verticals. In addition, we followed noteworthy distribution techniques for the year, as well as popular scams. Some of our findings include:

  • In 2018, we saw a shift in ransomware attack techniques from malvertising and exploits that deliver ransomware as a payload to targeted, manual attacks. The shotgun approach was replaced with brute force, as witnessed in the most successful SamSam campaigns of the year.
  • Malware authors pivoted in the second half of 2018 to target organizations over consumers, recognizing that the bigger payoff was in making victims out of businesses instead of individuals. Overall business detections of malware rose significantly over the last year—79 percent to be exact—and primarily due to the increase in backdoors, miners, spyware, and information stealers.
  • The fallout from the ShadowBrokers’ leak of NSA exploits in 2017 continued, as cybercriminals used SMB vulnerabilities EternalBlue and EternalRomance to spread dangerous and sophisticated Trojans, such as Emotet and TrickBot. In fact, information stealers were the top consumer and business threat in 2018, as well as the top regional threat for North America, Latin America, and Europe, the Middle East, and Africa (EMEA).

Finally, our Labs team stared into its crystal ball and predicted top trends for 2019. Of particular note are the following:

  • Attacks designed to avoid detection, like soundloggers, will slip into the wild.

  • Artificial Intelligence will be used in the creation of malicious executables.

  • Movements such as Bring Your Own Security (BYOS) to work will grow as trust declines.

  • IoT botnets will come to a device near you.

To learn more about top threats and trends in 2018 and our predictions for 2019, download our report from the link below.

2019 State of Malware Report

The post 2019 State of Malware report: Trojans and cryptominers dominate threat landscape appeared first on Malwarebytes Labs.

NanoCore Trojan Malware Cannot be Killed By Users

Most people are now familiar with how destructive and damaging computer viruses such as a Trojan can be. Many are

NanoCore Trojan Malware Cannot be Killed By Users on Latest Hacking News.

Chinese arrest 20 in major Crypto Currency Mining scam

According to the Chinese-language publication Legal Daily, police in two districts of China have arrested 20 people for their roles in a major crypto currency mining operation that earned the criminals more than 15 million yuan (currently about $2M USD).

The hackers installed mining software developed by Dalian Yuping Network Technology Company ( 大连昇平网络科技有限 ) that was designed to steal three types of coins: Digibyte Coins (DGB, currently valued at USD$0.03 each), Siacoin (SC, currently valued at $0.01 each) and DeCred coins (DCR coins, currently valued at $59.59 each).

It is believed that these currencies were chosen for the dual reason that they are easier to mine, due to less competition, and that they are less likely to be the target of sophisticated blockchain analysis tools.

The Game Cheat Hacker

The investigation began when Tencent detected the presence of a hidden Trojan horse with silent mining capabilities built into a cheat for a popular first person shooter video game. The plug-in provided a variety of cheats for the game, including "automatic aiming", "bullet acceleration", "bullet tracking" and "item display."

Tencent referred the case to the Wei'an Municipal Public Security Bureau, who handled the case extremely well. As they learned more about the trojans, they first identified the social media groups and forums where the trojan was being spread, and then traced the identity of the person uploading the trojaned game cheat to a criminal named Yang Mobao. Mobao participated as a forum moderator on a site called the "Tianxia Internet Bar Forum", and members who received the cheat from him there widely shared it in other forums and social media sites, including many file shares on Baidu.

Mobao was popularizing the cheat program by encouraging others to make suggestions for new functionality. The users of the tool did not suspect that they were actually mining crypto-currency while using the cheat. More than 30,000 victims were using his cheat software and secretly mining crypto-currency for him.

Yang Mobao had a strong relationship with gamers from his business of selling gaming video cards to Internet cafes. He installed at least 5,774 cards in at least 2,465 Internet cafes across the country, preloading the firmware on the cards to perform mining. It turns out that these cards ALSO were trojaned! As a major customer of Dalian Yuping, Mobao was offered a split of the mining proceeds from the cards he installed, earning him more than 268,000 yuan.

Yang is described as a self-taught computer programmer who had previously worked managing Internet cafes. After experiencing some profit from the scheme above, he modified the malware embedded in some of the video cards and installed his own miner, mining the HSR coin and transferring the proceeds to a wallet he controlled.

The Video Card Maker

After Yang Mobao confessed to his crimes, the cybercrime task force sent 50 agents to Dalian, in Liaoning Province. The Task Force learned that Dalian Yuping Network Technology had been approached by advertisers, who paid them to embed advertising software on their video cards, which were then installed in 3.89 million computers, mostly high-end gaming systems installed in video cafes. The company's owner, He Mou, and the company's Financial Controller, his wife Chen Mou, had instructed the company's head of R&D, Zhang Ning, to investigate mining software and to experiment with various mining trojans. In addition to the illegal advertising software embedded in those 3.89 million video cards, their crypto currency mining software was embedded into 1 million additional video cards which were sold and deployed in Internet cafes across the country.

Each time one of those machines successfully mined a coin, the coin was transferred to a wallet owned by He Mou. Chen Mou could then cash them out at any time in the future.

16 suspects at the company were interrogated and 12 criminally detained for the crime of illegally controlling computer information systems. Zhao was sentenced to four years himself.

(I learned of this story from CoinDesk's Wolfie Zhao, and followed up on it from the Legal Daily story he links to as well as a report in Xinhuanet, by reporter Xu Peng and correspondents Liu Guizeng and Wang Yan.) (记者 徐鹏 通讯员 刘贵增 王艳)