Showing results for tags 'malware'.
Found 336 results

  1. Fin7 Ramps Up Campaigns With Two Fresh Malware Samples

     Despite the 2018 crackdown on Fin7, the cybercrime group has been ramping up its efforts with two new malware samples and an attack panel.

     Despite the arrest of several Fin7 members in 2018, the cybercrime group has ramped up its efforts in a series of widespread campaigns hitting businesses with two never-before-seen malware samples. Researchers with Flashpoint said Wednesday that they have discovered a new administrative panel and two previously unseen malware samples, dubbed SQLRat and DNSBot, in a series of Fin7 campaigns. The campaigns, which may have started as early as January 2018, are hitting businesses with malware embedded in documents and sent via phishing emails, in hopes of stealing payment cards.

     “Despite the arrests of three prominent members of the Fin7 cybercrime gang beginning in January 2018, attacks targeting businesses and customer payment-card information did not cease,” Flashpoint Principal Threat Researchers Joshua Platt and Jason Reaves said in a Wednesday analysis.

     Fin7 – A Costly History

     Since 2015, Fin7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Fin7 has also used a backdoor linked to Carbanak (another prolific cybercrime outfit responsible for billions in losses in the financial services industry) and has stolen more than 15 million payment-card records from American businesses by infiltrating more than 6,500 individual point-of-sale terminals at more than 3,600 business locations, according to the Department of Justice (DoJ). In August 2018, the DoJ announced it had arrested three Fin7 members, who were identified as Ukrainian nationals and charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

     However, the group’s new malware samples and an attack panel indicate that Fin7 doesn’t appear to be going anywhere. “This suggests there are plenty of surviving members with sufficient knowledge to continue the operation with ease,” Platt and Reaves told Threatpost.

     New Malware, Attack Panel

     The group is using a new attack panel, called Astra, which has its back end installed on a Windows server with Microsoft SQL. The panel was written in PHP and it manages the content in the tables. The attack panel essentially functions as a script-management system, allowing Fin7 to quickly push attack scripts down to compromised computers, researchers said.

     The attack panel was found being used in a series of campaigns, which typically infect machines initially through phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document, researchers said. Within these documents researchers discovered the two new malware samples.

     One of these is called SQLRat. Campaigns using this malware typically involve a lure document which, once opened, displays an image overlaid by a Visual Basic (VB) Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script, which executes an obfuscated JavaScript file. The malware then drops files and executes SQL scripts on the host’s system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables, researchers said.

     “The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does,” researchers said. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered.”

     The other malware sample was a multiprotocol backdoor, called DNSBot, used to exchange commands and transmit data to and from victim machines. The malware was embedded in documents sent via emails. While the embedded JavaScript-based backdoor operates over DNS traffic, it can also switch to encrypted channels such as HTTPS or SSL, researchers said.

     “The campaigns maintain persistence on machines by creating two daily scheduled task entries,” researchers said. “The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

     To protect against both malware samples, Flashpoint recommends that businesses watch out for newly added Windows tasks, specifically those with a JScript switch. “Flashpoint also recommends implementing host-based detections for new files in %appdata%\Roaming\Microsoft\Templates\ with a dot extension, as well as implementing host-based detections for files in %appdata%\local\Storage\,” researchers said.

     Source
  2. New Sextortion Scam Says Adult Sites Infected Victims with Malware

     A new sextortion scam is informing victims that their computers suffered a malware infection after they visited an adult website.

     In this latest ruse, digital criminals claim that they infected a user with malware after they visited a child pornography website. They then say that they leveraged that infection to capture compromising video footage of the user. Finally, the attackers threaten to share the video with the targeted user’s email contacts and Facebook friends unless they meet the extortionists’ demands and pay $2,000 worth of Bitcoin within 72 hours.

     Here’s a copy of the scam note, as provided by Bleeping Computer.

     [Image: Final Warning Sextortion Scam Email (Source: Bleeping Computer)]

     As you can see, the digital criminals threaten that they’ll release the video if the user tries to deceive them. As quoted in the note shared by Bleeping Computer:

     You can visit the police but nobody will help you. I know what I am doing. I don’t live in your country and I know how to stay anonymous. Don’t try to deceive me – I will know it immediately – my spy ware is recording all the websites you visit and all keys you press. If you do – I will send this ugly recording to everyone you know, including your family. Don’t cheat me! Don’t forget the shame and if you ignore this message your life will be ruined.

     This isn’t the first time that bad actors have preyed on users with sextortion scams. Indeed, there have been no less than three such sextortion variants since July 2018. The earliest version used breached passwords to trick victims into meeting their demands. Another variant used redacted phone numbers, while the most recent iteration infected users with GandCrab ransomware.

     As with these earlier versions, users who come across the newest sextortion scam variant discussed above should not give in to the extortionists. They should instead keep an up-to-date security solution installed on their devices as well as exercise caution around suspicious email attachments and embedded links.

     Source
  3. Beware!! New Windows .exe Malware Found Targeting macOS Computers

     A malicious Windows EXE file can even infect your Mac computer as well. Yes, you heard me right — a .exe malware on macOS.

     Security researchers at antivirus firm Trend Micro have discovered a novel way hackers are using in the wild to bypass Apple's macOS security protection and infect Mac computers by deploying malicious EXE files that normally run only on Windows computers.

     Researchers found several samples of malicious macOS applications (.dmg) masquerading as installers for popular software on a torrent site that include an EXE application compiled with the Mono framework to make it compatible with macOS. Mono is an open source implementation of Microsoft's .NET Framework that allows developers to create cross-platform .NET applications, which work across all supported platforms, including Linux, Windows and Mac OS X.

     Usually, running any Windows executable results in an error on macOS systems, and its built-in protection mechanisms such as Gatekeeper also skip scanning .exe files for any malicious code.

     "This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files," Trend Micro said in a blog post published Monday.

     The fake installer analyzed by the researchers promised to install the Little Snitch firewall application, but also comes bundled with a Mono-compiled hidden payload, designed to collect and send system information about the targeted Mac computer to a remote command-and-control server controlled by the attackers. Once installed, the exe malware then also downloads and prompts users to install various adware apps, some of which disguise themselves as legitimate versions of Adobe Flash Media Player and Little Snitch.

     During their analysis, the researchers found "no specific attack pattern" associated with the malware, but their telemetry showed that the highest numbers of infections existed in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.

     Interestingly, the security researchers could not get the same malicious EXE file to run on Windows — attempting to run the file on Windows resulted in an error, which means that this malware has been designed to target macOS users specifically.

     "Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries," researchers explained. "In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS' security features. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts."

     The best way to protect yourself from falling victim to such malware is to avoid downloading apps, tools, and other files on your computers from torrent websites or any untrusted source.

     Source
  4. Malware can bypass multi-factor authentication to gain access to cryptocurrency wallets - and also drops mining malware on infected machines.

     Mac users are being targeted with newly discovered Mac malware that aims to steal the contents of cryptocurrency wallets. Dubbed CookieMiner by researchers because of its capability for stealing browser cookies associated with cryptocurrency exchanges and wallet service websites visited by the victim, the malware has been uncovered by Palo Alto Networks.

     In addition to stealing and trading the contents of cryptocurrency wallets, CookieMiner also plants a cryptojacker onto the infected OSX machine, enabling the attackers to secretly mine for additional digital currency. In this instance, it's Koto, a lesser-known cryptocurrency that offers users anonymity. It's mostly used in Japan.

     It's still unknown how the newly detected malware gains access to systems, but once there, CookieMiner examines browser cookies with links to cryptocurrency exchanges and websites that reference blockchain. Exchanges targeted include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.

     Using a shell script, it steals Google Chrome and Apple Safari browser cookies from the victim's machine, uploading them to a folder on a remote server. By doing this, it can extract the required login credentials and the cookies required to make it look as if the new login attempt is coming from a machine previously used by the victim — therefore preventing it from looking suspect.

     "What it wants to do in combination with credentials which it's harvested is impersonate that user from their own system," Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks' Unit 42 research division, told ZDNet. "So they use the cookies to try and get past that initial login without suspicion."

     It isn't just the victim's Mac that is targeted by CookieMiner — if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts.

     Once the attackers have access to the wallets, they have all the same privileges as the user, which they can use to steal the contents of the wallet. It's also possible that the attackers could game the system, trading large amounts of cryptocurrency in an effort to boost valuations for their own ends.

     "If the adversary gets access to someone's account on the exchange, they can buy and sell cryptocurrency. Buying and selling a lot could change the price of the cryptocurrency, in which case they can use it to profit," said Hinchliffe.

     The attack isn't over after the adversaries are done using the wallets — they drop a cryptocurrency miner that appears to be highly active, ranking as the top miner for Koto. Filenames associated with the wallet reference xmrig, something usually used by Monero miners, but it's thought that the attackers have employed this with their Koto scheme in order to generate confusion.

     CookieMiner also drops a script for persistence and remote control of the infected machine, allowing them to check in on the machine and send commands — although all of this currently appears to be related to mining.

     It's believed that the cyber criminal campaign is still active and researchers recommend that cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

     Source
  5. This malware uses debt to prey on banking victims

     Redaman uses screen capture and keylogging to grab the credentials required to break into online bank accounts.

     A new malware campaign targeting Russian speakers is using the threats of debt and missing payments to dupe victims into downloading and executing a banking Trojan. The round of attacks, as described by Palo Alto Networks' Unit 42 security team, was tracked over the last four months of 2018.

     The attack vector is broad and involves the mass distribution of spam and phishing emails rather than selected, targeted attacks. The emails sent, however, use a number of subject lines which could induce panic or fear in unsuspecting would-be victims -- the threat of debtors or payments owed, a situation many of us are familiar with. These subject lines include "Debt due Wednesday," "Payment Verification," and "The package of documents for payment 1st October," among other financial subjects. The subject headers constantly change, but the researchers say they "all have a common theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve."

     "These messages are often vague, and they contain few details on the alleged financial issue," Unit 42 added. "Their only goal is to trick the recipient into opening the attached archive and double-clicking the executable contained within."

     The focus of the campaign is to spread a banking Trojan known as Redaman. First discovered in 2015, this malware was first known as the RTM banking Trojan (.PDF).

     Upon execution, the executable file containing the Trojan will first launch a scan to ascertain whether or not the program is running in a sandbox environment, commonly used by security researchers to unpack malware samples. If the malware uncovers files or directories on a Windows machine which suggest virtualization or sandboxing, the executable exits.

     If the target machine appears legitimate, the Windows executable will drop a DLL file in the PC's temporary directory, create a randomly-named folder in the ProgramData directory, and shift the DLL to this folder, again using a random file name. The Redaman DLL then creates a scheduled Windows task which triggers every time the user logs on to the machine in order to maintain persistence.

     The malware uses a hooking system to monitor browsing activity. Chrome, Firefox, and Internet Explorer are of particular interest to Redaman, which will also search the local host for any information related to banking or finance.

     Redaman's goal is to steal banking credentials and other data which, once sent to the malware's operators, can be used to compromise accounts and potentially steal the victim's funds or conduct identity theft. The Trojan is also able to download additional files to an infected host, use keylogging, capture screenshots, record video of a Windows desktop session, alter DNS configurations, steal clipboard data, terminate running processes, and add certificates to the Windows store.

     The spam messages used to spread Redaman have file attachments which are Windows executables disguised as .PDF documents, or sent as .zip, 7-zip, .rar, or .gz gzip archives. Russian recipients are the main focus at present; however, individuals in the US, Netherlands, Sweden, Japan, Kazakhstan, Finland, Germany, Austria, and Spain are also being targeted.

     Palo Alto expects to see new samples of Redaman appear in the wild over the coming year.

     Source
  6. Multiple threat actors are using relatively simple techniques to take advantage of the vulnerability, launching cryptominers, skimmers, and other malware payloads.

     Last month a code execution vulnerability was found in the ThinkPHP framework, a rapid-development framework developed by Chinese firm TopThink. While the vulnerability, designated CVE-2018-20062, was patched by the developer, a researcher has now found active exploits of the vulnerability in the wild.

     Larry Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, was doing research on a recent Magecart attack targeting extensions to the Magento e-commerce platform when he noticed a malware request he hadn't seen before – a request to ThinkPHP.

     "I realized there was a software framework developed in China that had this vulnerability, and it was being taken advantage of to install coin miners and skimmers," Cashdollar says. "They [also] were using it to install any kind of payload targeting Windows machines, IoT devices, or to mine Bitcoin or Monero coins."

     In a blog post describing the new attacks, Cashdollar wrote that multiple threat actors are using relatively simple techniques to take advantage of the vulnerability. He pointed out that a single line of code can scan for the presence of the vulnerability, which can then be exploited with attacks involving simple cut-and-paste code that is widely available.

     One of the payloads Cashdollar has seen delivered is a Mirai variant – a development he has worried about, he says. "I had been waiting for Mirai botnet kits to include Web app code in their arsenal," he says, "and this was an indicator that it's happening."

     The code being executed through the PHP framework calls can skip a series of steps long considered essential for malware. "Back in the 1990s, people were always trying to get root access," Cashdollar says. "Now it doesn't matter. They just want to execute code on the system as any user so they can share malware or mine coin. They want to execute code on as many systems as possible."

     Systems hit by this exploit are largely concentrated in Asia, which is where the ThinkPHP framework was developed and is very popular. Nothing in the attack limits it to the Asia-Pacific region, though, and Cashdollar says that attackers are actively scanning systems across the globe, including Europe and the US. "I'm seeing about 600 scans a day for it," he explains. "They're scanning across all verticals, software companies, car rentals, and others."

     Asked about security and remediation, Cashdollar says he has seen some Web application security companies begin to write advisories to their customers regarding the vulnerability. In addition, he recommends that companies ask development groups about the use of the ThinkPHP framework. If it is being used, Cashdollar says, it should be updated to the current version immediately.

     Source
  7. JavaScript Malware in Spam Spreads Ransomware, Miners, Spyware, Worm

     We observed a sudden spike in JavaScript malware in more than 72,000 email samples that sourced and spread at least eight other kinds of malware (such as GandCrab ransomware and coinminers) beginning December 31, 2018. Our telemetry showed the highest detections from Japan, India, the United States, Germany, Taiwan, the Philippines and Canada, with the majority of the targets in the education, government, manufacturing and banking industries. As of publishing, the IP address has been blocked. Trend Micro machine learning and behavioral detection technology proactively blocked the malicious JavaScript at the time of discovery.

     [Figure 1. Data from the Trend Micro Smart Protection Network™ showed a spike in malware spread beginning 2019, with January 3 having the most number of detections.]

     [Figure 2. Countries with the most number of detections for infections.]

     Behavior

     The spam mails have different subject headings with random email addresses, as reported by SANS ISC. Clicking on the attached ZIP file triggers the JavaScript (detected by Trend Micro as TROJAN.JS.PLOPROLO.THOAOGAI) to download malware such as GandCrab, Smoke, AZORult, Phorpiex and coinminers from the command and control (C&C) server.

     [Figure 3. Over 72,000 mail samples with the JavaScript malware.]

     [Figure 4. Malware payloads spread by this campaign.]

     [Read: Spam campaign abusing SettingContent-ms Found dropping same FlawedAmmyy RAT distributed by Necurs]

     The sudden increase in our detection systems revealed thousands of unique SHAs in a matter of days. The IP address (which we traced to have been registered in Russia) is no longer accessible as of writing, but the payloads can still be sourced online. Interestingly, the cybercriminals change the malware included in the .EXE files, and spread different kinds of malware depending on the region and industry targeted.

     [Figure 5. The script downloads different malware from the IP address.]

     As of writing, this .EXE was analyzed to download GandCrab.

     [Figure 6. Even when the registered IP address has been blocked, other sites source the file for the malware and send the spam emails.]

     Cybercriminals will employ new and even older techniques to compromise users and enterprises for profit. JavaScript malware in malspam campaigns is not new, but remains dangerous for users because it may no longer require executables nor further interactions with the user to be launched. Moreover, when the malicious code is saved on the hard drive, Windows can run it by default based on the code referenced to the JavaScript libraries used by JavaScript-enabled pages online.

     [Read: Same old yet brand new: New file types emerge in malware spam attachments]

     Opening malicious email or attachments can launch malware downloads, not only to access, collect and steal proprietary and system information, but to possibly enable other functions such as remote administrator controls with malicious intent. To defend against these types of threats:

     • Avoid clicking on or opening emails, URL links, or attachments from suspicious or unfamiliar senders.
     • Regularly back up important files. Practice the 3-2-1 system.
     • Install a multi-layered protection system that can detect and block malicious emails, attachments, URLs and websites.

     Source
  8. Malware was also available inside an official Alcatel app available through the Google Play Store.

     A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs.

     The app, named "Weather Forecast-World Weather Accurate Radar," was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands. The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users -- where it had been downloaded and installed more than ten million times.

     But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week.

     App caused financial losses to users

     The infection came to light last summer, when Upstream, a UK-based mobile security firm, discovered suspicious traffic originating from the smartphones of some of its customers. In a report published this week and shared with ZDNet, the company says it initially detected that the app was harvesting users' data and sending it to a server in China. The app collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL.

     But this weather app isn't the only suspicious app with intrusive permissions that collects data and sends it back to China. There are plenty of those around already. Upstream devs also found that in certain regions, the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users' phone bills.

     In Brazil, 2.5 million transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. Those 2.5 million transaction attempts to purchase a digital service originated from 128,845 unique mobile phone numbers. In Brazil again but for another premium digital service, 428,291 transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. In Kuwait, 78,940 transaction attempts initiated from Alcatel devices were blocked in July and August 2018. Transaction attempts initiated by this Weather application on Alcatel devices were also blocked in Nigeria, South Africa, Egypt, and Tunisia.

     All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn't been blocked.

     On top of these transactions, Upstream devs also spotted adware-like behavior that originated from an infected phone they'd purchased from its former owner. The weather app, which ran in the phone's background, also started hidden browser windows that loaded web pages and clicked on ads. "We recorded 50MB to 250MB of data per day being consumed by the application's unwanted activity," researchers said. This means that on top of driving up phone bills by subscribing users to premium numbers, the app was also most likely depleting internet access data plans, incurring even more financial losses to victims.

     Two Alcatel smartphone models mainly affected

     According to Upstream, most of the behavior they've seen originated only from two types of smartphones, Pixi 4 and A3 Max models. However, the company doesn't have a worldwide view into infected devices, and many more could still be infected, especially users who downloaded the app from the Play Store.

     Google has removed the app (com.tct.weather) from the Play Store after Upstream worked with Wall Street Journal reporters to notify both TCL and Google. The point of the compromise doesn't appear to be with some shady phone supplier or rogue telecom provider in any of the affected countries, mainly because both the preinstalled and Play Store apps were affected in the same way. The source of the infection appears to be a TCL developer who had his system compromised, although this is only a theory.

     "The suspicious activity stopped after the WSJ contacted TCL," an Upstream spokesperson told ZDNet yesterday via email, "although the data collection continued."

     Upstream told ZDNet that it's currently working with TCL on investigating the issue further. The company also said they didn't analyze the other apps uploaded on the Play Store from the same TCL account, but they didn't find any suspicious activity originating from them either.

     Source
  9. Virus interferes with publishing at Southern California printing plant.

     A malware attack is suspected of preventing production on Saturday of several newspapers, including the Wall Street Journal and Los Angeles Times.

     The suspected malware attack affected the computer systems at Tribune Publishing's Southern California printing plant beginning Thursday night, said Jeff Light, the editor and publisher of the San Diego Union-Tribune. The systems are shared by the Times and Union-Tribune. By Friday, the virus had spread to critical systems necessary to publish the newspapers, as well as the Southern California versions of the Wall Street Journal and New York Times, Light wrote in an online note to readers.

     "Technology teams from both companies made significant progress against the threat, but were unable to clear all systems before press time," Light wrote. "We are working to restore full service and to continue to make our journalism available to you both in print and digitally."

     Malware has in recent years become an increasingly common weapon against a wide variety of organizations, including hospitals, banks and government institutions. It wasn't immediately clear whether law enforcement officials had been contacted. Representatives for the Los Angeles Times said they had no additional information or comment, while Tribune Publishing representatives didn't immediately respond to a request for comment.

     Print subscribers should get Saturday's paper delivered with Sunday's edition, Light said, citing information provided by Joe Robidoux, Tribune Publishing's director of distribution.

     Source
  10. A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

     First detailed last year, the adversary is mainly focused on governmental targets in Iraq and Saudi Arabia, but attacks appear difficult to attribute. Security researchers linked the actor to multiple attacks this year and even revealed an expanded target list. From the start, the attack group has been using phishing emails as the primary vector in its elaborate espionage attacks, and has made only minor changes to the tools, techniques and procedures (TTPs) employed.

     According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, and which were uploaded to Virus Total from Turkey. The documents would drop a new backdoor written in PowerShell, and which is similar to MuddyWater’s known POWERSTATS malware. Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say.

     When opened, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content. The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

     The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware. The threat collects system information such as OS name, domain name, user name, IP address, and more, and saves it using the separator “::” between each piece of information.

     For communication, the malware uses files named <md5(hard disk serial number)> with various extensions, based on the purpose of the file: .cmd (text file with a command to execute), .reg (system info generated by the myinfo() function), .prc (output of the executed .cmd file, stored on the local machine), and .res (output of the executed .cmd file, stored on cloud storage). These files are used as an asynchronous mechanism, with the malware operator leaving a command to execute in a .cmd file and returning to retrieve the .res files. The content encoding, however, differs between the MuddyWater backdoor and the new malware.

     Commands supported in the backdoor include file upload, persistence removal, exit, file download, and command execution.

     “Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

     Source
  11. Two reports call out the most serious malware attacks and attackers of the year (so far). What is the worst malware to rear its head in 2018? The year isn't quite over, but candidates for the role of "worst" have made themselves clear. According to a new report issued by Webroot, among the worst are three large botnets. The list starts with Emotet, included because of its ability to spread laterally within a victim's network. Trickbot follows, both on the list and in the wild, adding capabilities (including the ability to carry ransomware payloads) to the ones introduced by Emotet. Zeus Panda is the third member of the botnet and banking Trojan trio, included because it employs a wide variety of distribution methods to infect its victims. These botnets are, together, part of a major trend that has been building for some time, says Chris Doman, an AlienVault threat engineer. "One of the new, interesting trends is that the commercial malware people are looking toward open source and rentable malware because it makes them harder to trace and means that they can pay others to do development," he states. Malware-as-a-service puts malicious capabilities into the hands of those who may have very little technical sophistication, he adds. AlienVault, an AT&T company, has released its own report that looks at the top threats and exploits seen in the first half of the year. It finds that malicious actors are broadening the horizons on which they attack and constantly shifting their approaches to evade detection and remediation. Asked whether the overall news regarding malware is good or bad, Doman says, "The answer varies depending on which side you're looking at. Are there more threats out there and more exploitable vulnerabilities? Yes." At the same time, he says, "The defensive side is getting better. It doesn't get the attention because it's not as sexy as the hacking, but there are a lot of things today that are built in and we don't have to think about." 
One of the areas AlienVault's research looked at is major threat actors; this year, Lazarus took the No. 1 spot from Fancy Bear as the most-reported. The top 10 malicious actors were distributed across the globe, launching threats from North Korea (two groups), Russia (three), Iran (two), China (two), and India (one). According to the Webroot report, those top malicious actors have been busy in both rentable malware networks and ransomware. Webroot identifies the three worst ransomware actors for 2018 as Crysis/Dharma, GandCrab, and SamSam. According to the AlienVault report, one change from 2017 is the distribution of the top threats and vulnerabilities across platforms. Whereas 2017's top vulnerabilities were found almost exclusively in Microsoft Office and Adobe Flash, this year hackers have exploited vulnerabilities in Web application servers and Internet of Things (IoT) devices. That said, Microsoft Office still accounts for half the top 10, and Adobe Flash is still the home of the third vulnerability. The malicious actors are increasingly turning from a near-exclusive focus on Microsoft and Adobe software to remote exploits of IoT and Web application platforms, such as Drupal, as they build cryptomining botnets to generate ready income and remain under the radar of law enforcement agencies. Javvad Malik, security advocate at AlienVault, says that many of those technologically unsophisticated criminals have turned their hands to ransomware. "Because of the ease of deployment and the open system nature, [ransomware] can be deployed by people who aren't hardened criminals," Malik says. "It could pay for someone's college fees, and then the cultural issues come in, where the perpetrators don't see it as a real crime." AlienVault's Doman says the Internet has, so far, avoided the mass wave of ransomware that marked 2017. "One thing that struck me is that last year we had things like WannaCry and BadRabbit — a few big worms that spread around causing chaos. 
They had ties to nation-states," he says. "This year we haven't had so much. There was Olympic Destroyer, but it was a one-off." Despite the focus on bad actors and malware, one piece of good news is that improved information sharing about malicious software is becoming standard practice in the security field, Malik says. "A lot of the improvements are down to the more open sharing nature of what we're doing," he says. "We're seeing a lot more independent researchers reaching out and sharing their data and research. I think that's a very good thing." Source
  12. According to a report from the MalwareHunterTeam, hackers are using freelancing web applications such as Fiverr and Freelancer to distribute malware disguised as job offers. The offers contain attachments that pretend to be a job description but actually install keyloggers such as Agent Tesla or Remote Access Trojans (RATs) in victims' files. For example, an attacker can create a fake job offer with the "my details.doc" attachment and send it to multiple users. As job briefs are commonly sent as attachments, to the targets they look like legitimate job offers. When the victims open the malicious document attached to the job offers, they become infected. If an attacker wished to gain control of a user’s mobile device, they would say the document cannot be opened on a PC and instead can only be opened on a mobile device. Not only are victims opening the attachments and getting infected, but some of them are asking for support when they have problems opening the document. Attackers are using innovative ways to distribute their malware and also going the extra mile in “helping” these victims to install their malware on their devices. For example, a user responded to the attacker stating that they were unable to open it on their mobile device, and the attacker responded that they need to open it on their PC. It is important to have updated anti-virus software and OS patches installed on your systems. If you are unsure of an attachment, run it through websites such as VirusTotal, and also consider using a separate sandbox environment for opening attachments. Source
  13. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware." Guide: http://www.selectrealsecurity.com/malware-removal-guide I'll be posting updates. :)
  14. Dozens of people reported receiving an email from Google revealing a potential FBI investigation into people who purchased malware. At least dozens of people have received an email from Google informing them that the internet giant responded to a request from the FBI demanding the release of user data, according to several people who claimed to have received the email. The email did not specify whether Google released the requested data to the FBI. The unusual notice appears to be related to the case of Colton Grubbs, one of the creators of LuminosityLink, a $40 remote access tool (or RAT) that was marketed to hack and control computers remotely. Grubbs pleaded guilty last year to creating and distributing the hacking tool to hundreds of people. Several people on Reddit, Twitter, and on HackForums, a popular forum where criminals and cybersecurity enthusiasts discuss and sometimes share hacking tools, reported receiving the email. “Google received and responded to legal process issued by Federal Bureau of Investigation (Eastern District of Kentucky) compelling the release of information related to your Google account,” the email read, according to multiple reports from people who claimed to have received it. The email included a legal process number. When Motherboard searched for it within PACER, the US government’s database for court case documents, it showed that it was part of a case that’s still under seal. Despite the lack of details in the email, as well as the fact that the case is still under seal, it appears the case is related to LuminosityLink. Several people who claimed to have received the notice said they purchased the software. Moreover, Grubbs’ case was investigated by the same district mentioned in the Google notice. Luca Bongiorni, a security researcher who received the email, said he used LuminosityLink for work, and only with his own computer and virtual machines. The FBI declined to comment. Google did not respond to a request for comment.
Lawyers who specialize in cybercrime told me that it’s not unusual for Google to disclose law enforcement requests when it is allowed to. “It looks to me like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There's nothing unusual about that per se,” Marcia Hofmann, a lawyer who specializes in cybercrime, told Motherboard in an online chat. “It's common when law enforcement is seeking info during an ongoing investigation and doesn't want to tip off the target(s).” What may be unusual and controversial is for the FBI to try to unmask everyone who purchased software that may not necessarily be considered illegal. “If one is just buying a tool that enables this kind of capability to remotely access a computer, you might be a good guy or you might be a bad guy,” Gabriel Ramsey, a lawyer who specializes in internet and cybersecurity law, told Motherboard in a phone call. “I can imagine a scenario where that kind of request reaches—for good or bad—accounts of both types of purchasers.” Source
  15. Malware developers have started to use the zero-day exploit for the Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online. A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler. More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check users' permissions, allowing write privileges on files in C:\Windows\Task. The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the all-access SYSTEM account level. A couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.
PowerPool targets GoogleUpdate.exe
The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine. The researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it. "PowerPool’s developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task," ESET notes.
Threat actor changes permissions of the Google Updater executable
This allows PowerPool to overwrite the Google updater executable with a copy of a backdoor they typically use in the second stages of their attacks. The next time the updater is called, the backdoor launches with SYSTEM privileges.
According to the researchers, PowerPool malware operators likely use the second-stage backdoor only on victims of interest, following a reconnaissance step. Microsoft has not patched the ALPC bug to this day, but it is expected to release a fix in its monthly security updates, on September 11. Some mitigation is possible without Microsoft's help, though the company did not approve it. A solution provided by Karsten Nilsen blocks the exploit and allows scheduled tasks to run, but it may break things created by the legacy Task Scheduler interface. Users of 64-bit Windows 10, version 1803, can mitigate the problem by applying a micropatch. The fix is temporary and requires the installation of the 0patch Agent (https://0patch.com/) from Acros Security. The company makes the source code for the micropatch available in the tweet below: Source
  16. When I start my laptop, in the taskbar, from the process tab, I found the disk is showing 100% and my laptop becomes slow. My antivirus says it's OK. What's the problem?
  17. At Node Summit, coders served some humble pie. Software developers have been lionized in recent years for their influence over the information economy. At the Node Summit in San Francisco, California, on Wednesday, Guy Podjarny, CEO and cofounder of security biz Snyk, reminded an audience full of devs that they've become a popular vector for malware distribution. Programmers, he said, "have become far more powerful today than ever before" in terms of their access to information and their reach. At the same time, he said, they're often overconfident about their susceptibility to attack. He pointed to an internal Salesforce phishing test that found developers were the second most likely group of employees to click on a phishing link. Marketers were the most gullible, apparently. To underscore that point, he recounted the 2013 hack of The Financial Times by the Syrian Electronic Army and an analysis posted by developer Andrew Betts, then director of FT Labs, that acknowledges as much. "Developers might well think they’d be wise to all this – and I thought I was," Betts wrote. To highlight the risk, Podjarny reviewed several examples in which developers propagated malware. Apple's XCode IDE, presently a hefty 5.3GB, weighed in at about 3GB in 2015, he said. That was still too much for programmers in China who had to endure slow download speeds due to the country's Great Firewall. In response, someone placed a copy of XCode on a Baidu file sharing site; however, the software had been altered to include compiler malware called XCodeGhost. The malware, which went undetected for four months and compromised hundreds of apps, modified a CoreServices object file with malicious code that infected iOS apps during compilation. It created extra interface elements designed to capture personal information. "What's interesting is how it propagated," said Podjarny. "CoreServices is not an executable. It is a library linked by the LLVM linker."
Developers in effect were the distribution mechanism. They were the virus. Malware exploiting developers and their tools goes back further still, Podjarny said. There was a similar attack on the Delphi compiler in 2009, known as Induc. And back in 1984, computing luminary Ken Thompson wrote a paper, "Reflections on Trusting Trust," describing how he created a C compiler that automatically inserted a backdoor in the programs it created. "The moral is obvious," Thompson wrote. "You can't trust code that you did not totally create yourself." That sentiment poses a particular problem for the Node.js community, where developers often rely on dozens or hundreds of code libraries (each of which may incorporate other libraries) written by someone else. Developer David Gilbertson touched on the issue in a blog post in January about how easy it would be to create an npm package to steal credit card data. And there have been several attacks on npm and other developer resources like PyPI and RubyGems in recent years. Podjarny offered several mitigation strategies. He advocated automating security controls, as Apple and npm have done with malware scans, and adopting multi-factor authentication for accounts. Organizations, he said, should make it easy to be secure, by auto-expiring access tokens for example. And they should do more to educate developers about security. Vladimir de Turckheim, lead Node.js engineer for security monitoring biz Sqreen, echoed this point in the session that followed, a roundtable discussion of Node.js security. "We are not good at evangelizing good practices in terms of coding," he said. Podjarny, also participating in the roundtable discussion, joked that his CTO recently gave a presentation titled "Stack Overflow, the vulnerability marketplace," in reference to the insecure code examples that get copied and pasted from the coding community site into apps because they're blessed with a green check mark as the accepted solution.
Podjarny's message to developers was to be humble about the possibility that your code may be insecure. "With great power comes great responsibility," he said. "You're trustworthy but you're not infallible." Source
  18. While Apple devices are normally thought of as difficult to hack, researchers have discovered a mysterious malware campaign that specifically targeted Indian iPhone users. However, it only affected 13 iPhones.
Mysterious Malware Campaign Targeted 13 iPhones in India
As revealed in a recent blog post, the researchers from Cisco Talos identified a highly targeted malware campaign against Indian iPhone users. This campaign exploited an open-source Mobile Device Management (MDM) system to take control of the 13 selected iPhones. However, it is yet unknown how the attacker managed to ‘register’ the selected iPhones. “At this time, we don’t know how the attacker enrolled the 13 targeted devices into the MDM. It could be through physical access to the phones, or by using social engineering, motivating the user to enroll their device.” Explaining their work, the researchers wrote in their blog post, “In this campaign, we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.” The researchers consider this mysterious malware campaign unique since it entirely replaced a few apps in the target devices. For this purpose, the attacker used the BOptions sideloading technique to integrate desired features in some common legitimate apps including WhatsApp, Telegram, and PrayTime. He then deployed these customized apps to the 13 targeted iPhones via MDM. Regarding why the hacker adopted this approach, the researchers wrote, “The purpose of the BOptions sideloading technique is to inject a dynamic library in the application.
The malicious code inserted into these apps is capable of collecting and exfiltrating information from the device, such as the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.”
The Attacker Masks His Indian Location As “Russia”
Delving deep into details, the researchers succeeded in extracting the whereabouts of the attacker. Although he tried his best to mask his location as Russia by using a Russian email address, the researchers believe it to be a ‘false flag’ to mislead security researchers. To confirm this speculation, they analyzed the log files placed on the MDM servers and the malware’s C&C server. They found the malware to be in use since 2015 and identified the attacker’s location as India. Although the researchers have comprehensively explained the technicalities associated with this malware campaign, they remained unsuccessful in finding an exact answer as to why the attacker only targeted 13 iPhones. A possible answer to this behavior may be that the attacker wanted to remain under the radar. Probably for the same reason, the malware remained unidentified for the past 3 years. Talos has closely collaborated with Apple to counteract this threat, and we may expect some permanent fixes from Apple to protect their users from such malware attacks, as we usually see them working proactively to maintain users’ privacy and security. < Here >
  19. Cybercriminals are aggressively targeting organizations using cryptomining malware to develop illegal revenue streams, according to Check Point. Meanwhile, cloud infrastructures appear to be the growing target among threat actors.
Most prevalent malware globally
Between January and June 2018, the number of organizations impacted by cryptomining malware doubled to 42%, compared to 20.5% in the second half of 2017. Cryptomining malware enables cybercriminals to hijack the victim’s CPU or GPU power and existing resources to mine cryptocurrency, using as much as 65% of the end-user’s CPU power. The top three most common malware variants seen in H1 2018 were all cryptominers. In a new trend, Check Point detected an increasing number of attacks targeting cloud infrastructures. With organizations moving more of their IT estates and data to cloud environments, criminals are turning to the cloud to exploit its vast computational power and multiply their profits. “The first half of this year saw criminals continue the trend we observed at the end of 2017, and take full advantage of stealthy cryptomining malware to maximize their revenues. We’ve also seen increasingly sophisticated attacks against cloud infrastructures and multi-platform environments emerging. These multi-vector, fast-moving, large-scale Gen V attacks are becoming more and more frequent, and organizations need to adopt a multi-layered cybersecurity strategy that prevents these attacks from taking hold of their networks and data,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point.
Cryptocurrency miners evolve
In 2018, cryptominers have been upgraded with vastly improved capabilities, becoming more sophisticated and even destructive. Motivated by a clear interest to increase the percentage of computational resources leveraged and be even more profitable, cryptominers today target anything that could be perceived as being in their way.
Cryptominers have also evolved recently to exploit high-profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates.
Hackers move to the cloud
So far this year, there have been a number of sophisticated techniques and tools exploited against cloud storage services. Several cloud-based attacks, mainly those involving data exfiltration and information disclosure, derived from poor security practices, including credentials left available on public source code repositories or the use of weak passwords. Cryptominers are also targeting cloud infrastructures to exploit their computational power and multiply profits for threat actors.
Multi-platform attacks on the rise
Up until the end of 2017, multi-platform malware was rare. However, the rise in the number of consumer connected devices and the growing market share of non-Windows operating systems has led to an increase in cross-platform malware. Campaign operators implement various techniques in order to take control over the campaigns’ different infected platforms.
Mobile malware spread via the supply chain
In the first half of this year, there have been several incidents where mobile malware was not downloaded from a malicious URL, but instead arrived already installed on the device. In addition, there was an increase in applications readily available on app stores that were actually malware in disguise, including banking Trojans, adware and sophisticated remote access Trojans (RATs).
Top cryptominers during H1 2018
1. Coinhive (30%) – A cryptominer designed to perform online mining of the Monero cryptocurrency without the user’s approval when a user visits a web page. Coinhive only emerged in September 2017 but has hit 12% of organizations worldwide.
2. Cryptoloot (23%) – A JavaScript cryptominer, designed to perform online mining of the Monero cryptocurrency when a user visits a web page without the user’s approval.
3. JSEcoin (17%) – Web-based cryptominer designed to perform online mining of the Monero cryptocurrency when a user visits a web page without the user’s approval.
Top ransomware during H1 2018
1. Locky (40%) – Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user's files.
2. WannaCry (35%) – Ransomware that was spread in a large-scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue, in order to propagate within and between networks.
3. Globeimposter (8%) – Distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
Top mobile malware during H1 2018
1. Triada (51%) – A modular backdoor for Android which grants superuser privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Lokibot (19%) – A mobile banking Trojan which targets Android smartphones and turns into ransomware when the victim tries to remove its admin privileges.
3. Hidad (10%) – Android malware which repackages legitimate apps and then releases them to a third-party store. It is able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
Top banking malware during H2 2017
1. Ramnit (29%) – A banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
2. Dorkbot (22%) – A banking Trojan which steals the victim’s credentials using web-injects, activated as the user tries to log in to their banking website.
3. Zeus (14%) – A Trojan that targets Windows platforms and often uses them to steal banking information by man-in-the-browser keystroke logging and form grabbing.
Source
  20. MyEtherWallet, a popular site that lets users manage ether wallets, was under a major attack when a hacker added a fake VPN extension to the Google Chrome store. Sadly, the extension was downloaded by thousands of customers, due to which a number of them were hacked.
How Did The Hack Happen?
Hola VPN is a popular Chrome extension that lets users unblock websites that are restricted in a specific region. The app is quite popular due to some websites being blocked in different regions due to state censorship and other such reasons. Hackers made use of this app and modified it so they could hack others. With over 50 million users, the app had a huge consumer base.
What Did The Fake Extension Do?
Upon investigation, it was revealed that customers of MEW (MyEtherWallet) were the targets of the hackers. The extension led to a clone of the original website to hack users with the help of a phishing technique, which is commonly used to hack into systems and accounts.
Who Are The Hackers?
The investigation revealed the hackers used Russian IPs; however, their origin is still unknown. No party has accepted responsibility so far.
Who Was Compromised?
While the exact figures are not available, it is believed that millions of customers have been a victim in some way or another due to this hack. MEW officials have advised all Hola VPN users to transfer their funds to a secure wallet. The total loss is not known at this time, but with crypto being so popular, it must be in the millions.
The Bottom Line
It is still unknown exactly what hackers have gained from this hack so far, but the malicious JavaScript was clearly intent on hacking e-wallets. We need to be careful about how we use apps, as Hola itself has been accused of running attacks in the past. < Here >
  21. Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team.
Info-stealer found in "acroread" Arch Linux package
The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the package's source code, xeactor added malicious code that would download a file named "~x" from ptpb.pw, a lightweight site mimicking Pastebin that allows users to share small pieces of text. When the user would install the xeactor package, the user's PC would download and execute the ~x file [VirusTotal, source code], which would later download and run another file named "~u" [VirusTotal, source code]. Besides downloading ~u, the main purpose of the first file (~x) was also to modify systemd and add a timer to run the ~u file every 360 seconds.
Malware didn't do much
The purpose of the second file (~u) was to collect data about each infected system and post these details inside a new Pastebin file, using the attacker's custom Pastebin API key. Collected data includes details such as the date and time, machine ID, CPU information, Pacman (package manager) details, and the outputs of the "uname -a" and "systemctl list-units" commands. No other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely collecting data in preparation for... something else. There isn't a self-update mechanism included, meaning xeactor would have needed a second acroread package update to deploy more intrusive code, or potentially another malware strain.
Two other yet-to-be-named packages also found infected
The AUR team also said it found similar code in two other packages that the xeactor user has recently taken over, but has not revealed their names. All malicious changes to all three packages have now been reversed, and xeactor's account has been suspended. Arch Linux is the second Linux distro that has found malware in its user-submitted package repository this year. In May, the Ubuntu Store team found a cryptocurrency miner hidden in an Ubuntu package named 2048buntu. < Here >
  22. Rakhni is one of the oldest ransomware strains affecting devices. Partly this is due to it self-updating with the latest patches. The creators of the malware have lately added a cryptocurrency mining component which only deploys on selected PCs. The ransomware has been in the wild since 2013 and remained alive by keeping a low profile. The security experts at Kaspersky Lab have found a new variant of Rakhni which scans the user’s machine before actually infecting the computer with a crypto miner fetched from a remote server. If the malware finds a folder named Bitcoin, it executes a component on the PC which will encrypt the private key of the Bitcoin wallet on the user’s PC. If the malware doesn’t find the Bitcoin folder, it will then deploy a cryptocurrency miner from the remote server and install it so the affected PC can mine the cryptocurrency. The report from Kaspersky also said the miner is mining Monero, Monero Original and Dashcoin. The new version of Rakhni is being distributed via spam emails, with the infection spreading fast in Russia, Kazakhstan, Ukraine, Germany and India. The spam email from the authors contains a malicious Word DOCX file; when the DOCX is opened, it references a PDF file which will execute upon clicking the link. < Here >
  23. Please read it < Here >:

D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan

ESET researchers have discovered a new malware campaign misusing stolen digital certificates.

We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen.

Having confirmed the file’s malicious nature, we notified D-Link, who launched their own investigation into the matter. As a result, the compromised digital certificate was revoked by D-Link on July 3, 2018.

Figure 1. The D-Link Corporation code signing certificate used to sign malware

The malware

Our analysis identified two different malware families that were misusing the stolen certificate – the Plead malware, a remotely controlled backdoor, and a related password stealer component. Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech.

Figure 2. The Changing Information Technology Inc. code signing certificate used to sign malware

Along with the Plead samples signed with the D-Link certificate, ESET researchers have also identified samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc. Despite the fact that the Changing Information Technology Inc. certificate was revoked on July 4, 2017, the BlackTech group is still using it to sign their malicious tools. The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region.

The signed Plead malware samples are highly obfuscated with junk code, but the purpose of the malware is similar in all samples: it downloads from a remote server or opens from the local disk a small encrypted binary blob. This binary blob contains encrypted shellcode, which downloads the final Plead backdoor module.

Figure 3. Obfuscated code of the Plead malware

The password stealer tool is used to collect saved passwords from the following applications:
Google Chrome
Microsoft Internet Explorer
Microsoft Outlook
Mozilla Firefox

Why steal digital certificates?

Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion.

Probably the most infamous malware known to have used several stolen digital certificates is the Stuxnet worm, discovered in 2010 and the malware behind the very first cyberattack to target critical infrastructure. Stuxnet used digital certificates stolen from RealTek and one from JMicron, two well-known technology companies based in Taiwan. However, the tactic is not exclusive to high-profile incidents like Stuxnet, as evidenced by this recent discovery.

IoCs

ESET detection names
Win32/PSW.Agent.OES trojan
Win32/Plead.L trojan
Win32/Plead.S trojan
Win32/Plead.T trojan
Win32/Plead.U trojan
Win32/Plead.V trojan
Win32/Plead.X trojan
Win32/Plead.Y trojan
Win32/Plead.Z trojan

Unsigned samples (SHA-1)
80AE7B26AC04C93AD693A2D816E8742B906CC0E3
62A693F5E4F92CCB5A2821239EFBE5BD792A46CD
B01D8501F1EEAF423AA1C14FCC816FAB81AC8ED8
11A5D1A965A3E1391E840B11705FFC02759618F8
239786038B9619F9C22401B110CF0AF433E0CEAD

Signed samples (SHA-1)
1DB4650A89BC7C810953160C6E41A36547E8CF0B
CA160884AE90CFE6BEC5722FAC5B908BF77D9EEF
9C4F8358462FAFD83DF51459DBE4CD8E5E7F2039
13D064741B801E421E3B53BC5DABFA7031C98DD9

C&C servers
amazon.panasocin[.]com
office.panasocin[.]com
okinawas.ssl443[.]org

Code signing certificates serial numbers
D-Link Corporation:
13:03:03:e4:57:0c:27:29:09:e2:65:dd:b8:59:de:ef
Changing Information Technology Inc:
73:65:ed:e7:f8:fb:b1:47:67:02:d2:93:08:39:6f:51
1e:50:cc:3d:d3:9b:4a:cc:5e:83:98:cc:d0:dd:53:ea
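The IoC list above is only useful once it is matched against your own telemetry, and the three kinds of indicator (file hashes, C&C hostnames, certificate serials) each need a little normalisation first: the hostnames are defanged with "[.]", and certificate serials come out of different tools with or without colons and in either case. The script below is an added example for this thread, not ESET's code; the indicator values are copied from the post, while the DNS log format, the sha1sum-style inventory lines and the sample entries in SAMPLE_DNS_LOG and SAMPLE_HASH_INVENTORY are constructed for the demo. Hostname matching covers the listed hosts and their subdomains only; it deliberately does not widen to the parent domains, which the post does not list.

```python
"""Match the ESET Plead/BlackTech IoCs against DNS logs, a file-hash inventory and cert serials."""
import re
from typing import Dict, List, Optional

# Indicators as published in the write-up quoted above.
SIGNED_SHA1 = {
    "1DB4650A89BC7C810953160C6E41A36547E8CF0B", "CA160884AE90CFE6BEC5722FAC5B908BF77D9EEF",
    "9C4F8358462FAFD83DF51459DBE4CD8E5E7F2039", "13D064741B801E421E3B53BC5DABFA7031C98DD9",
}
UNSIGNED_SHA1 = {
    "80AE7B26AC04C93AD693A2D816E8742B906CC0E3", "62A693F5E4F92CCB5A2821239EFBE5BD792A46CD",
    "B01D8501F1EEAF423AA1C14FCC816FAB81AC8ED8", "11A5D1A965A3E1391E840B11705FFC02759618F8",
    "239786038B9619F9C22401B110CF0AF433E0CEAD",
}
CNC_DOMAINS_DEFANGED = ["amazon.panasocin[.]com", "office.panasocin[.]com", "okinawas.ssl443[.]org"]
CERT_SERIALS = {
    "D-Link Corporation": ["13:03:03:e4:57:0c:27:29:09:e2:65:dd:b8:59:de:ef"],
    "Changing Information Technology Inc": [
        "73:65:ed:e7:f8:fb:b1:47:67:02:d2:93:08:39:6f:51",
        "1e:50:cc:3d:d3:9b:4a:cc:5e:83:98:cc:d0:dd:53:ea",
    ],
}


def refang(domain: str) -> str:
    """Turn the write-up's defanged 'a[.]b' form back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()


def normalize_serial(serial: str) -> str:
    """Strip colons, spaces and case so serials from different tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())


CNC_DOMAINS = [refang(d) for d in CNC_DOMAINS_DEFANGED]
SERIAL_OWNER = {normalize_serial(s): owner for owner, lst in CERT_SERIALS.items() for s in lst}
ALL_SHA1 = {**{h: "signed" for h in SIGNED_SHA1}, **{h: "unsigned" for h in UNSIGNED_SHA1}}
QUERY_RE = re.compile(r"query=(\S+)")  # field layout of the constructed DNS log below


def host_hits(host: str) -> Optional[str]:
    """Return the matching IoC hostname if `host` is that host or one of its subdomains."""
    host = host.rstrip(".").lower()
    for ioc in CNC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag log lines whose queried name matches a C&C hostname."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        ioc = host_hits(m.group(1)) if m else None
        if ioc:
            hits.append({"query": m.group(1).lower(), "ioc": ioc})
    return hits


def scan_hash_inventory(lines: List[str]) -> List[Dict[str, str]]:
    """Lines of '<sha1>  <path>' as produced by sha1sum; flag the known samples."""
    hits = []
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() in ALL_SHA1:
            hits.append({"sha1": parts[0].upper(), "path": parts[1], "category": ALL_SHA1[parts[0].upper()]})
    return hits


def match_serial(serial: str) -> Optional[str]:
    """Map a certificate serial in any common formatting to the owner of a stolen cert."""
    return SERIAL_OWNER.get(normalize_serial(serial))


# Constructed sample telemetry for the demo (not real logs).
SAMPLE_DNS_LOG = [
    "2018-07-09T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2018-07-09T10:00:07Z client=10.0.0.5 query=office.panasocin.com type=A",
    "2018-07-09T10:01:12Z client=10.0.0.9 query=cdn.okinawas.ssl443.org type=A",
    "2018-07-09T10:02:00Z client=10.0.0.9 query=panasocin.com type=A",
]
SAMPLE_HASH_INVENTORY = [
    "1DB4650A89BC7C810953160C6E41A36547E8CF0B  C:\\Users\\alice\\Downloads\\update.exe",
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709  C:\\tmp\\empty.bin",
    "80ae7b26ac04c93ad693a2d816e8742b906cc0e3  /srv/share/tool.exe",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS ", hit["query"], "->", hit["ioc"])
    for hit in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("HASH", hit["category"], hit["sha1"], hit["path"])
    print("CERT", match_serial("130303E4570C272909E265DDB859DEEF"))
```

Against the sample data this reports the office.panasocin.com query and the cdn.okinawas.ssl443.org subdomain query (but not the bare panasocin.com), two hash matches (one signed, one unsigned sample) and maps the colon-free uppercase serial back to the D-Link certificate. Remember that a serial match means the binary was signed with the revoked certificate, which is a strong signal for these campaigns but should still be tied back to the issuer, since serial numbers are only unique per CA.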