Showing results for tags 'malware'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 212 results

  1. Nasty Android malware reinfects its targets, and no one knows how

Users report that xHelper is so resilient it survives factory resets.

A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off. xHelper came to light last May when a researcher from security firm Malwarebytes published a brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices, mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Blind alleys

Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation. Eventually (and with the help of the Android user), company researchers identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc.

To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device. “This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device. The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders.

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during the factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card). “I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.”

Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)
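The remediation in the post comes down to locating the com.mufc.* staging directories and the APK droppers inside them. The following is an added example, not Malwarebytes' tooling and not code from the Ars Technica article: a Python script that walks a local copy of the device's shared storage (assumed to have been pulled with adb or mounted from an image) and reports any directory carrying that prefix that contains an APK. It identifies APKs by their ZIP contents rather than by extension, so a dropper stored under an innocuous file name is still caught. The directory layout it scans is constructed inside the script for the demonstration; the prefix and the example directory name com.mufc.umbtts are the only facts taken from the write-up.

```python
"""Locate xHelper-style staging directories in a copy of Android shared storage.

Added example, not Malwarebytes' tooling. Assumes the device's shared storage
(or an image of it) has been copied locally; walks it for directories whose
basename starts with the 'com.mufc.' prefix from the write-up and identifies
APKs inside them by content, not by file extension.
"""
import os
import tempfile
import zipfile

MUFC_PREFIX = "com.mufc."
# An APK is a ZIP archive; every real one carries at least these two entries.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def is_apk(path):
    """True if *path* is a ZIP archive whose entries include the APK markers."""
    if not zipfile.is_zipfile(path):
        return False
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return APK_MARKERS.issubset(names)


def find_mufc_payloads(root):
    """Walk *root*; return sorted (relative directory, file name) pairs for APK
    payloads found under any directory whose basename starts with MUFC_PREFIX."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not os.path.basename(dirpath).startswith(MUFC_PREFIX):
            continue
        for name in filenames:
            if is_apk(os.path.join(dirpath, name)):
                hits.append((os.path.relpath(dirpath, root), name))
    return sorted(hits)


def _write_zip(path, entries):
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x00")  # placeholder bytes, not real code


def build_sample_storage(root):
    """Constructed layout for the demonstration (no real malware samples):
    one staging directory with a disguised APK, one with a harmless archive,
    and an unrelated app directory holding an ordinary-looking APK."""
    staged = os.path.join(root, "com.mufc.umbtts")
    other = os.path.join(root, "com.mufc.other")
    benign = os.path.join(root, "com.example.notes")
    for d in (staged, other, benign):
        os.makedirs(d, exist_ok=True)
    # Payload stored without an .apk extension: only a content check finds it.
    _write_zip(os.path.join(staged, "data.bin"), APK_MARKERS)
    _write_zip(os.path.join(other, "cache.zip"), {"readme.txt"})
    _write_zip(os.path.join(benign, "base.apk"), APK_MARKERS)
    with open(os.path.join(staged, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, not an archive")
    return root


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_storage(tmp)
        return find_mufc_payloads(tmp)


if __name__ == "__main__":
    for directory, filename in demo():
        print(f"suspect APK payload: {directory}/{filename}")
```

The script only reports what to delete; disabling the Play Store first, as Collier recommends, and the deletion itself remain manual steps on the device. Matching on the ZIP entries rather than the extension matters because nothing in the write-up says the droppers were named .apk.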
  2. These Crappy Android Cleaner Apps Are Actually Malware

While the latest Android malware you should look out for hasn’t been as popular as the scammy apps that recently drove 382+ million downloads, it’s plenty serious. Security researchers from Trend Micro recently called out a number of Android apps—with more than 470,000 total downloads combined—for being bogus system-cleaning utilities that actually had the potential to install more than 3,000 other malware apps on a user’s device. Worse, these shitty apps could also log into these other shitty apps using your Facebook or Google credentials to help perpetuate advertising fraud (and likely get the malware’s creators a decent payout, until caught). As Trend Micro describes:

"Based on our analysis, the 3,000 malware variants or malicious payloads (detected by Trend Micro as AndroidOS_BoostClicker.HRX) that can be possibly downloaded to an affected device with this campaign pretend to be system applications that do not show app icons on the device launcher or application list. The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up."

Though odds are good that you haven’t been infected by the original apps or the malware they dump on your device, here’s a quick list of the apps you’d want to look out for (just in case):

  • Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler
  • Super Clean Lite- Booster, Clean&CPU Cooler
  • Super Clean-Phone Booster,Junk Cleaner&CPU Cooler
  • Quick Games-H5 Game Center
  • Rocket Cleaner
  • Rocket Cleaner Lite
  • Speed Clean-Phone Booster,Junk Cleaner&App Manager
  • LinkWorldVPN
  • H5 gamebox

What’s more important in this case is Trend Micro’s takeaways for avoiding shitty apps like these on the Google Play Store. But first, I’m going to give you my advice: You don’t need cleaner apps for your Android.

Sample size of one here, but I’ve never used (or needed) a cleaner app in all the countless years I’ve used Android, and my devices have never suffered. Besides, you’re only asking for trouble if you actually think that an app with a scammy-sounding title like “Super Clean-Phone Booster,Junk Cleaner&CPU Cooler” is going to do anything helpful for your phone. If you really, really feel like your device’s performance is terrible, consider backing up your photos and videos to the cloud, factory resetting your device, and setting it up from scratch again. Odds are good your device will still feel slow, since newer apps and operating system updates might have more demanding requirements than when you first purchased your smartphone, but you might at least be able to clear up some system resources by mass-clearing out any background apps you forgot about. And if your phone was nearly maxed out with data, clearing up some space might make Android feel a little faster.

As for Trend Micro, they have a great observation about how it’s difficult to verify an app’s legitimacy by only looking at its reviews and ratings—if you’re just focusing on numbers and stars, that is.

"Verifying an app’s legitimacy is typically done by checking user-created reviews on the Play Store. However, in this particular case, the malicious app is capable of downloading payloads that can post fake reviews unbeknownst to the user. Despite the slew of positive reviews, it does leave some red flags — even though different users left positive reviews, the comments they leave contain the same, exact text: ‘Great, works fast and good.’ They also gave the app the same four-star rating."

As always, stick to downloading apps from Google Play and turn off your device’s ability to install apps from unknown sources, if you’ve ever used that to sideload an app and forgot to reset it. When you’re considering installing a new app on your device, even from Google Play, ask yourself whether it’s truly necessary. Do a web search to see if more trustworthy alternatives exist from well-known app developers and brands. Read the reviews to see if they sound off. Has the app been around for years and received regular updates, or is this an app’s very first version—and, somehow, it’s racked up a ton of reviews despite only being a few days old?

Unfortunately, the onus is on you to keep your device free of crappy apps. Google can help, but it can’t catch everything in advance—as we’ve seen. And make sure you’re giving your friends this advice, too; you might be smart, but your loved ones who are a bit less tech-savvy are probably going crazy with cleaner and other crapware downloads. Help them!

Source
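Trend Micro's observation above is a detection heuristic in its own right: many distinct accounts leaving the exact same text and the same rating. As an added example, not Trend Micro's or Google's code, the Python below groups a constructed set of review records by normalised text and star rating and flags clusters posted by at least a threshold number of distinct accounts. The records, the threshold and the normalisation rules are assumptions for the demonstration; the quoted review text is the one from the article.

```python
"""Flag review clusters that look bot-posted: identical text and rating from
many distinct accounts. Added example, not Trend Micro's or Google's tooling;
the review records and thresholds are constructed for the demonstration."""
from collections import defaultdict

# Constructed sample: (author, stars, text). The first six mimic the pattern
# quoted in the article, with the small edits a template might pick up; the
# rest are ordinary, varied reviews (one author appears twice on purpose).
SAMPLE_REVIEWS = [
    ("user01", 4, "Great, works fast and good."),
    ("user02", 4, "Great, works fast and good."),
    ("user03", 4, "Great, works fast and good. "),
    ("user04", 4, "great, works fast and good."),
    ("user05", 4, "Great,  works fast and good."),
    ("user06", 4, "Great, works fast and good."),
    ("user07", 5, "Cleared a lot of space, thanks"),
    ("user08", 1, "Drains battery and shows ads constantly."),
    ("user09", 3, "Does what it says, nothing more."),
    ("user10", 2, "Crashes on my Pixel after the last update."),
    ("user11", 5, "Cleared a lot of space, thanks"),
    ("user10", 2, "Crashes on my Pixel after the last update."),
]


def normalise(text):
    """Collapse case, runs of whitespace and trailing punctuation so trivial
    edits to a templated string still land in the same bucket."""
    return " ".join(text.lower().split()).rstrip(".!")


def find_templated_clusters(reviews, min_accounts=5):
    """Group reviews by (normalised text, rating) and return the clusters
    posted by at least *min_accounts* distinct authors, largest first, as
    (text, stars, distinct_author_count) tuples. Counting distinct authors
    rather than reviews keeps one enthusiastic repeat poster from tripping it."""
    authors_by_key = defaultdict(set)
    for author, stars, text in reviews:
        authors_by_key[(normalise(text), stars)].add(author)
    clusters = [(text, stars, len(authors))
                for (text, stars), authors in authors_by_key.items()
                if len(authors) >= min_accounts]
    return sorted(clusters, key=lambda c: -c[2])


def suspicion_ratio(reviews, min_accounts=5):
    """Fraction of all reviews that fall into a templated cluster; a crude
    single number for triage, 0.0 for an empty list."""
    flagged = {(text, stars) for text, stars, _ in
               find_templated_clusters(reviews, min_accounts)}
    hits = sum(1 for _, stars, text in reviews if (normalise(text), stars) in flagged)
    return hits / len(reviews) if reviews else 0.0


if __name__ == "__main__":
    for text, stars, count in find_templated_clusters(SAMPLE_REVIEWS):
        print(f"{count} accounts, {stars} stars: {text!r}")
    print(f"suspicion ratio: {suspicion_ratio(SAMPLE_REVIEWS):.2f}")
```

A cluster of identical reviews is evidence, not proof; the threshold should be set against how often genuinely short reviews ("Great app") collide on a large listing, which is why the normalisation deliberately ignores only case, spacing and trailing punctuation rather than doing fuzzier matching.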
  3. New Coronavirus Strain? Nope, Just Hackers Trying to Spread Malware

The hackers have been using files and emails that warn about a new coronavirus strain to trick users into opening them. Doing so can secretly deliver malware to the victim's machine.

Received a random file about the coronavirus? It's best to avoid opening it. Hackers are starting to exploit fears around the ongoing outbreak to infect computers with malware, according to security researchers. The attacks have been occurring through files and emails that pretend to know something about the coronavirus, but have actually been designed to take over the victim's computer.

On Wednesday, the hackers were spotted sending out spam emails to users in Japan, warning about a new strain of coronavirus reaching the island country, according to IBM Security. The emails, which are written in Japanese, urge the recipient to open the attached Word document to learn more. If macros are enabled, the opened document will execute a series of commands to secretly download the Emotet malware, which can steal sensitive information from your machine or deliver other dangerous payloads, such as ransomware. The email pretends to come from a disability welfare service provider.

"This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it," IBM Security said in the report. "We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too."

On Thursday, the security firm Kaspersky Lab also reported uncovering malicious files disguised as documents about a new strain of coronavirus. To deliver the payload, the hackers were using PDFs, MP4 files and Word documents. "The file names imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case," Kaspersky Lab said. In reality, the discovered files contained a range of different malware threats capable of destroying, blocking, modifying and copying data on the victim's machine.

"So far we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow," said Kaspersky malware analyst Anton Ivanov in a statement. On Friday, the security firm updated the number of detected malicious files to 32.

Source
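The IBM-reported lure relies on a Word attachment whose macros run once the recipient enables them. As an added example, not IBM Security's or Kaspersky Lab's tooling and not code from the article, the Python below triages an Office attachment by content before anyone opens it: it reports OOXML containers that carry a VBA project part or a macro-enabled content type, flags a macro container hiding behind a .docx name, and sets legacy OLE2 .doc files aside for separate OLE parsing rather than guessing. The sample documents are constructed in memory with placeholder bytes, not real VBA, and the file names are invented.

```python
"""Triage an Office attachment for VBA macros by content, not by name.

Added example, not IBM Security's or Kaspersky Lab's tooling. Only the OOXML
(ZIP) container is inspected: the VBA project is stored as vbaProject.bin
(under word/, xl/ or ppt/) and the main part is declared with a macroEnabled
content type. Legacy OLE2 files are reported for separate parsing. The sample
documents below are constructed with placeholder bytes, not real VBA.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_PART_SUFFIX = "vbaProject.bin"
MACRO_ENABLED_TAG = "macroEnabled"   # substring of the .docm/.xlsm/.pptm main-part content types
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def classify_office_blob(data):
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"            # binary .doc/.xls: needs an OLE parser, not guessed here
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"         # a ZIP, but not an Open Packaging container
        if any(n.endswith(MACRO_PART_SUFFIX) for n in names):
            return "ooxml-macro"
        if MACRO_ENABLED_TAG in zf.read("[Content_Types].xml").decode("utf-8", "replace"):
            return "ooxml-macro"
    return "ooxml-clean"


def extension_mismatch(filename, verdict):
    """True when a macro-carrying container hides behind a non-macro extension."""
    return verdict == "ooxml-macro" and not filename.lower().endswith(MACRO_EXTENSIONS)


def _build_ooxml(with_macro):
    """Constructed minimal container; real documents carry many more parts."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not a real VBA project
    return buf.getvalue()


# Constructed attachments (invented names): a macro document, the same
# container renamed to look harmless, a clean document, a legacy .doc and a
# video file of the kind Kaspersky Lab mentioned.
SAMPLES = {
    "coronavirus_notice.docm": _build_ooxml(with_macro=True),
    "coronavirus_notice.docx": _build_ooxml(with_macro=True),
    "newsletter.docx": _build_ooxml(with_macro=False),
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 32,
    "virus_protection_video.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16,
}


def triage(samples=SAMPLES):
    """Map each file name to its verdict."""
    return {name: classify_office_blob(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        flag = "  <- macro container with a non-macro extension" if extension_mismatch(name, verdict) else ""
        print(f"{name}: {verdict}{flag}")
```

The check is deliberately conservative: it says whether a VBA project is present, not whether it is malicious, and it does not look inside the project. For the legacy OLE2 format and for the PDF and MP4 lures Kaspersky Lab described, a different parser is needed; the point of routing them to a separate verdict is that an attachment should never be waved through just because this particular check found nothing.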
  4. Mac users are getting bombarded by laughably unsophisticated malware

For malware so trite and crude, Shlayer is surprisingly prolific.

Almost two years have passed since the appearance of Shlayer, a piece of Mac malware that gets installed by tricking targets into installing fake Adobe Flash updates. It usually does so after promising pirated videos, which are also fake. The lure may be trite and easy to spot, but Shlayer continues to be common—so much so that it’s the number one threat encountered by users of Kaspersky Lab’s antivirus programs for macOS.

Since Shlayer first came to light in February 2018, Kaspersky Lab researchers have collected almost 32,000 different variants and identified 143 separate domains operators have used to control infected machines. The malware accounts for 30 percent of all malicious detections generated by Kaspersky Lab’s Mac AV products. Attacks are most common against US users, who account for 31 percent of attacks Kaspersky Lab sees. Germany, with 14 percent, and France and the UK (both with 10 percent) followed.

For malware using such a crude and outdated infection method, Shlayer remains surprisingly prolific. An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.”

Another banal detail about Shlayer is its previously mentioned infection method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Second verse, same as the first

The file downloaded by the Python variant Kaspersky Lab analyzed installs adware known as Cimpli. It ostensibly offers to install applications such as Any Search, which as indicated by search results is clearly a program no one should want. Behind the scenes, it installs a malicious Safari extension and a tool that includes a self-signed TLS certificate that allows the extension to view encrypted HTTPS traffic. To work around any user suspicions, Cimpli superimposes its own windows over dialog boxes that macOS provides. The left windows in the image below are what targeted users see when Cimpli is installing the Safari extension. The window to the right is what’s covered up. By clicking on the button, the user unwittingly agrees to install the extension. The HTTPS decryption tool also superimposes a fake window over the installation confirmation box. Once installed, all user traffic is redirected to an attacker-controlled proxy server.

Shlayer traditionally has relied on paid affiliates to seed advertising landing pages that display the fake Flash updates. Kaspersky Lab said Shlayer offers some of the highest rates. A newer ploy is the embedding of malicious links in pages on Wikipedia and YouTube. Kaspersky Lab said a single affiliate did so by registering more than 700 expired domains.

It’s hard to believe that malware this artless would be among the most common threats facing Mac users. One explanation may be that Shlayer operators must bombard Mac users over and over in a brute-force fashion to compensate for extremely low success rates. A more somber, and probably less likely, possibility: the success rate is high enough that operators keep coming back for more. In either case, it’s likely that the help of affiliates contributes to Shlayer’s ranking.

In any event, Shlayer’s ranking is a good reason for people to remember that Flash is an antiquated browser add-on that presents more risk than benefit for the vast majority of the world. Those who must use it should download updates solely from https://get.adobe.com/flashplayer/. People should never accept updates from windows that are displayed when trying to view videos or install software. The distinction can be hard for less experienced users, because Flash itself presents—or at least used to present—notifications when updates were available. People also would do well to steer clear of sites offering pirated material.

Source: Mac users are getting bombarded by laughably unsophisticated malware (Ars Technica)
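Kaspersky Lab's note that curl -f0L is the family's calling card, together with the download-execute-delete workflow described above, translates directly into a telemetry hunt. As an added example, not Kaspersky Lab's detection logic and not code from the article, the Python below scans constructed process-launch records for curl invocations that carry --fail, --http1.0 and --location in any spelling or grouping of the flags, and then correlates a matching download's -o target with a later interpreter launch by the same uid. The telemetry line format, the sample lines (which use the reserved .invalid domain), the interpreter list and the subset of argument-taking curl options are assumptions for the demonstration.

```python
"""Hunt for the 'curl -f0L' calling card attributed to Shlayer, and the
download-then-execute chain that follows it, in process-launch telemetry.

Added example, not Kaspersky Lab's detection logic. Assumes one launch per
line in the constructed form
'<timestamp> uid=<n> ppid=<n> exe=<path> cmd=<command line>'.
"""
import os
import re
import shlex

# -f is --fail, -0 is --http1.0, -L is --location; all three together is the
# combination the write-up calls the family's calling card.
SHORT_TO_LONG = {"f": "fail", "0": "http1.0", "L": "location"}
CALLING_CARD = set(SHORT_TO_LONG.values())
# Short curl options that consume an argument, so "-o out" is not read as a
# cluster of flags. Subset chosen for this demo, not curl's full option table.
TAKES_ARG = set("oHdXxuAebcCDEFKmPQrTtUwYyz")
INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "osascript"}  # assumption
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) ppid=(?P<ppid>\d+) exe=(?P<exe>\S+) cmd=(?P<cmd>.*)$")

# Constructed telemetry: lines 1, 4, 5 and 6 carry the calling card in
# different spellings; line 2 runs the file that line 1 fetched.
SAMPLE_TELEMETRY = """\
2020-01-23T10:02:11Z uid=501 ppid=812 exe=/usr/bin/curl cmd=curl -f0L http://cdn.example.invalid/p/1 -o /tmp/.x
2020-01-23T10:02:12Z uid=501 ppid=812 exe=/bin/bash cmd=bash /tmp/.x
2020-01-23T10:05:40Z uid=501 ppid=300 exe=/usr/bin/curl cmd=curl -sSL https://pkgs.example.invalid/install.sh
2020-01-23T10:07:02Z uid=0 ppid=1 exe=/usr/bin/curl cmd=curl --fail --http1.0 --location http://cdn.example.invalid/a
2020-01-23T10:09:15Z uid=501 ppid=812 exe=/usr/bin/curl cmd=curl -L -o out.bin -f -0 http://cdn.example.invalid/b
2020-01-23T10:11:00Z uid=501 ppid=900 exe=/usr/bin/curl cmd=curl -fL0 http://cdn.example.invalid/c
2020-01-23T10:12:30Z uid=501 ppid=900 exe=/usr/bin/curl cmd=curl -o report.pdf https://docs.example.invalid/r
"""


def curl_long_options(argv):
    """Set of option names in a curl argv, with the three calling-card short
    flags mapped to their long names so every spelling compares equal."""
    opts, skip_next = set(), False
    for tok in argv[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("--"):
            opts.add(tok[2:].split("=", 1)[0])
        elif tok.startswith("-") and len(tok) > 1:
            cluster = tok[1:]
            for i, ch in enumerate(cluster):
                opts.add(SHORT_TO_LONG.get(ch, ch))
                if ch in TAKES_ARG:
                    # the rest of the cluster, or else the next token, is its argument
                    skip_next = i == len(cluster) - 1
                    break
    return opts


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["argv"] = shlex.split(rec["cmd"])
    return rec


def _is_calling_card(rec):
    argv = rec["argv"]
    return bool(argv) and os.path.basename(argv[0]) == "curl" and CALLING_CARD <= curl_long_options(argv)


def find_calling_card(telemetry):
    """Timestamps of curl launches carrying -f, -0 and -L in any form."""
    records = [r for r in map(parse_line, telemetry.splitlines()) if r]
    return [r["ts"] for r in records if _is_calling_card(r)]


def output_path(argv):
    """Target of a separate '-o PATH' / '--output PATH' or of '--output=PATH'."""
    for i, tok in enumerate(argv):
        if tok in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("--output="):
            return tok.split("=", 1)[1]
    return None


def download_then_execute(telemetry):
    """(curl timestamp, exec timestamp) pairs where a calling-card download's
    output file is later handed to an interpreter by the same uid."""
    records = [r for r in map(parse_line, telemetry.splitlines()) if r]
    pairs = []
    for i, rec in enumerate(records):
        target = output_path(rec["argv"]) if _is_calling_card(rec) else None
        if target is None:
            continue
        for later in records[i + 1:]:
            if (later["uid"] == rec["uid"] and later["argv"]
                    and os.path.basename(later["argv"][0]) in INTERPRETERS
                    and target in later["argv"][1:]):
                pairs.append((rec["ts"], later["ts"]))
                break
    return pairs
```

The flag combination is distinctive but not unique to Shlayer, since anyone can type it, so treat a bare calling-card hit as a lead and the download-then-execute pair as the stronger signal. The deletion that the write-up says follows would appear as a later rm or unlink of the same path and can be correlated the same way.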
  5. Now 29-year-old faces years in the clink after long battle to bring him to justice

A 29-year-old Russian scumbag has admitted masterminding the Cardplanet underworld marketplace as well as a second forum for elite fraudsters. Aleksei Burkov appeared in a US federal district court in Virginia this week to plead guilty [PDF] to access device fraud, and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering.

Cardplanet was an internet souk in which crooks bought and sold stolen bank card details. When he was cuffed and charged last November, prosecutors estimated the website accounted for roughly $20m in fraud. Burkov also ran, we're told, an exclusive invite-only cybercrime den in which malware, money laundering, and hacking-for-hire were touted by top-tier miscreants as well as credit cards.

"To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," Uncle Sam's legal eagles said of the secret den on Thursday. "These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum."

For the Feds, this has been a long time coming. US authorities sought Burkov's extradition back in 2017 after he was collared in Israel in 2015. After exhausting his opportunities to appeal the extradition in the Israeli legal system, Burkov was sent to the US to face trial in November of last year, and has now finally coughed to his crimes. Burkov faces a maximum of 15 years behind bars when he is sentenced on May 8, though courts typically hand down much lighter sentences when perps skip lengthy trials and go straight to pleading guilty.

Source
  6. PyXie RAT capabilities include keylogging, stealing login credentials and recording videos, warn researchers at BlackBerry Cylance - who also say the trojan can be used to distribute other attacks, including ransomware.

A newly discovered hacking campaign by a 'sophisticated cyber criminal operation' is targeting healthcare and education organisations with custom-built, Python-based trojan malware which gives attackers almost complete control of Windows systems, with the ability to monitor actions and steal sensitive data.

Malicious functions of the remote access trojan, dubbed PyXie RAT, include keylogging, credential harvesting, recording video, cookie theft, the ability to perform man-in-the-middle attacks and the capability to deploy other forms of malware onto infected systems. All of this is achieved while clearing evidence of suspicious activity in an effort to ensure the malware isn't discovered.

However, traces of the attacks have been found and detailed by cyber security researchers at BlackBerry Cylance, who named the malware PyXie because of the way its compiled code uses a '.pyx' file extension instead of the '.pyc' typically associated with Python. PyXie RAT has been active since at least 2018 and is highly customised, indicating that a lot of time and resources have gone into building it.

"The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber criminal operation," Josh Lemos, VP of research and intelligence at BlackBerry Cylance, told ZDNet.

The malware is typically delivered to victims by a sideloading technique which leverages legitimate applications to help compromise victims. One of these applications uncovered by researchers was a trojanized version of an open source game which, if downloaded, secretly installs the malicious payload, using PowerShell to escalate privileges and gain persistence on the machine.

A third stage of the multi-level download sees PyXie RAT leverage something known in the code as 'Cobalt Mode', which connects to a command and control server as well as downloading the final payload. This stage takes advantage of Cobalt Strike – a legitimate penetration testing tool – to help install the malware. It's a tactic which is often deployed by cyber criminal gangs and something which makes attacks more difficult to attribute. This particular downloader also has similarities with another used to download the Shifu banking trojan; however, it could simply be a case of criminals taking open source – or stolen – code and re-purposing it for their own ends.

"An advantage of utilizing a widely used tool such as Cobalt Strike is it makes attribution difficult since it is used by many different threat actors as well as legitimate pentesters. With the Shifu banking trojan similarities, it is unclear if it is the same actors or if someone else reused some of its code," said Lemos.

Once successfully installed on the target system, the attackers can move around the system and run commands as they please. In addition to being used to steal usernames, passwords and any other information entered into the system, researchers note that there are cases of PyXie being used to deliver ransomware to compromised networks.

"This is a full-featured RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances," said Lemos.

The full extent of the PyXie RAT campaign still isn't certain, but researchers have identified attacks against over 30 organisations, predominately in the healthcare and education industries, with hundreds of machines believed to have been infected. Aside from likely being a well-resourced cyber criminal group, it's currently unknown who exactly is behind PyXie RAT, but the campaign is still thought to be active.

However, despite the sophisticated nature of the malware, researchers state that it can be protected against by standard cyber hygiene and enterprise security best practices, including operating system and application patching, endpoint protection technology, auditing, logging and monitoring of endpoint and network activity, and auditing of credential use.

Source
  7. After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been.

Microsoft first announced the BlueKeep vulnerability in May; now, hackers have finally caught up with it.

When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario.

Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide. But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.

"BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits."

Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a "crashdump," forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact the target machines crash indicates that the exploit may be unreliable.

The malware's authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September. It's also unclear how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. "I've seen a spike, but not the level I'd expect from a worm," says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients' networks for signs of exploitation. "It hasn’t hit critical mass yet."

In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending. "Every month that passes by without a worm happening, more people patch and the vulnerable population goes down," Williams says. "Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it."

But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn't passed just yet. About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 billion and $8 billion in damage.

In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by it—and at most a vague harbinger of a more severe attack on the horizon. "A BlueKeep exploit is perfect for getting more systems to mine from," says Hutchins. "It’s not necessarily going to affect whether someone still makes a ransomware worm at some point." If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet.

Source
  8. All Android 8 (Oreo) or later devices are impacted. Google released a patch last month, in October 2019.

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth.

Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

While the lack of one prompt sounds unimportant, this is a major issue in Android's security model. By default, Android devices aren't allowed to install apps from "unknown sources" -- anything installed from outside the official Play Store is considered untrusted and unverified. If users want to install an app from outside the Play Store, they have to visit the "Install apps from unknown sources" section of their Android OS and enable the feature. Until Android 8, this "Install from unknown sources" option was a system-wide setting, the same for all apps. But, starting with Android 8, Google redesigned this mechanism into a per-app setting. In modern Android versions, users can visit the "Install unknown apps" section in Android's security settings and allow specific apps to install other apps. For example, in the image below, the Chrome and Dropbox Android apps are allowed to install apps, similar to the Play Store app, without being blocked.

The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources.

However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones. Since there's no prompt for an install from an unknown source, tapping the notification starts the malicious app's installation. There's a danger that many users might misinterpret the message as coming from the Play Store and install the app, thinking it's an update.

HOW TO PROTECT YOURSELF

There is good news and bad news. The bad news is that the NFC feature is enabled by default on almost all newly sold devices. Many Android smartphone owners may not even be aware that NFC is enabled right now. The good news is that NFC connections are initiated only when two devices are put near each other at a distance of 4 cm (1.5 inches) or less. This means an attacker needs to get his phone really close to a victim's, something that may not always be possible.

To stay safe, any user can disable both the NFC feature and the Android Beam service. If they use their Android phones as access cards, or as a contactless payment solution, they can leave NFC enabled but disable the Android Beam service -- see image below. This blocks NFC file beaming, but still allows other NFC operations. So, there's no need to panic. Just disable Android Beam and NFC if you don't need them, or update your phone to receive the October 2019 security updates and continue using both NFC and Beam as usual. A technical report on CVE-2019-2114 is available here.

Source: Android bug lets hackers plant malware via NFC beaming (via ZDNet)
  9. Jack Wallen offers up his best advice for avoiding malware on Android.

We're back to the topic that bears repeating every month or so: Android and malware. They seem to be like chocolate and peanut butter these days. But why? Is it the developer's fault? Is the onus on Google? I'm going to open a rather messy can of worms and say the blame could easily fall on the shoulders of everyone involved--including the user. But in the end, no matter how secure a platform Google released, if Android is used poorly, bad things will happen. The same holds true for Windows, macOS, and (gasp) even Linux. That's right. I could deploy a Linux desktop to someone and if they misuse the platform, similar bad things could happen.

So what's a user to do? Nothing different than I've said before. In fact, I laid out a simple plan for users in 4 ways to avoid malware on Android. But as many an admin knows, the simpler the advice is for end users, the more likely the advice will stick. My advice? Only install applications you have to have.

How users use devices

I know, it's not really that easy. Why? Because users don't have the control necessary to limit themselves to only installing required applications. According to this article from sister site ZDNet, social media takes up the bulk of smartphone usage, with Americans spending an average of just over an hour a day on Facebook and 48 minutes on Instagram. Millennials spend roughly 48 minutes per day texting, versus 30 minutes for baby boomers. Boomers, on the other hand, spend 43 minutes per day on email, whereas millennials spend less than 10 minutes per day within an email app.
Outside of that, the majority of time spent on smartphones is divided between the following apps/services:

- Internet
- Podcasts
- Snapchat
- Music
- Twitter
- Youtube
- News apps
- Messenger
- Phone

So our full list of most-used apps and services looks like:

- Facebook
- Instagram
- Texting
- Phone
- Internet
- Podcasts
- Snapchat
- Music
- Twitter
- Youtube
- Messenger
- News apps
- Email

Of those apps/services, Android has the following built into its ecosystem:

- Texting - Messages
- Phone - Phone app
- Internet - Chrome
- Podcasts - Play Music
- Music - Play Music
- Youtube - Youtube app
- Messenger - Messenger app
- News Apps - Google News
- Email - Gmail app

What's left over?

- Instagram
- Snapchat
- Twitter

By installing only three apps, the majority of millennials and boomers can satisfy all of their mobile needs. Three simple apps, each of which are found in the Google Play Store and have been thoroughly vetted by both the companies that created them and Google itself. Or have they?

Back in 2014, more than four million Snapchat users' data was released by hackers reacting to Snapchat's claim it had no knowledge of vulnerabilities. This wasn't an issue with the Snapchat app, but the Snapchat service. And it wasn't malware. Installing the Snapchat app on an Android device wasn't accompanied by malicious code. The app itself was safe. As are all of the apps on the list above. At least they are as safe as any piece of software can be. Which is to say, not 100%. But that's the risk we all take for living an always-connected life. As the saying goes, any computer connected to the internet is vulnerable.

What's the solution?

This is where it gets simple. If you want to avoid malware on Android, you install only the apps you must have to do your work. Outside of that, you install Instagram, Snapchat, and Twitter and use the built-in apps to round out your experience. I know what you're asking. What about games? Funny thing, games. The majority of responses to the original ZDNet screen time poll never mentioned games.
Of course we all know that the mobile gaming industry is massive, so people are--without a doubt--playing games on their devices. For those that do, I would suggest one of two things:

- Have a separate device for games.
- Only install games from official companies or reputable developers.

In the end, the solution is to limit the apps you install on your device and to only install those apps from the Google Play Store. Do that and the chances of your device getting infected with malware are drastically reduced. Just remember, nothing is guaranteed in this digital age. Be safe.

Source: How to avoid malware on Android in one easy step (via Tech Republic)
  10. MessageTap malware is meant to be installed on Short Message Service Center (SMSC) servers, on a telco's network.

One of China's state-sponsored hacking groups has developed a custom piece of Linux malware that can steal SMS messages from a mobile operator's network. The malware is meant to be installed on Short Message Service Center (SMSC) servers -- the servers inside a mobile operator's network that handle SMS communications. US cyber-security firm FireEye said it spotted this malware on the network of a mobile operator earlier this year.

HOW MESSAGETAP WORKED

FireEye analysts said hackers breached a yet-to-be-named telco and planted the malware -- named MessageTap -- on the company's SMSC servers, where it would sniff incoming SMS messages and apply a set of filters.

First, MessageTap would set SMS messages aside to be stolen at a later point if the SMS message's body contained special keywords. "The keyword list contained items of geopolitical interest for Chinese intelligence collection," FireEye said. "Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government."

Second, MessageTap would also set SMS messages aside if they were sent from or to particular phone numbers, or from or to a device with a particular IMSI unique identifier. FireEye said the malware tracked thousands of device phone numbers and IMSI codes at a time.

PART OF APT41'S ARSENAL

The company's analysts linked the malware to a relatively new Chinese hacker group it calls APT41 [PDF report]. In a previous report, FireEye said that APT41 stood apart from other Chinese groups because besides performing politically-motivated cyber-espionage, the group's members also carried out financially-motivated hacks, most likely for their private benefit.

Furthermore, FireEye also found evidence on the hacked telco's network that APT41 interacted with the mobile operator's call detail record (CDR) database -- a database that stores metadata on past phone calls. FireEye said APT41 queried for the "CDR records [that] corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services."

While FireEye didn't name the hacked telco or the spied-on targets, Reuters journalists said that MessageTap was related to China's efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers' movements.

CHINESE HACKING OPERATIONS ARE CHANGING

The discovery of this campaign is significant in the grand scheme of Chinese cyber-espionage operations as a whole. In past years, Chinese hacking groups have been known for their smash-and-grab approach, where they hacked a target and stole as much data as they could, to analyze it at a later point.

APT41's modus operandi shows a carefully planned and very targeted surveillance operation aimed at a very small group of targets. That's different from what Chinese hacking groups have done in the past, but it appears to have become the norm these days -- if we take into account the CCleaner and ASUS Live Update hacks, where Chinese hackers also breached a company just to go after a small subset of its customers.

The overall arc is that Chinese hacker groups are now getting very good at targeted operations, on par with what we've usually seen from US or Russian operations.

On a side note, FireEye's report today also confirms a general trend of Chinese hackers going after telecom operations, first detailed in a June 2019 Cybereason report which found that Chinese government hackers had breached the networks of at least ten foreign mobile operators.

Source: Chinese hackers developed malware to steal SMS messages from telco's network (via ZDNet)
  11. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware.

Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals.

A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well-known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them.

The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware.

"The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division, told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack."

Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages.

While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players.

The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services.

"There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila.

As more IoT products become connected to the internet, it's going to become easier for attackers to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – and researchers recommend upgrading your router to a newer model and regularly applying software updates to ensure the device is as protected as possible against attacks.

"In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. "The more frequent the better, but perhaps for simplicity, consider timing router updates around daylight savings so at least you're updating twice a year," he added.
Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  12. Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process. The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer …

The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background. Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery drain.

Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not found within the app itself, but the apps were instead getting instructions on what to do from a remote server. Apple says it is improving its app review process to detect this approach.

The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm. The apps were all from AppAspect Technologies.

iOS aims to guard against this by sandboxing. Each app gets its own private environment, so it cannot access system data or data from other apps unless using processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, giving three examples of this.

Wandera is the same company that warned how a Siri feature could be used for phishing non-technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet.

Source:
1. 17 malware iPhone apps removed from App Store after evading Apple’s review (via 9to5Mac) - Main article
2. Trojan malware infecting 17 apps on the App Store (via Wandera) - Main reference to the article

p/s: The list of the 17 apps mentioned in the article is as follows:
  13. A new report -- Webroot Threat Report: Mid-Year Update -- has found that one in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS, and Windows 7 exploits have grown 75 percent since January 2019.

According to the report, hackers are using trusted domains and HTTPS to trick victims:

- Nearly a quarter (24 percent) of malicious URLs were found to be hosted on trusted domains, as hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block.
- 1 in 50 URLs (1.9 percent) were found to be malicious, which is high, the report says, given that nearly a third (33 percent) of office workers click more than 25 work-related links per day.
- Nearly a third (29 percent) of detected phishing web pages use HTTPS as a method to trick users into believing they're on a trusted site via the padlock symbol.

Phishing continued rapid growth into 2019, and criminals are expanding their phishing targets:

- Phishing grew rapidly, with a 400-percent increase in URLs discovered from January to July 2019.
- The top industries impersonated by phishing include: 25 percent SaaS/webmail providers, 19 percent financial institutions, 16 percent social media, 14 percent retail, 11 percent file hosting, and 8 percent payment services companies.
- Phishing lures are becoming increasingly personalized as more PII is collected from breaches.
- Phished passwords are used for more than account takeover. Specifically, extortion emails are being used, claiming the user has been caught doing something embarrassing or damaging that will be shared with colleagues, friends and family unless a ransom is paid, the report says.
- Phishing doesn't always target usernames and passwords. The attacks also go after secret questions and their answers, says the report.

Windows 7 is becoming even riskier, with infections increasing by 71 percent:

- Between January and June, the number of IPs that host Windows exploits grew 75 percent.
- Malware samples seen on only one PC are at 95.2 percent, up from 91.9 percent in 2018.
- Out of all infected PCs, 64 percent were home user machines, and 36 percent were business devices.

More at: (Webroot) Source
  14. Hackers continue to target the Drupal vulnerability named Drupalgeddon2 to install malware onto unpatched systems, Akamai’s security researchers have discovered.

Tracked as CVE-2018-7600, the security flaw impacts Drupal versions 6, 7 and 8. The bug was addressed in March 2018, with the first attacks targeting it spotted only several weeks later, attempting to deploy malicious programs such as crypto-miners and backdoors.

Now, Akamai security researcher Larry W. Cashdollar reveals that the vulnerability continues to be targeted in a recently observed malicious campaign where attackers attempt to run code embedded in a .gif file. Although not widespread, the campaign appears to be targeting a broad range of high profile websites, without a focus on a specific industry.

One of the analyzed .gif files was hosted on a compromised bodysurfing website located in Brazil. The file contains obfuscated PHP code designed to decode base64-encoded malware stored in a variable. The researcher discovered that the malware could scan for credentials stored in local files, send email with the discovered credentials, replace the local .htaccess file, display MySQL my.cnf configuration files, execute a remote file, show system information, rename files, upload files, and launch a web shell.

In addition to the .gif, the attack drops a piece of malware stored in a .txt in the form of a Perl script. This malicious program uses Internet Relay Chat (IRC) for command and control (C&C) communication. The threat can launch distributed denial-of-service (DDoS) attacks, but also functions as a remote access Trojan (RAT). It can connect to a now defunct IRC server and join a specific channel to receive commands. Functionality included in the malware allows it to gather information from the local system and provide attackers with control over it.

It also supports a SQL flood command, which allows the malware operators to send generic HTTP GET requests to MySQL’s default port, 3306, on the specified target. “This piece of code has been widely shared and modified by the criminal Internet underground,” Cashdollar says.

The new campaign underlines once again the importance of maintaining good security hygiene, which also involves patching in a timely manner. The targeted Drupalgeddon2 vulnerability is a year and a half old and can be easily exploited, which creates great risks for enterprise environments with unpatched systems, as scanning and infection attacks can be automated.

“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take,” the researcher concludes.

Source
  15. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware." Guide: http://www.selectrealsecurity.com/malware-removal-guide I'll be posting updates. :)
  16. Security researchers discovered a new form of malware that specifically targeted users of a French telecom giant. One of the more disturbing features of this malware is its capability to identify when someone was likely viewing porn and record their screen.

Researchers at IT security company ESET spotted the malware, which they coined Varenyky, in May of this year, and in July, operators of the malware launched their first sextortion scam. The malware targets customers of Orange S.A., a French internet service provider, and filters out non-French users based on the location of someone’s computer.

According to the researchers, the malware is sent in the form of an email with a fake Microsoft Word attachment under the guise of a €491.27 bill. The document is actually malware, and opening it infects the user’s computer.

The researchers pointed out that the hackers routinely tweaked and added commands to the malware, and that a recent version deployed a hidden desktop on someone’s computer that was able to navigate menus, read text, take screenshots, click on the screen, adjust windows, and even record the screen’s activity. One feature the researchers spotted in one version of the malware was that it would search for porn-related words in French in a user’s window and subsequently record the screen and upload it to the command and control server, which is a computer that can send instructions to a device infected with malware.

The researchers noted, though, that while the malware is capable of recording someone’s screen while they watch porn, they didn’t find any evidence indicating that the hackers exploited these recordings beyond collecting them. That being said, in July, the hackers did deploy a sextortion scam—in which someone was blackmailed through sexual material.

The sextortion scam is also sent in the form of an email and informs the recipient that a virus infected their computer when they were watching porn, and that the hackers have gained access to their computer. The scammer also claims that they have a video of both the porn the victim was watching as well as a recording from their webcam of “you having… fun.” The scammer says that if they don’t pay them €750 in bitcoin within 72 hours, they’ll send the video to family, coworkers, and post it on social media. “This offer is non-negotiable, do not waste my time and yours, think about the consequences of your actions,” it states in the email sign-off.

The researchers said that one bot can send up to 1,500 emails in an hour, and as of August 8, the bitcoin address included in the sextortion email had received four payments.

Sextortion campaigns and phishing attacks that can give a hacker access to your desktop are hardly unique forms of online exploitation, but this newly spotted malware indicates that they aren’t going anywhere and that people are still easily duped by inarguably unsettling threats. The researchers also note that the operators of this malware tweaked it a lot over the course of two months, indicating that they “are inclined to experiment with new features that could bring a better monetization of their work.” In this case, that means finding the best way to scare French internet users into paying a gross grifter in return for peace of mind.

Source
  17. Advanced mobile surveillanceware, made in Russia, found in the wild

Monokle infected Android devices, but evidence suggests iOS versions may also exist.

Researchers have discovered some of the most advanced and full-featured mobile surveillanceware ever seen. Dubbed Monokle and used in the wild since at least March 2016, the Android-based application was developed by a Russian defense contractor that was sanctioned in 2016 for helping that country’s Main Intelligence Directorate meddle in the 2016 US presidential election.

Monokle uses several novel tools, including the ability to modify the Android trusted-certificate store and a command-and-control network that can communicate over Internet TCP ports, email, text messages, or phone calls. The result: Monokle provides a host of surveillance capabilities that work even when an Internet connection is unavailable. According to a report published by Lookout, the mobile security provider that found it, Monokle is able to:

- Retrieve calendar information including name of event, when and where it is taking place, and description
- Perform man-in-the-middle attacks against HTTPS traffic and other types of TLS-protected communications
- Collect account information and retrieve messages for WhatsApp, Instagram, VK, Skype, imo
- Receive out-of-band messages via keywords (control phrases) delivered via SMS or from designated control phones
- Send text messages to an attacker-specified number
- Reset a user’s pincode
- Record environmental audio (and specify high, medium, or low quality)
- Make outgoing calls
- Record calls
- Interact with popular office applications to retrieve document text
- Take photos, videos, and screenshots
- Log passwords, including phone unlock PINs and key presses
- Retrieve cryptographic salts to aid in obtaining PINs and passwords stored on the device
- Accept commands from a set of specified phone numbers
- Retrieve contacts, emails, call histories, browsing histories, accounts and corresponding passwords
- Get device information including make, model, power levels, whether connections are over Wi-Fi or mobile data, and whether screen is on or off
- Execute arbitrary shell commands, as root, if root access is available
- Track device location
- Get nearby cell tower info
- List installed applications
- Get nearby Wi-Fi details
- Delete arbitrary files
- Download attacker-specified files
- Reboot a device
- Uninstall itself and remove all traces from an infected phone

Commands in some of the Monokle samples Lookout researchers analyzed lead them to believe that there may be versions of Monokle developed for devices running Apple’s iOS. Unused in the Android samples, the commands were likely added unintentionally. The commands controlled iOS functions for the keychain, iCloud connections, iWatch accelerometer data, iOS permissions, and other iOS features or services. Lookout researchers didn’t find any iOS samples, but they believe iOS versions may be under development. Monokle gets its name from a malware component a developer titled "monokle-agent."

From Russia with…

Lookout researchers were able to tie Monokle to Special Technology Centre Ltd. (STC), a St. Petersburg, Russia, defense contractor that was sanctioned in 2016 by then-President Obama for helping Russia’s GRU, or Main Intelligence Directorate, meddle in the 2016 election. Evidence linking Monokle to the contractor includes control servers the malware connects to and cryptographic certificates that sign the samples. Both are identical to those used by Defender, an Android antivirus app developed by STC.

Monokle’s sophistication, combined with its possible use in nation-sponsored surveillance, evokes memories of Pegasus, a powerful set of spying apps developed for both iOS and Android devices. Developed by Israel-based NSO Group, Pegasus was used in 2016 against a dissident of the United Arab Emirates and again this year against a UK-based lawyer.

Lookout researchers found Monokle folded into an extremely small number of apps, an indication the surveillance tool is used in highly targeted attacks on a limited number of people. Most of the apps contained legitimate functionality to prevent users from suspecting the apps are malicious. Based on the app titles and icons of the apps, Lookout believes targets were likely:

- interested in Islam
- interested in Ahrar al-Sham, a militant group fighting against the Syrian government and Bashar al-Assad
- living in or associated with the Caucasus regions of Eastern Europe
- interested in a messaging application called “UzbekChat” referencing the Central Asian nation and former Soviet republic Uzbekistan

Many of the icons and titles have been stolen from legitimate applications to disguise Monokle’s purpose. Other titles used familiar words like Google Update, Flashlight, and Security Update Service to appear innocuous to the intended target. Titles are mostly in English with a smaller number in Arabic and Russian.

While only a small number of samples have been found in the wild, a larger number of samples dates back as long ago as 2015. As the graph below shows, they follow a fairly regular development cycle.

[Figure: Signing dates of Monokle samples. Source: Lookout]

STC is best known for developing radio frequency measurement equipment and unmanned aerial vehicles. It claims to employ 1,000 to 5,000 people. It develops a suite of Android security products, including Defender, that are intended for government customers. Lookout monitored Russian job search sites for positions open at STC and found they required experience in both Android and iOS. As noted earlier, the control servers and signing certificates used by the Android defensive software were in many cases identical to those used by Monokle. Monokle’s design is consistent with a professional development company that sells to governments.

The surveillanceware defines 78 separate tasks—including “gathers call logs,” “collects SMS messages,” “collects contacts,” and “gets list of files in particular system directories”—that control servers can send through SMS, email, or TCP connections. Control phrases used to invoke the commands—including “connect,” “delete,” “location,” and “audio”—are short and vague enough that, should an end user see them appear in a text message, they aren’t likely to arouse suspicions. Infected phones can also receive calls from specific numbers that will turn off headsets and allow the device on the other end to record nearby sounds.

There are clear differences between Monokle and Pegasus, including the fact that the latter came packaged with powerful exploits that install the surveillance malware with little interaction required of the end user. By contrast, there are no accompanying exploits for Monokle, and Lookout researchers still aren’t sure how it gets installed.

The chances of ordinary people being infected with either of these types of malware are extremely small. Still, Lookout’s report provides more than 80 so-called indicators of compromise that allow security products and more technically inclined end users to detect infections. Lookout customers have been protected against Monokle since early last year.

Source: Advanced mobile surveillanceware, made in Russia, found in the wild (Ars Technica)
  18. When you think of malware, it's understandable if your mind first goes to elite hackers launching sophisticated dragnets. But unless you're being targeted by a nation-state or advanced crime syndicate, you're unlikely to encounter these ultra-technical threats yourself. Run-of-the-mill profit-generating malware, on the other hand, is rampant. And the type you're most likely to encounter is adware.

In your daily life you probably don't think much about adware, software that illicitly sneaks ads into your apps and browsers as a way of generating bogus revenue. Remember pop-up ads? It's like that, but with special software running on your device, instead of rogue web scripts, throwing up the ads. Advertisers often pay out based on impressions, or the number of people who load their ads. So scammers have realized that the more ads they can foist upon you, the more money they pocket.

Ad It Up

Your smartphone offers attackers the perfect environment to unleash ad malware. Attackers can distribute apps tainted with adware through third-party app stores for Android and even sneak adware-laced apps into the Google Play Store or Apple's App Store. They can reach millions of devices quickly, lurking on your phone, say, while their servers spew ads that run in the background of your device or right on the screen. It doesn't require elaborate hacking techniques. It isn't trying to steal your money. At worst, it makes your device a little slower or forces you to close out some unexpected ads. Adware could be on your phone right now.

"With adware—which is in my opinion one of the boldest types of malware on the mobile front—we can see that the actors are basically following the money," says Aviran Hazum, analysis and response team leader at security firm Check Point. "A lot of victims will pay a ransomware ransom, or attackers can gain access to a bank account, but the probability of that is relatively low compared to the amount of money they can generate by displaying ads. More audience, more adware, more revenue."

Strains of adware regularly infect tens of millions or even hundreds of millions of devices at a time. Even though adware detections have declined year over year, security firm Malwarebytes still ranked it as the most prevalent type of consumer malware in 2018. Check Point published findings on one example last week, dubbed Agent Smith, which infected more than 25 million Android devices around the world. Fifteen million of those are in India, but Check Point also found more than 300,000 infections in the US.

Check Point sees signs that attackers started developing Agent Smith adware in 2016 and have been refining it ever since. Distributed largely through the third-party Android app store 9Apps, the adware was originally a more clunky, obvious type of malware that masqueraded as legitimate apps but asked for a suspicious number of device permissions to run and displayed a lot of intrusive ads. In spring 2018, though, Agent Smith evolved. Attackers added other malware components so that once the adware was installed, it would search through the device's third-party apps and replace as many as possible with malicious decoys. The initial malware would be in apps like shoddy games, photo services, or sex-related apps. But once installed, it would masquerade as a Google update utility—like a fake app called Google Updater—or apps that pretended to sell Google products, to have a better chance of hiding in plain sight.

Agent Smith also infiltrated the Google Play Store during 2018, hidden in 11 apps that contained a software development kit related to the campaign. Some of these apps had about 10 million downloads in total, but the Agent Smith functionality was dormant and may have represented a planned next step for the actors. Google has removed these tainted apps.

Check Point's Hazum points out that the actors behind Agent Smith also overhauled its infrastructure in 2018 and moved its command and control framework to Amazon Web Services. This way, the attackers could expand features like logging and more easily monitor analytics like download stats. Campaigns like adware and cryptojacker distribution can often function on legitimate infrastructure platforms like AWS, because it's difficult to distinguish their malicious activity from legitimate operations. In other recent adware campaigns, researchers have found innovations like malware that takes advantage of smartphone display and accessibility settings to overlay invisible ads that give them credit with ad networks without users even seeing anything.

"You’re starting to see actors realizing that just regular adware won’t do these days," Check Point's Hazum says. "If you want the big money you need to invest in infrastructure and research and development."

It's an Ad, Ad, Ad, Ad World

Agent Smith is just one wave, though, in a sea of massive adware campaigns that impact hundreds of millions of users combined. For example, in late 2017, adware known as Fireball infected more than 250 million PCs. Imposter Fortnite apps started spreading adware on Android during the summer of 2018. And in April researchers found 50 adware-ridden apps in Google Play that had been downloaded more than 30 million times. Almost any popular app spawns adware clones almost immediately—even FaceApp.

Though adware isn't necessarily an immediate threat to users, even when it's on their devices, it opens the door for attackers to add other malicious functionality in the future that could endanger users' data or accounts. And adware can also come bundled with other types of malware, portending worse attacks to come.
“Specific to adware, a lot of the risk to the user comes in applications that download extra stuff or redirect users to other websites,” says Ronnie Tokazowski, a senior threat researcher at email security firm Agari. “Many forms of adware are sold through a pay-to-install model, so the more things that get installed on an end user’s phone or PC, the more the actor gets.” To avoid downloading adware in the first place, use official app stores to download software, stick to prominent, mainstream apps as much as possible, and always double-check that you're actually downloading, say, the real Twitter app and not Twltter. To eliminate adware that could already be on your device, go through your apps and delete anything you don't use anymore, or any apps that are particularly glitchy or ad-ridden, such as random games or utilities like flashlight apps. And if you want an outside opinion, you can download reputable adware scanners from antivirus companies like Bitdefender, Malwarebytes, or Avast. Most offer a free trial. But be careful to download the real deal—adware and other malware loves to hide in apps that pretend to be adware scanners. Adware isn't the powerful and deeply invasive malware that nation-state hackers specially craft for tailored reconnais­sance or intimidation. But it's the malware most likely to show up on your phone, which makes it the type that's most important to look out for. Source
  19. The Oconee County Courthouse has been closed and computer servers at nearly every Oconee County government office have been compromised by software designed to disrupt computer systems, Sheriff Mike Crenshaw said Thursday afternoon. Government offices affected are along Pine Street in Walhalla, and they include the treasurer's office, the assessor, the auditor's office, administrative buildings and the solid waste division.

It's not yet clear whether or how much residents' personal information may have been compromised as a result of the breach. "We're working to figure that out, and if it has been, we will notify people," Crenshaw said.

The Oconee County Sheriff's Office and its 911 communications systems are among the only government agencies not affected because they operate on different computer servers, Crenshaw said. The Oconee County School District also has offices on Pine Street, but those systems are unaffected, he said.

"The county basically had to shut down offices because most folks simply couldn't do business," he said. A team assessed the damage until Thursday evening. County Administrator Amanda Brock said in a prepared statement Thursday night that all Oconee County government offices would reopen Friday morning, but that "some offices may have limited resources" until computer systems are restored.

The FBI and a computer-crimes unit of the State Law Enforcement Division have been called in to assist the Sheriff's Office and the county's information technology division with the investigation. It's not yet clear how the malware, or malicious software, made it past various firewalls used by the computer system. Crenshaw said the investigation is still in its early stages and many questions remain unanswered.

Source
  20. Pale Moon's Archive Server hacked and used to spread malware

The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware. The team detected the breach on July 9, 2019 and shut down the archive server immediately to prevent further infections with malware. An analysis of the issue revealed that the infection most likely happened on December 27, 2017.

The Archive server is used to serve older versions of Pale Moon; the browser's main distribution channels were not affected by the breach.

This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time any current versions, no matter where they were retrieved from, would be infected.

Additionally, the hacker infected only executable files of the browser and not files inside archives. Other programs hosted on the server, such as the web browser Basilisk, were not affected either. According to the post mortem, the issue affected all archived executable files of Pale Moon 27.6.2 and earlier.

The team's investigation in the matter was severely impacted by another incident on May 26, 2019 that caused "widespread data corruption" on the archive server to the point where booting or data transfers were not possible anymore.

The hacker managed to sneak a script on the server that would run locally to infect the executable files on the server. The infection increased the size of the executable by about three Megabytes and planted a variant of Win32/ClipBanker.DY inside the executable.

Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it.

Bleeping Computer notes that the malware creates a scheduled task on the system in the background while Pale Moon's installer runs in the foreground.

Users who never downloaded Pale Moon from the Archive Server (archive.palemoon.org) are "almost certainly in the clear" according to Pale Moon's announcement. The team recommends that users who downloaded the browser from the official site or archive site run a full virus scan on their systems to make sure they are clean. The infection signature is "known to all major antivirus vendors" according to the announcement; programs like Avira Antivirus, Avast Free Antivirus, BitDefender Free, or Kaspersky Free Antivirus.

There is also the option to check signature files or the digital signature of Pale Moon's executable. The digital signature is not available for all releases though, so its absence does not imply that the file is infected. The existence of a valid digital signature, on the other hand, is a clear indicator that the file is clean.

Archived versions of Pale Moon are accessible again on archive.palemoon.org. Dates indicate that directories were created on July 10, 2019.

Closing words

Pale Moon's main distribution channel was not affected by the hack, which means that most users were not affected by the issue. The team has not released any archive server statistics and it is unclear how many users were potentially affected by the breach. Pale Moon users should run a full virus scan on the system to make sure that their devices are not infected.

Source: Pale Moon's Archive Server hacked and used to spread malware (gHacks - Martin Brinkmann)
  21. Cybercriminals are using the notoriety of the DeepNude app to distribute info-stealing malware in campaigns over YouTube that promise a cracked premium version of the program for Windows, Android, and iOS.

DeepNude allowed anyone with $50 in their pocket to create naked versions of clothed women by removing their clothes based on the calculations from algorithms in a neural network. The DeepNude app is no longer available for download from official sources, as its developer on June 27 announced the end of the project. But copies still exist and this is what cybercriminals are betting on to lure users into installing malware on their systems, choosing YouTube as the distribution platform.

Malware strips browser and clipboard of data

Security researcher Frost discovered that the campaign was actually pushing a malware strain named Qulab that can steal information from the system and the clipboard. Fraudsters upload short videos demoing the app and providing in the description a download link. The URL may be shortened or it may point to an online storage service, but it does pull a file down.

A brief search on YouTube indicates that the campaign started a week ago. The latest video linking to a file in the description was uploaded on Wednesday and has almost 1,000 views; it links to an Android app.

An analysis from Fumik0 shows that Qulab was built to steal information from the browser (history, credentials, cookies) and from other programs (FileZilla, Discord, Steam).

It goes without saying that installing programs from an unknown source is not the wisest thing to do. Crooks have always taken advantage of the traction a free or popular product received in order to push malicious files. One recent example is an operation that targeted torrent site users to plant the GoBot2 backdoor on their systems.

No trusted sources remain

Despite its short life, DeepNude certainly had its moment of fame before it went belly up. By then, the app had already made headlines, gone viral, and attracted a huge wave of criticism as well as numerous users. The project was ended for moral reasons. The developer announced on Twitter that despite adding a watermark to the result of the photo processing, some individuals could still misuse it and damage someone's reputation.

GitHub is the latest to remove open-source code spun off from DeepNude. In a statement to Motherboard, the company said that although user-generated content is not under scrutiny, abuse reports are investigated and repositories found to be in violation of the platform's acceptable use policy are removed. Moreover, sexually obscene content is prohibited through the Terms of Service and Community Guidelines.

Source
  22. Croatian government targeted by mysterious hackers

Government agencies targeted with never before seen malware payload — named SilentTrinity.

A mysterious hacker group has targeted, and most likely infected, Croatian government employees between February and April this year. Attackers, which are suspected to be a state-sponsored unit, have targeted victims using a spear-phishing campaign that mimicked delivery notifications from the Croatian postal or other retail services. Emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.

Users targeted with never-before-seen malware

The document was laced with malicious code packed as a macro script which appeared to have been largely copied off the internet, from various tutorials or open source projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com. The macro script, if enabled by the victim, would download and install malware on their systems.

Two different sets of malware payloads were detected during these attacks. The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility. The second was SilentTrinity, another post-exploitation tool, similar to the first.

In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis for cyber-security firm Positive Technologies, said this was the first time when a malicious threat actor had weaponized the SilentTrinity tool in an active malware distribution campaign.

Croatian government detected the attacks in April

While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks [1, 2].

The state cyber-security agency shared indicators of compromise, such as file names, registry keys, URLs, and IP addresses for the attackers' command and control (C&C) servers, asking state agencies to check logs and scan computers for potential infections.

"The Croatian Post has already taken steps to remove the malicious web sites and servers, but both malware versions are currently active," the agency said. "With this malware attackers can take control over a computer and execute arbitrary commands under the authority of the user who opened the XLS file and enabled to execute the macro commands."

In a report published today, Vishnyakov pointed out certain connections between the C&C servers used in this campaign targeting Croatian government agencies and past malware distribution operations. The most important is a FireEye report about hackers using a WinRAR vulnerability to infect government targets in Ukraine with the same Empire backdoor, and using the same C&C server.

While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is specific to Russian threat actors, who have been targeting the country's officials and government agencies since 2014, when Russian troops invaded the Crimean peninsula.

While Vishnyakov refrained from attributing these attacks to a specific threat actor, the researcher did note that "the available data on hosts, addresses, and domains used, as well as the high number of connections between them, suggests a large-scale malicious effort."

Source: Croatian government targeted by mysterious hackers
  23. In-the-wild Mac malware kept busy in June—here's a rundown

Newly disclosed OSX/CrescentCore is 1 of 6 Mac threats to come to light this month.

June was a busy month for Mac malware with the active circulation of at least six threats, several of which were able to bypass security protections Apple has built into modern versions of its macOS.

The latest discovery was published Friday by Mac antivirus provider Intego, which disclosed malware dubbed OSX/CrescentCore that's available through Google search results and other mainstream channels. It masquerades as an updater or installer for Adobe's Flash media player, but it's in fact just a persistent means for its operators to install malicious Safari extensions, rogue disk cleaners, and potentially other unwanted software.

"The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites," Intego's Joshua Long wrote of two separate versions of the malware his company has found. "Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results."

Security evasions

Long said that the CrescentCore versions he observed were signed with certificates belonging to an Apple-trusted developer. That would allow the malware to bypass Gatekeeper, a macOS protection that's designed to thwart malware by allowing only digitally signed applications to be installed. Both recovered versions of CrescentCore are signed by certificates assigned to a developer using the name Sanela Lovic using certificate fingerprints 5UA7HW48Y7 and D4AYX8GHJS. Long said he reported the certificate abuse to Apple, but as of early Friday afternoon, a tool called WhatsYourSign, developed by Mac security expert Patrick Wardle, showed both signing certificates remained valid. On Friday evening, the tool showed one certificate had been revoked and another remained valid.

CrescentCore uses other techniques to avoid detection and analysis. After targets click on the fake Flash installer/updater, it first checks to see if it's about to be installed inside a virtual machine or on a Mac that's running AV software. If either of those possibilities turns out to be true, the trojan will simply exit and not do anything more. Security researchers almost always test suspected malware inside VMs to prevent accidentally infecting trusted work computers.

Mac users who want to check for infections should look for files with the name Player.dmg (or Player #.dmg or Player (#).dmg where # is a numeral such as 1 or 2) downloaded to the Downloads folder. Infected Macs may also contain folders or files with the following names:

/Library/com.apple.spotlight.Core
/Library/Application Support/com.apple.spotlight.Core
/Library/LaunchAgents/com.google.keystone.plist
com.player.lights.extensions.appex

Friday's Intego post lists one of at least six macOS threats that have come to light this month. Others include:

OSX/Linker, a Mac malware family that exploits a zero-day vulnerability in Gatekeeper so that it can install unsigned malware. The exploit technique, which was disclosed by researcher Filippo Cavallarin last month, works by loading installers from a network-shared disk, which is off limits to Gatekeeper.

A cryptocurrency miner dubbed LoudMiner by ESET and Bird Miner by Malwarebytes, the two firms that independently discovered it. The miners, found in a cracked installer for the high-end music production software Ableton Live, work by emulating Linux.

Malware dubbed OSX/Newtab, which tries to inject tabs into the Safari browser. Some of the file names disguise themselves as government forms or recipe apps. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE).

Backdoors dubbed NetWire and Mokes that were installed in in-the-wild attacks exploiting a pair of potent Firefox zero-days to target people involved with cryptocurrencies. Both backdoors were able to bypass Gatekeeper and were undetected by antivirus engines at the time the attacks went live.

The recent activity is an indication that more and more malware developers are finding it worth their time to create malicious wares for macOS, a platform they largely shunned a decade ago. As is the case with Windows computers, the best way to protect Macs against malware is to ensure the OS, browsers, and browser extensions are updated as soon as possible after security patches are released. Another key safeguard is to never run a stand-alone version of Flash (the one built into Chrome is generally OK).

Source: In-the-wild Mac malware kept busy in June—here's a rundown (Ars Technica)
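The article above lists the file and folder names Intego associates with OSX/CrescentCore. The following script turns that list into a repeatable check; it is an added example and not code from the Ars Technica article or from Intego. It assumes the first argument is the root of the file system to inspect ("/" on a live Mac, or a mounted image or test fixture) and the second is the home directory whose Downloads folder should be checked. Because the article does not say where the Safari app-extension bundle lands, both the system and the user Library trees are searched for it by name. A hit means the path needs a closer look (the launch-agent name, for instance, imitates Google's legitimate Keystone updater), not that infection is confirmed.

```shell
#!/bin/sh
# Added example, not code from the article or from Intego.
# Checks a macOS file tree for the OSX/CrescentCore names listed in the
# article. Assumptions: $1 is the root to inspect ("/" on a live Mac or a
# mounted image), $2 is the user home whose Downloads folder is checked.
# Every match is printed as one "INDICATOR: <path>" line.

crescentcore_scan() {
    root="${1:-/}"
    home_dir="${2:-$HOME}"

    # 1. Fixed system-wide paths from the write-up.
    for rel in \
        "Library/com.apple.spotlight.Core" \
        "Library/Application Support/com.apple.spotlight.Core" \
        "Library/LaunchAgents/com.google.keystone.plist"
    do
        [ -e "$root/$rel" ] && echo "INDICATOR: $root/$rel"
    done

    # 2. The fake Flash installer image: Player.dmg, "Player 1.dmg",
    #    "Player (2).dmg" and similar, sitting directly in ~/Downloads.
    if [ -d "$home_dir/Downloads" ]; then
        find "$home_dir/Downloads" -maxdepth 1 -name 'Player*.dmg' 2>/dev/null |
            sed 's/^/INDICATOR: /'
    fi

    # 3. The Safari app-extension bundle; the article does not say where it
    #    lands, so both Library trees are searched by name.
    for base in "$root/Library" "$home_dir/Library"; do
        [ -d "$base" ] || continue
        find "$base" -name 'com.player.lights.extensions.appex' 2>/dev/null |
            sed 's/^/INDICATOR: /'
    done
    return 0
}

# Number of indicators found, as a single value for scripts and tests.
crescentcore_hits() {
    crescentcore_scan "$@" | wc -l | tr -d ' '
}

# Usage on a live Mac (reading /Library may need elevated rights):
#   crescentcore_scan / "$HOME"
```

Run it per user account, since the Downloads folder and the user Library are per-account; on a multi-user Mac loop over the entries of /Users.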
  24. The New York Times reported over the weekend that the United States planted potentially destructive malware in Russia's electric power grid, but President Donald Trump has denied the claims.

The newspaper has learned from current and former government officials that the U.S. has been probing control systems of the Russian power grid since at least 2012 as part of reconnaissance operations. However, the officials claimed the U.S. recently ramped up its efforts and started launching more offensive activities that involve placing "potentially crippling malware [...] at a depth and with an aggressiveness that had never been tried before."

According to The New York Times, these hacking operations are meant as a warning to Russian President Vladimir Putin and appear to show how the White House is using new authorities granted last year to the U.S. Cyber Command. There is no evidence that the planted malware was actually used to cause any disruption.

U.S. government agencies contacted by the newspaper did not comment on the allegations, but President Trump said on Twitter that the story was not true.

"Do you believe that the Failing New York Times just did a story stating that the United States is substantially increasing Cyber Attacks on Russia. This is a virtual act of Treason by a once great paper so desperate for a story, any story, even if bad for our Country," Trump wrote. "ALSO, NOT TRUE! Anything goes with our Corrupt News Media today. They will do, or say, whatever it takes, with not even the slightest thought of consequence! These are true cowards and without doubt, THE ENEMY OF THE PEOPLE!" he added.

Two officials told The Times that they believed Trump had not been briefed in detail about the steps to plant malware inside Russian systems due to concerns over his reaction and the possibility that he could either cancel the operation or discuss it with foreign officials. However, national security adviser John Bolton did say last week that Russia or anyone else engaged in cyber operations against the United States "will pay a price."

There have been several confirmed and unconfirmed reports describing cyberattacks launched by the U.S. against its adversaries, including North Korea, Iran and the Islamic State. However, when it comes to Russia, the United States has mostly played the victim, often accusing Moscow — directly or indirectly — of launching cyberattacks and online misinformation campaigns.

There have been reports of Russia-linked hackers targeting control systems in energy facilities in the U.S. and, most recently, a threat actor with apparent ties to a Russian government-backed research institute was spotted targeting electric utilities in the United States and the Asia-Pacific region. Recent disruptions to electrical grid operations in the United States have been blamed on a denial-of-service (DoS) incident, but no power outages were reported and the incident was apparently not part of a coordinated hacking operation.

Source
  25. ESET analysis uncovers a novel technique bypassing SMS-based two-factor authentication while circumventing Google's recent SMS permissions restrictions

When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.

We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google's recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.

The apps impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users' accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device's display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening.

The malware, all forms of which are detected by ESET products as Android/FakeApp.KP, is the first known to sidestep the new SMS permission restrictions.

The malicious apps

The first of the malicious apps we analyzed was uploaded to Google Play on June 7, 2019 as "BTCTurk Pro Beta" under the developer name "BTCTurk Pro Beta". It was installed by more than 50 users before being reported by ESET to Google's security teams. BtcTurk is a Turkish cryptocurrency exchange; its official mobile app is linked on the exchange's website and only available to users in Turkey.

The second app was uploaded on June 11, 2019 as "BtcTurk Pro Beta" under the developer name "BtSoft". Although the two apps use a very similar guise, they appear to be the work of different attackers. We reported the app on June 12, 2019 when it had been installed by fewer than 50 users.

After this second app was removed, the same attackers uploaded another app with identical functionality, this time named "BTCTURK PRO" and using the same developer name, icon and screenshots. We reported the app on June 13, 2019.

Figure 1 shows the first two malicious apps as they appeared on Google Play.

Figure 1. The fake BtcTurk apps on Google Play

The novel 2FA bypass technique

After installation, both apps described in the previous section follow a similar procedure. In this section of the blogpost, we will describe the novel 2FA bypass technique using the first app, "BTCTurk Pro Beta", as an example.

After the app is launched, it requests a permission named Notification access, as shown in Figure 2. This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.

Figure 2. The fake app requesting Notification access

The Notification access permission was introduced in Android version 4.3 (Jelly Bean), meaning almost all active Android devices are susceptible to this new technique. Both fake BtcTurk apps require Android version 5.0 (KitKat) or higher to run; thus they could affect around 90% of Android devices.

Once the user grants this permission, the app displays a fake login form requesting credentials for BtcTurk, as shown in Figure 3.

Figure 3. The fake login form displayed by the malicious app

After credentials are entered, a fake error message in Turkish is displayed, as seen in Figure 4. The English translation of the message is: "Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding." In the background, the entered credentials are sent to the attacker's server.

Figure 4. The fake error message displayed by the malicious app

Thanks to the Notification access permission, the malicious app can read notifications coming from other apps, including SMS and email apps. The app has filters in place to target only notifications from apps whose names contain the keywords "gm, yandex, mail, k9, outlook, sms, messaging", as seen in Figure 5.

Figure 5. Targeted app names and types

The displayed content of all notifications from the targeted apps is sent to the attacker's server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device's ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.

As for effectiveness in bypassing 2FA, the technique does have its limitations – attackers can only access the text that fits the notification's text field, and thus, it is not guaranteed it will include the OTP. The targeted app names show us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting the attacker's access to the OTP.

A fast-evolving technique

Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications. According to our analysis, it was created by the same attacker as the "BTCTurk Pro Beta" app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the "next best" results to stealing SMS messages.

Figure 6. Information about the fake Koineks app on Google Play

How to stay safe

If you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it immediately. Check your accounts for suspicious activity and change your passwords.

Last month, we warned about the growing price of bitcoin giving rise to a new wave of cryptocurrency malware on Google Play. This latest discovery shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.

To stay safe from this new technique, and financial Android malware in general:

- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy
- Keep your device updated
- Use a reputable mobile security solution to block and remove threats; ESET systems detect and block these malicious apps as Android/FakeApp.KP
- Whenever possible, use software-based or hardware token one-time password (OTP) generators instead of SMS or email
- Only use apps you consider trustworthy, and even then: only allow Notification access to those that have a legitimate reason for requesting it

Indicators of Compromise (IoCs)

MITRE ATT&CK

Source
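The last piece of ESET's advice above is to grant Notification access only to apps with a legitimate reason for it. On a device attached over adb, the set of apps currently holding that permission can be read from the secure setting `enabled_notification_listeners`, which is a colon-separated list of "package/ListenerClass" entries (or the string "null" when no app holds it). The script below is an added example, not code from the ESET post; it parses that value and flags every package that is not on an allowlist of packages you expect to hold the permission (a smartwatch companion, a mail client). The sample setting value and the allowlist are constructed for the demonstration, and `com.placeholder.fakeexchange` is a placeholder package name, not one from the post.

```shell
#!/bin/sh
# Added example, not code from the ESET post. Audits which apps hold the
# Android "Notification access" permission described in the post.
# On a device attached over adb the raw value comes from:
#   adb shell settings get secure enabled_notification_listeners
# Format: "pkgA/ListenerClassA:pkgB/ListenerClassB" or "null".
# The allowlist of package names is an assumption to tailor per fleet.

# Print one "REVIEW:" line per package that holds notification access but
# is not in the space-separated allowlist passed as $2.
audit_notification_listeners() {
    raw="$1"
    allow="$2"

    # "null" or an empty value means no listener is enabled at all.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi

    # Split entries on ':' and keep only the package part before '/'.
    printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u |
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        case " $allow " in
            *" $pkg "*) ;;   # expected listener, nothing to report
            *) echo "REVIEW: $pkg holds notification access" ;;
        esac
    done
    return 0
}

# Wrapper for a live device; assumes adb is on PATH and one device attached.
audit_attached_device() {
    audit_notification_listeners \
        "$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')" \
        "$1"
}

# Constructed sample: a watch companion and a mail client are expected,
# a third package (placeholder name) is not.
SAMPLE_LISTENERS='com.example.watch/com.example.watch.NotifListener:com.example.mail/com.example.mail.svc.Listener:com.placeholder.fakeexchange/com.placeholder.fakeexchange.NotifService'
SAMPLE_ALLOWLIST='com.example.watch com.example.mail'

# Usage with the constructed sample:
#   audit_notification_listeners "$SAMPLE_LISTENERS" "$SAMPLE_ALLOWLIST"
# Usage against an attached device:
#   audit_attached_device "$SAMPLE_ALLOWLIST"
```

Any package this flags should be checked in Settings under the notification access list and, if it has no reason to read notifications, revoked there and uninstalled if unrecognised; a newly installed "exchange" app holding this permission is exactly the pattern the post describes.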