Showing results for tags 'malware'.

Found 291 results

  1. The New York Times reported over the weekend that the United States planted potentially destructive malware in Russia’s electric power grid, but President Donald Trump has denied the claims.

     The newspaper has learned from current and former government officials that the U.S. has been probing control systems of the Russian power grid since at least 2012 as part of reconnaissance operations. However, the officials claimed the U.S. recently ramped up its efforts and started launching more offensive activities that involve placing “potentially crippling malware [...] at a depth and with an aggressiveness that had never been tried before.”

     According to The New York Times, these hacking operations are meant as a warning to Russian President Vladimir Putin and appear to show how the White House is using new authorities granted last year to the U.S. Cyber Command. There is no evidence that the planted malware was actually used to cause any disruption.

     U.S. government agencies contacted by the newspaper did not comment on the allegations, but President Trump said on Twitter that the story was not true.

     “Do you believe that the Failing New York Times just did a story stating that the United States is substantially increasing Cyber Attacks on Russia. This is a virtual act of Treason by a once great paper so desperate for a story, any story, even if bad for our Country,” Trump wrote. “ALSO, NOT TRUE! Anything goes with our Corrupt News Media today. They will do, or say, whatever it takes, with not even the slightest thought of consequence! These are true cowards and without doubt, THE ENEMY OF THE PEOPLE!” he added.

     Two officials told The Times that they believed Trump had not been briefed in detail about the steps to plant malware inside Russian systems due to concerns over his reaction and the possibility that he could either cancel the operation or discuss it with foreign officials. However, national security adviser John Bolton did say last week that Russia or anyone else engaged in cyber operations against the United States “will pay a price.”

     There have been several confirmed and unconfirmed reports describing cyberattacks launched by the U.S. against its adversaries, including North Korea, Iran and the Islamic State. However, when it comes to Russia, the United States has mostly played the victim, often accusing Moscow — directly or indirectly — of launching cyberattacks and online misinformation campaigns.

     There have been reports of Russia-linked hackers targeting control systems in energy facilities in the U.S. and, most recently, a threat actor with apparent ties to a Russian government-backed research institute was spotted targeting electric utilities in the United States and the Asia-Pacific region. Recent disruptions to electrical grid operations in the United States have been blamed on a denial-of-service (DoS) incident, but no power outages were reported and the incident was apparently not part of a coordinated hacking operation.

     Source
  2. ESET analysis uncovers a novel technique bypassing SMS-based two-factor authentication while circumventing Google’s recent SMS permissions restrictions

     When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms. We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.

     The apps impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device’s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening. The malware, all forms of which are detected by ESET products as Android/FakeApp.KP, is the first known to sidestep the new SMS permission restrictions.

     The malicious apps

     The first of the malicious apps we analyzed was uploaded to Google Play on June 7, 2019 as “BTCTurk Pro Beta” under the developer name “BTCTurk Pro Beta”. It was installed by more than 50 users before being reported by ESET to Google’s security teams. BtcTurk is a Turkish cryptocurrency exchange; its official mobile app is linked on the exchange’s website and only available to users in Turkey.

     The second app was uploaded on June 11, 2019 as “BtcTurk Pro Beta” under the developer name “BtSoft”. Although the two apps use a very similar guise, they appear to be the work of different attackers. We reported the app on June 12, 2019 when it had been installed by fewer than 50 users. After this second app was removed, the same attackers uploaded another app with identical functionality, this time named “BTCTURK PRO” and using the same developer name, icon and screenshots. We reported the app on June 13, 2019.

     Figure 1 shows the first two malicious apps as they appeared on Google Play.

     Figure 1. The fake BtcTurk apps on Google Play

     The novel 2FA bypass technique

     After installation, both apps described in the previous section follow a similar procedure. In this section of the blogpost, we will describe the novel 2FA bypass technique using the first app, “BTCTurk Pro Beta”, as an example.

     After the app is launched, it requests a permission named Notification access, as shown in Figure 2. This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.

     Figure 2. The fake app requesting Notification access

     The Notification access permission was introduced in Android version 4.3 (Jelly Bean), meaning almost all active Android devices are susceptible to this new technique. Both fake BtcTurk apps require Android version 5.0 (KitKat) or higher to run; thus they could affect around 90% of Android devices.

     Once the user grants this permission, the app displays a fake login form requesting credentials for BtcTurk, as shown in Figure 3.

     Figure 3. The fake login form displayed by the malicious app

     After credentials are entered, a fake error message in Turkish is displayed, as seen in Figure 4. The English translation of the message is: “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.” In the background, the entered credentials are sent to the attacker’s server.

     Figure 4. The fake error message displayed by the malicious app

     Thanks to the Notification access permission, the malicious app can read notifications coming from other apps, including SMS and email apps. The app has filters in place to target only notifications from apps whose names contain the keywords “gm, yandex, mail, k9, outlook, sms, messaging”, as seen in Figure 5.

     Figure 5. Targeted app names and types

     The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.

     As for effectiveness in bypassing 2FA, the technique does have its limitations – attackers can only access the text that fits the notification’s text field, and thus, it is not guaranteed it will include the OTP. The targeted app names show us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting the attacker’s access to the OTP.

     A fast-evolving technique

     Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications. According to our analysis, it was created by the same attacker as the “BTCTurk Pro Beta” app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages.

     Figure 6. Information about the fake Koineks app on Google Play

     How to stay safe

     If you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it immediately. Check your accounts for suspicious activity and change your passwords.

     Last month, we warned about the growing price of bitcoin giving rise to a new wave of cryptocurrency malware on Google Play. This latest discovery shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.

     To stay safe from this new technique, and financial Android malware in general:

     • Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
     • Only enter your sensitive information into online forms if you are certain of their security and legitimacy
     • Keep your device updated
     • Use a reputable mobile security solution to block and remove threats; ESET systems detect and block these malicious apps as Android/FakeApp.KP
     • Whenever possible, use software-based or hardware token one-time password (OTP) generators instead of SMS or email
     • Only use apps you consider trustworthy, and even then: only allow Notification access to those that have a legitimate reason for requesting it

     Indicators of Compromise (IoCs)

     MITRE ATT&CK

     Source
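The last piece of advice above, granting Notification access only to apps with a legitimate reason, is something an administrator can check rather than trust. The following is an added example, not ESET's code: it parses the value that `adb shell settings get secure enabled_notification_listeners` prints (a colon-separated list of `package/ListenerService` component names, or `null` when nothing is enabled) and reports every package that is not on an explicit allowlist. The setting value, the allowlist and the package names in it are constructed for the example.

```python
"""
Audit which packages hold Notification access on an Android device.

Added example (not ESET's code). Input is the text printed by
`adb shell settings get secure enabled_notification_listeners`:
a ':'-separated list of 'package/ListenerServiceClass' entries,
or 'null' when no listener is enabled.
"""
from __future__ import annotations

# Constructed sample setting value; the fake-exchange package name is hypothetical.
SAMPLE_SETTING = (
    "com.android.systemui/.statusbar.NotificationListener:"
    "com.example.smartwatch/.CompanionListenerService:"
    "com.example.btcturk.probeta/.NotifyListener"
)

# Packages the device owner has decided have a legitimate reason for the permission.
ALLOWLIST = {
    "com.android.systemui",
    "com.example.smartwatch",
}


def parse_listeners(setting: str) -> list[tuple[str, str]]:
    """Split the raw setting into (package, service) pairs.

    An empty or 'null' value (no listeners enabled) yields an empty list.
    """
    if not setting or setting.strip() == "null":
        return []
    pairs = []
    for entry in setting.strip().split(":"):
        if not entry:
            continue
        package, _, service = entry.partition("/")
        # '.Foo' is Android shorthand for '<package>.Foo' in a component name.
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def find_unexpected(setting: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Return listeners whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_listeners(setting) if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, svc in find_unexpected(SAMPLE_SETTING, ALLOWLIST):
        print(f"REVIEW: {pkg} holds Notification access via {svc}")
```

Run it against the real setting value from a device and the only output should be packages you can account for; anything else is worth reviewing under Settings > Apps & notifications > Special app access > Notification access, where the grant can be revoked.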
  3. No data nicked in weekend attack but systems and server pulled to contain infection

     Bio-analytical testing biz Eurofins Scientific today admitted it was the subject of a ransomware attack at the weekend. The Paris Stock Exchange-listed group operates in food, environmental, pharmaceutical and cosmetics product testing. It has 800 labs spread across 47 countries.

     The company said in a statement that its tech security team had detected the malware. "Upon detection of the issues, according to our incident management procedures, many systems and servers were taken offline by the group's IT teams to contain the activity of this new version of malware."

     Resident techies and a team of external infosec specialists tried to "mitigate the impact" and are said to be "working hard to return the IT operations to normal".

     "At this time there is no evidence of unauthorised transfer or misuse of data. The Eurofins companies affected are notifying the relevant authorities of this IT incident and will cooperate in any investigation."

     Eurofins said it is trying to prevent further attacks by shoring up its defences. "This includes installing additional protections against this new variant of malware which were received over the weekend and restoring affected systems from backups after appropriate security verifications."

     This work may take the tech team some time and so the company apologised to customers of the labs and sites that "may be impacted for the potential temporary disruption of delays to some of its services".

     Eurofins employs 45,000 staff and sells more than 200,000 analytical methods used to evaluate safety, authenticity, composition, origin and purity of substances and products. It also provides lab services for genomics, forensics and discovery pharmacology.

     The Register called Eurofins Scientific to try to discover more about the ransomware and was put through to a flustered rep in the IT department. We were told that no further information was forthcoming because "we are having issues right now".

     Source
  4. Unlike the Windows cybersecurity ecosystem, the threats concerning Linux systems aren’t often discussed in much detail. The attacks either go undetected by the security mechanisms laid out by enterprises or they aren’t severe enough to be reported widely by security researchers.

     However, as pointed out by cybersecurity firm Intezer, malware with sophisticated evasion techniques, which often utilizes already available open source code, does appear on the horizon from time to time. One such recent malware discovered by the firm is HiddenWasp. What makes HiddenWasp pretty dangerous at the moment is the fact that it has a zero detection rate in all popular malware protection systems.

     How does HiddenWasp attack Linux machines?

     The first step of the HiddenWasp Linux malware involves the running of the initial script for the deployment of malware. The hidden script uses a user named ‘sftp’ with a hardcoded password and cleans the system to eradicate older versions of malware in case the machine was already infected. Further, it proceeds to download an archive file from the server that contains all the components — including the rootkit and the trojan. The script also attempts to add the trojan binary to /etc/rc.local to work even after a reboot.

     The rootkit involved in the malware shares lots of similarities with the open source rootkit Azazel. It also shares parts of strings with ChinaZ malware, Adore-ng rootkit, and Mirai malware.

     Talking about the capabilities of this stealthy Linux malware, it can run commands on the terminal, execute files, download more scripts, etc. However, security researchers still don’t know the actual infection vector; they suspect that the malware was spread in systems already controlled by the hackers. So, it could be said that HiddenWasp is being used as a secondary payload.

     If you’re interested in knowing about HiddenWasp Linux malware in detail, feel free to read the technical analysis of the same on the Intezer blog.

     Source
  5. Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content. From phishing templates to malware and command and control services, it seems that crooks have found a new place for them.

     Just this month, BleepingComputer reported on two incidents related to malware on Azure. In one case there were about 200 websites showing tech-support scams that were hosted on the platform. Another article, published this week, informs of Azure being used to host a phishing template for Office 365. Both being products from Microsoft, the scam appears as a legitimate login request, increasing the success rate.

     It appears that these are not isolated incidents. Security researchers JayTHL and MalwareHunterTeam found malware on Azure and reported it to Microsoft on May 12.

     interesting MS-hosted mal f/b @malwrhunterteam systemservicex.azurewebsites[.]net/Files/prenter.exe > systemservicex.azurewebsites[.]net/data.asmx in a SOAP-format set of messages. u/a Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5485)@JAMESWT_MHT pic.twitter.com/rV0wzpulgW
     — JTHL (@JayTHL) May 11, 2019

     According to AppRiver cybersecurity company, the reported piece of malware along with other samples that were uploaded at a later time were still present on Microsoft’s Azure infrastructure on May 29. “It's evident that Azure is not currently detecting the malicious software residing on Microsoft's servers,” says David Pickett of AppRiver.

     One of the samples, ‘searchfile.exe,’ was indexed by the VirusTotal scanning service on April 26, and Windows Defender detects it. The same goes for the malware found by the two researchers, ‘printer/prenter.exe,’ which is an uncompiled portable executable file, specifically so to avoid gateway and endpoint security solutions detecting it upon download. However, Windows Defender will kick in and block the malicious file when users try to download it on the machine.

     Pickett says that when executing ‘printer.exe’ the command line is invoked to run the C# compiler and thus activate the payload. “Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors' Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx,” the researcher explains.

     JayTHL details that the sample appears to be a simple agent that runs any command it receives from the command and control server. He determined that there could be as many as 90 bots under control, if their ID numbers were generated in a sequential order.

     Microsoft Azure would not be the first big-name platform abused to store malicious content; Google Drive, Dropbox, and Amazon’s web services are just some examples. Typically, cybercriminals compromise legitimate websites and use them to host malicious content, but they will not shy away from grabbing any opportunity to do their business, especially if little risk and effort are on the table.

     Source
  6. A wave of malware add-ons hit the Mozilla Firefox Extensions Store

     If you browse the official Mozilla store for Firefox extensions, called Mozilla AMO, you may stumble upon extensions that have names of popular software products or extensions. Extensions like Adobe Flash Player or ublock Origin Pro are listed in the Mozilla AMO store currently. These have no users at the time of writing as they are brand new and they appear to have been created and uploaded by random users (Firefox user xyz). The extensions have no description and they require access to all data for all websites.

     When you download the extensions, you may notice that the name of the extension does not necessarily match the downloaded file name. The download of ublock origin pro returned an adpbe_flash_player-1.1-fx.xpi file. The actual extensions have different file sizes and their functionality may differ as well. All have in common that they listen to certain user inputs and send these to a third-party web server. The uBlock copycat extension sends form data to a web server; the first Adobe Flash Player copycat that I checked logged all keyboard inputs and did the same.

     Mozilla will remove the extensions once it notices them. The problem here is that this happens after the fact. The spam extensions may turn up in user searches and they also turn up when you sort by recent updates.

     Mozilla switched from a "review first, publish second" to a "publish first, review second" model in 2017. Any extension uploaded to Mozilla AMO that passes automated checks is published first, with the exception of extensions in the Firefox Recommended Extensions program. Google does the same thing but does not even review extensions manually after publication. The process leads to faster publications but also opens the door for spam and malicious extensions.

     Closing Words

     Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla's AMO store was hit with waves of spam extensions in 2017 and 2018; both happened after Mozilla switched the release process. Google's Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome's popularity and the fact that Google does not review any extensions manually by default play a role here.

     While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a "manually reviewed" badge to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.

     Source: A wave of malware add-ons hit the Mozilla Firefox Extensions Store (gHacks - Martin Brinkmann)
  7. Mobdro: Malware Allegations Are False and Misleading

     Late April, researchers acting on behalf of the Digital Citizens Alliance, which tries to deter piracy, published results of a study indicating that the popular Mobdro streaming application is malicious. Speaking with TorrentFreak in depth, the developers say the claims being made are false and misleading.

     Late April the Digital Citizens Alliance, which regularly campaigns against online piracy, published results of a study into ‘pirate’ online streaming apps. Carried out by network security company Dark Wolfe Consulting, the report placed focus on popular Android-based streaming app Mobdro.

     The report claimed that Mobdro carries out a number of malicious acts, including the stealing of wifi names and passwords. It also allegedly accessed other media content and legitimate apps on the researchers’ network. According to the study, Mobdro acted in other suspicious ways too, ones not authorized by the user.

     Over the past several days, TorrentFreak put every single allegation to the developers behind the official Mobdro software, who were happy to answer our questions. In short, they either completely dispute or give explanations for every claim made against them.

     TF: Does Mobdro attempt to steal users’ wifi names and passwords?

     Mobdro: It’s impossible that our app reads wifi passwords because first of all, it is impossible for an Android app to read wifi passwords or any sensitive system data without the device being rooted. So the user would have to root his device first, so that statement is completely ridiculous. Basically, no Android application can read files outside of its working directory. In the case of wifi passwords, they are stored in the /data directory of the Android device. This folder is not readable unless you have a rooted [device], because it’s a protected system directory.

     TF: To be clear, does Mobdro attempt to get a wifi password from a rooted device?

     Mobdro: No, the app does not attempt to get wifi passwords on any device. Rooted or non-rooted, the app does not try to get any wifi password. It can be shown via a simple test. Get a rooted device and if Mobdro tries to read protected data, then the rooted device would prompt you to allow or disallow Mobdro root access. As simple as that. But the burden of proving something does not rely on us, it relies on [the researchers]. They should prove that the app does what they accuse us of doing.

     TF: The researchers’ next big claim is that Mobdro tried to access media content and other legitimate apps on the researchers’ network. Is that true?

     Mobdro: The only permission required in the app is to access external storage [TF note: An earlier permission to access location is no longer required]. [The external storage] permission is used to save updates in the external storage of the device because Android only allows installations of APKs when they are located in external storage (for off-store apps like Mobdro). Also, this permission is used to download/cast streams when the user chooses to do that. Unfortunately, Google gives the read external storage permission a name that leads to confusion, like the app could access your files and modify them etc. But the folder [Mobdro] accesses is a folder located under /sdcard/Mobdro where it downloads APK updates, streams or files necessary for casting.

     TF: The researchers say that Mobdro “port knocks” which they explain as a “process to look for other active malware.” They also said Mobdro accepted commands but admitted that since they were “either encrypted or encoded” it made it “difficult to analyze for infection.” What are they talking about?

     Mobdro: To protect against unofficial versions [TF note: Mobdro is often cloned and modified by third-parties] we have some anti-tampering measures. One of them was to detect the presence on the user device of the Frida toolkit. This is a kit used by ‘crackers’ to remove the SSL certificate we use to [securely] communicate with the servers that host the API. When they break this protection they then release their unofficial versions. In past versions (prior to 2.1.34) we tried to detect the presence of the Frida toolkit in the user device and one of the methods to try to detect Frida was to try to connect to the port that Frida uses in the device. If a connection was successful we enabled anti-tampering measures. In newer versions, we no longer have these anti-tampering measures because we found a way to make it very difficult to break the SSL protection within the app.

     TF: The study suggests that Mobdro can receive potentially malicious commands “through movie streams”. What’s the official response to that claim?

     Mobdro: We don’t know what they are talking about here. Some commands from a movie stream….encrypted…Does not make sense to us to be honest. When Mobdro gets a video stream, it fires a video player that uses the FFmpeg API and that’s it. The result is the stream being displayed on the phone, tablet or Android TV.

     TF: The study says that it’s also possible for a “threat actor” to log in to a user’s device via Mobdro and then navigate away from the device to the Internet, effectively posing as the user online. In our initial report, we noted that this is probably referencing Mobdro’s use of the Luminati network, as used by the proxy app Hola, something highlighted in Mobdro’s EULA. Anything to add?

     Mobdro: We have included a mode called NO ADS mode, in which the user accepts to be a peer in the Luminati Network. The default mode is and will be ADS mode. If the user does not want to see ads, the user has the possibility to not see them in exchange for their network resources under certain circumstances that are explained before accepting to be a peer. The user has to click and accept the Luminati EULA that is prompted when the user clicks on ‘remove ads’ before enabling the NO ADS mode.

     Mobdro final comment: We are busy enough trying to keep the app afloat without doing these crazy things that they accuse us of. But again, they should show the proofs that the app is doing these crazy things. What they describe maybe could be done if we were founded by a government [agency] like the CIA or the Mossad and we were looking to infect and destroy nuclear centrifuges. [END]

     Whether the researchers will provide more information to back up their claims remains to be seen. If the source material that led them to publish the claims against Mobdro (and indeed other applications) was made publicly available, it would certainly help to clear up the confusion and ambiguity. It would also allow anti-virus and anti-malware companies to do their own analysis and publish their findings too.

     Currently, we are not aware that Mobdro triggers malware warnings with leading vendors, which either means it doesn’t contain malware, or these products are missing something serious. At this point, it’s down to simple faith as to who one believes.

     Source
  8. Hackers Launching Malware via Weaponized Excel File to Gain Remote Access to the Target Computers

     Cyber criminals are launching a new malware campaign that makes use of the legitimate script engine AutoHotkey with a malicious script to evade detection and also gain remote access to the targeted system. AutoHotkey is an open source Microsoft Windows tool that allows you to create macros, scripts, and automate frequently performed tasks on your computer.

     Attackers are distributing this malicious campaign via email with an attached weaponized Excel file that posed as a legitimate file with the filename “Military Financing.xlsm.” In order to fully open the attached file, users need to enable the macro that helps AutoHotkey load the malicious script file to avoid detection.

     Infection Process to Gain Remote Access via TeamViewer

     The Excel file attached to the email is titled “Foreign Military Financing (FMF),” named after a program of the U.S. Defense Security Cooperation Agency. Attackers fooled users into enabling the content by claiming that the document contains confidential information.

     Once the victims open the malicious Excel document from the email attachment and enable macros, it drops AutoHotkey, which loads the malicious script file. Later it connects to its command and control server to download and execute additional script files.

     According to Trend Micro, depending on the script files, the AutoHotkey application can assign a hotkey or execute any process written in the script file. In this case, the script file AutoHotkeyU32.ahk does not assign a hotkey but it does execute the following commands:

     • Create a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart.
     • Connect to the C&C server every 10 seconds to download, save, and execute script files containing the commands.
     • Send the volume serial number of the C drive, which allows the attacker to identify the victim.

     A final script will download and execute TeamViewer to gain remote control over the system. “Further research uncovered other dropped files involved in this attack. These files allow the attackers to get the computer name and take screen captures,” Trend Micro said.

     Indicators of Compromise (IoCs)

     SHA-256
     EFE51C2453821310C7A34DCA3054021D0F6D453B7133C381D75E3140901EFD12
     43FBDA74A65668333727C6512562DB4F9E712CF1D5AD9DCA8F06AE51BB937BA2
     ACB3181D0408C908B2A434FC004BF24FB766D4CF68BF2978BC5653022F9F20BE
     BE6C6B0942AD441953B0ED0C4327B9DED8A94E836EACA070ACA3988BADB31858
     F64792324839F660B9BDFDA95501A568C076641CF08CE63C1DDBE29B45623AC0

     C&C
     185[.]70[.]186[.]145

     Source
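Two posts in this list describe the same network behaviour from the defender's side: the AutoHotkey script above polls its C&C server every 10 seconds, and the Azure-hosted agent in result 5 checks in by SOAP every 2 minutes. A fixed check-in interval is something a proxy or firewall log can reveal without any signature. The following is an added example, not Trend Micro's or AppRiver's code: it groups connection records by source and destination, measures the gaps between successive connections, and reports pairs whose gaps are nearly constant. The record format (`timestamp src=… dst=… dport=…`) is an assumption for the example, not any product's real log layout, and the records themselves are constructed, with a documentation-range address standing in for the C&C host.

```python
"""
Flag hosts that contact the same destination at a fixed cadence.

Added example (not Trend Micro's or AppRiver's code). The key=value
record format is assumed for the example; adapt parse_record() to
the proxy or firewall log you actually have.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed records: one host polling 198.51.100.7 (a documentation-range address
# standing in for a C&C server) every 10 s, mixed with irregular browsing traffic.
SAMPLE_LOG = [
    f"2019-06-17T10:00:{s:02d} src=10.0.0.5 dst=198.51.100.7 dport=80"
    for s in range(0, 60, 10)
] + [
    "2019-06-17T10:00:03 src=10.0.0.9 dst=203.0.113.20 dport=443",
    "2019-06-17T10:00:41 src=10.0.0.9 dst=203.0.113.20 dport=443",
    "2019-06-17T10:00:44 src=10.0.0.9 dst=203.0.113.20 dport=443",
    "2019-06-17T10:02:10 src=10.0.0.9 dst=203.0.113.20 dport=443",
    "2019-06-17T10:00:30 src=10.0.0.5 dst=203.0.113.50 dport=443",
]


def parse_record(line):
    """Return (timestamp, src, dst) from one 'ts key=value ...' record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"]


def find_beacons(lines, min_connections=4, max_jitter=0.2):
    """Return (src, dst, median_gap_seconds, count) for regular-cadence pairs.

    max_jitter is the largest allowed ratio of standard deviation to mean gap.
    Implants often add deliberate jitter, so tune it for your environment;
    pairs with fewer than min_connections records are ignored as too few to judge.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_record(line)
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all records share one timestamp; nothing to measure
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, median(gaps), len(stamps)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, n in find_beacons(SAMPLE_LOG):
        print(f"BEACON? {src} -> {dst}: {n} connections, median gap {gap:.0f}s")
```

Over a day of real logs the same function will also surface legitimate pollers (update checks, monitoring agents), so treat its output as a triage list and compare destinations against what the host is expected to talk to.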
  9. Fin7 Ramps Up Campaigns With Two Fresh Malware Samples Despite the 2018 crackdown on Fin7, the cybercrime group has been ramping up its efforts with two new malware samples and an attack panel. Despite the arrest of several Fin7 members in 2018, the cybercrime group has ramped up its efforts in a series of widespread campaigns hitting businesses with two never-before-seen malware samples. Researchers with Flashpoint said Wednesday that they have discovered a new administrative panel and two previously unseen malware samples, dubbed SQLRat and DNSBot, in a series of Fin7 campaigns. The campaigns, which may have started as early as January 2018, are hitting businesses with malware embedded in documents and sent via phishing emails, in hopes of stealing payment cards. “Despite the arrests of three prominent members of the Fin7 cybercrime gang beginning in January 2018, attacks targeting businesses and customer payment-card information did not cease,” Flashpoint Principal Threat Researchers Joshua Platt and Jason Reaves said in a Wednesday analysis. Fin7 – A Costly History Since 2015, Fin7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Fin7 has also used a backdoor linked to Carbanak (another prolific cybercrime outfit responsible for billions in losses in the financial services industry) and has stolen more than 15 million payment-card records from American businesses by infiltrating more than 6,500 individual point-of-sale terminals at more than 3,600 business locations, according to the Department of Justice (DoJ). In August 2018, the DoJ announced it had arrested three Fin7 members, who were identified as Ukrainian nationals and charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. 
However, the group’s new malware samples and an attack panel indicate that Fin7 doesn’t appear to be going anywhere. “This suggests there are plenty of surviving members with sufficient knowledge to continue the operation with ease,” Platt and Reaves told Threatpost.

New Malware, Attack Panel

The group is using a new attack panel, called Astra, which has its back end installed on a Windows server with Microsoft SQL. The panel was written in PHP and it manages the content in the tables. The attack panel essentially functions as a script-management system, allowing Fin7 to quickly push attack scripts down to compromised computers, researchers said.

The attack panel was found being used in a series of campaigns, which typically first infect machines through phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document, researchers said. Within these documents researchers discovered the two new malware samples.

One of these is called SQLRat. Campaigns using this malware typically involve a lure document which, once opened, displays an image overlaid by a Visual Basic (VB) Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script, which executes an obfuscated JavaScript file. The malware then drops files and executes SQL scripts on the host’s system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables, researchers said.

“The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does,” researchers said. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered.”

The other malware sample was a multiprotocol backdoor, called DNSBot, used to exchange commands and transmit data to and from victim machines.
The malware was embedded in documents sent via emails. While the embedded JavaScript-based backdoor operates over DNS traffic, it can also switch to encrypted channels such as HTTPS or SSL, researchers said. “The campaigns maintain persistence on machines by creating two daily scheduled task entries,” researchers said. “The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.” To protect against both malware samples, Flashpoint recommends that businesses watch out for newly added Windows tasks, specifically those with a JScript switch. “Flashpoint also recommends implementing host-based detections for new files in %appdata%\Roaming\Microsoft\Templates\ with a dot extension, as well as implementing host-based detections for files in %appdata%\local\Storage\,” researchers said. Source
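The two host-based checks Flashpoint recommends in the post above, written out as an added PowerShell hunt (this is not Flashpoint's or the article's code). It assumes the two directories resolve to $env:APPDATA\Microsoft\Templates and $env:LOCALAPPDATA\Storage, that the "JScript switch" is the //E:JScript engine selector passed to wscript.exe or cscript.exe, and that a 24-hour window is an acceptable definition of "newly added"; all three are assumptions, not details from the article.

```powershell
# Added example, not Flashpoint's code. Hunts for the two artefacts named in the
# article: scheduled tasks that run scripts through the JScript engine, and new
# files in the two %appdata% directories. Run as the user whose profile is checked.

function Get-JScriptScheduledTask {
    # Assumption: the "JScript switch" is the //E:JScript engine selector.
    $pattern = '(?i)//E:JScript'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; others are skipped.
            if (-not $action.Execute) { continue }
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match '(?i)\b(wscript|cscript)(\.exe)?\b' -and $cmd -match $pattern) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Created  = $task.Date      # registration time as recorded in the task XML
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-NewTemplateAndStorageFile {
    param([int]$WithinHours = 24)   # assumption: 24 h counts as "newly added"
    # Assumption: these are the directories the article refers to.
    $dirs = @(
        (Join-Path $env:APPDATA      'Microsoft\Templates'),
        (Join-Path $env:LOCALAPPDATA 'Storage')
    )
    $since = (Get-Date).AddHours(-$WithinHours)
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
            # Files whose name carries an extension (the "dot extension" the article cites).
            Where-Object { $_.CreationTime -ge $since -and $_.Extension -ne '' } |
            Select-Object FullName, CreationTime, Length
    }
}

# Report both findings; an empty table for each is the expected clean result.
Write-Host '== Scheduled tasks invoking the JScript engine =='
Get-JScriptScheduledTask | Format-Table -AutoSize
Write-Host '== New files in the Templates / Storage directories =='
Get-NewTemplateAndStorageFile | Format-Table -AutoSize
```

Legitimate software rarely registers JScript-engine tasks, so any hit is worth triaging by hand rather than auto-deleting; a legitimate Office template in the Templates directory will also show up and needs to be whitelisted by name.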
10. New Sextortion Scam Says Adult Sites Infected Victims with Malware

A new sextortion scam is informing victims that their computers suffered a malware infection after they visited an adult website.

In this latest ruse, digital criminals claim that they infected a user with malware after they visited a child pornography website. They then say that they leveraged that infection to capture compromising video footage of the user. Finally, the attackers threaten to share the video with the targeted user’s email contacts and Facebook friends unless they meet the extortionists’ demands and pay $2,000 worth of Bitcoin within 72 hours.

Here’s a copy of the scam note, as provided by Bleeping Computer.

[Image: Final Warning Sextortion Scam Email (Source: Bleeping Computer)]

As you can see, the digital criminals threaten that they’ll release the video if the user tries to deceive them. As quoted in the note shared by Bleeping Computer:

    You can visit the police but nobody will help you. I know what I am doing. I don’t live in your country and I know how to stay anonymous. Don’t try to deceive me – I will know it immediately – my spy ware is recording all the websites you visit and all keys you press. If you do – I will send this ugly recording to everyone you know, including your family. Don’t cheat me! Don’t forget the shame and if you ignore this message your life will be ruined.

This isn’t the first time that bad actors have preyed on users with sextortion scams. Indeed, there have been no less than three such sextortion variants since July 2018. The earliest version used breached passwords to trick victims into meeting their demands. Another variant used redacted phone numbers, while the most recent iteration infected users with GandCrab ransomware.

As with these earlier versions, users who come across the newest sextortion scam variant discussed above should not give in to the extortionists.
They should instead keep an up-to-date security solution installed on their devices as well as exercise caution around suspicious email attachments and embedded links. Source
11. Beware!! New Windows .exe Malware Found Targeting macOS Computers

A malicious Windows EXE file can even infect your Mac computer as well. Yes, you heard me right — a .exe malware on macOS.

Security researchers at antivirus firm Trend Micro have discovered a novel way hackers are using in the wild to bypass Apple's macOS security protection and infect Mac computers by deploying malicious EXE files that normally run only on Windows computers.

Researchers found several samples of malicious macOS applications (.dmg) masquerading as installers for popular software on a torrent site that include an EXE application compiled with the Mono framework to make it compatible with macOS. Mono is an open source implementation of Microsoft's .NET Framework that allows developers to create cross-platform .NET applications, which work across all supported platforms, including Linux, Windows and Mac OS X.

Usually, running any Windows executable results in an error on macOS systems, and its built-in protection mechanisms such as Gatekeeper also skip scanning .exe files for any malicious code.

"This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files," Trend Micro said in a blog post published Monday.

The fake installer analyzed by the researchers promised to install the Little Snitch firewall application, but also comes bundled with a Mono-compiled hidden payload, designed to collect and send system information about the targeted Mac computer to a remote command-and-control server controlled by the attackers.

Once installed, the exe malware then also downloads and prompts users to install various adware apps, some of which disguise themselves as legitimate versions of Adobe Flash Media Player and Little Snitch.
During their analysis, the researchers found "no specific attack pattern" associated with the malware, but their telemetry showed that the highest numbers of infections existed in the United Kingdom, Australia, Armenia, Luxembourg, South Africa, and the United States.

Interestingly, the security researchers could not get the same malicious EXE file to run on Windows—attempting to run the file on Windows resulted in an error, which means that this malware has been designed to target macOS users specifically.

"Currently, running EXE on other platforms may have a bigger impact on non-Windows systems such as MacOS. Normally, a mono framework installed in the system is required to compile or load executables and libraries," researchers explained. "In this case, however, the bundling of the files with the said framework becomes a workaround to bypass the systems given EXE is not a recognized binary executable by MacOS' security features. As for the native library differences between Windows and MacOS, the mono framework supports DLL mapping to support Windows-only dependencies to their MacOS counterparts."

The best way to protect yourself from being a victim of such malware is to avoid downloading apps, tools, and other files on your computers from torrent websites or any untrusted source.

Source
12. Malware can bypass multi-factor authentication to gain access to cryptocurrency wallets - and also drops mining malware on infected machines.

Mac users are being targeted with newly discovered Mac malware that aims to steal the contents of cryptocurrency wallets. Dubbed CookieMiner by researchers because of its capability for stealing browser cookies associated with cryptocurrency exchanges and wallet service websites visited by the victim, the malware has been uncovered by Palo Alto Networks.

In addition to stealing and trading the contents of cryptocurrency wallets, CookieMiner also plants a cryptojacker onto the infected OSX machine, enabling the attackers to secretly mine for additional digital currency. In this instance, it's Koto, a lesser-known cryptocurrency that offers users anonymity. It's mostly used in Japan.

It's still unknown how the newly detected malware gains access to systems, but once there, CookieMiner examines browser cookies with links to cryptocurrency exchanges and websites that reference blockchain. Exchanges targeted include Binance, Coinbase, Poloniex, Bittrex, Bitstamp, and MyEtherWallet.

Using a shell script, it steals Google Chrome and Apple Safari browser cookies from the victim's machine, uploading them to a folder on a remote server. By doing this, it can extract the required login credentials and the cookies required to make it look as if the new login attempt is coming from a machine previously used by the victim — therefore preventing it from looking suspect.

"What it wants to do in combination with credentials which it's harvested is impersonate that user from their own system," Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks' Unit 42 research division, told ZDNet. "So they use the cookies to try and get past that initial login without suspicion."
It isn't just the victim's Mac that is targeted by CookieMiner — if the victim has used iTunes to sync their Mac with their iPhone, the malware can also access text messages. This potentially allows the attackers to steal login codes and other messages that they can abuse to bypass any two-factor authentication the users have applied to their cryptocurrency accounts.

Once the attackers have access to the wallets, they have all the same privileges as the user, which they can use to steal the contents of the wallet. It's also possible that the attackers could game the system, trading large amounts of cryptocurrency in an effort to boost valuations for their own ends.

"If the adversary gets access to someone's account on the exchange, they can buy and sell cryptocurrency. Buying and selling a lot could change the price of the cryptocurrency, in which case they can use it to profit," said Hinchliffe.

The attack isn't over after the adversaries are done using the wallets — they drop a cryptocurrency miner that appears to be highly active, ranking as the top miner for Koto. Filenames associated with the wallet reference xmrig, something usually used by Monero miners, but it's thought that the attackers have employed this with their Koto scheme in order to generate confusion.

CookieMiner also drops a script for persistence and remote control of the infected machine, allowing them to check in on the machine and send commands — although all of this currently appears to be related to mining.

It's believed that the cyber criminal campaign is still active and researchers recommend that cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.

Source
13. This malware uses debt to prey on banking victims

Redaman uses screen capture and keylogging to grab the credentials required to break into online bank accounts.

A new malware campaign targeting Russian speakers is using the threats of debt and missing payments to dupe victims into downloading and executing a banking Trojan. The round of attacks, as described by Palo Alto Networks' Unit 42 security team, was tracked over the last four months of 2018.

The attack vector is broad and involves the mass distribution of spam and phishing emails rather than selected, targeted attacks. The emails sent, however, use a number of subject lines which could induce panic or fear in unsuspecting would-be victims -- the threat of debtors or payments owed, a situation many of us are familiar with. These subject lines include "Debt due Wednesday," "Payment Verification," and "The package of documents for payment 1st October," among other financial subjects.

The subject headers constantly change, but the researchers say they "all have a common theme: they refer to a document or file for an alleged financial issue the recipient needs to resolve."

"These messages are often vague, and they contain few details on the alleged financial issue," Unit 42 added. "Their only goal is to trick the recipient into opening the attached archive and double-clicking the executable contained within."

The focus of the campaign is to spread a banking Trojan known as Redaman. First discovered in 2015, this malware was first known as the RTM banking Trojan.

Upon execution, the executable file containing the Trojan will first launch a scan to ascertain whether or not the program is running in a sandbox environment, commonly used by security researchers to unpack malware samples. If the malware uncovers files or directories on a Windows machine which suggest virtualization or sandboxing, the executable exits.
If the target machine appears legitimate, the Windows executable will drop a DLL file in the PC's temporary directory, create a randomly-named folder in the ProgramData directory, and shift the DLL to this folder, again using a random file name. The Redaman DLL then creates a scheduled Windows task which triggers every time the user logs on to the machine in order to maintain persistence.

The malware uses a hooking system to monitor browsing activity. Chrome, Firefox, and Internet Explorer are of particular interest to Redaman, which will also search the local host for any information related to banking or finance.

Redaman's goal is to steal banking credentials and other data which, once sent to the malware's operators, can be used to compromise accounts and potentially steal the victim's funds or conduct identity theft. The Trojan is also able to download additional files to an infected host, use keylogging, capture screenshots, record video of a Windows desktop session, alter DNS configurations, steal clipboard data, terminate running processes, and add certificates to the Windows store.

The spam messages used to spread Redaman have file attachments which are Windows executables disguised as .PDF documents, or sent as .zip, 7-zip, .rar, or .gz gzip archives. Russian recipients are the main focus at present; however, individuals in the US, Netherlands, Sweden, Japan, Kazakhstan, Finland, Germany, Austria, and Spain are also being targeted.

Palo Alto expects to see new samples of Redaman appear in the wild over the coming year.

Source
  14. Multiple threat actors are using relatively simple techniques to take advantage of the vulnerability, launching cryptominers, skimmers, and other malware payloads. Last month a code execution vulnerability was found in the ThinkPHP framework, a rapid-development framework developed by Chinese firm TopThink. While the vulnerability, designated CVE-2018-20062, was patched by the developer, a researcher has now found active exploits of the vulnerability in the wild. Larry Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, was doing research on a recent Magecart attack targeting extensions to the Magento e-commerce platform when he noticed a malware request he hadn't seen before – a request to ThinkPHP. "I realized there was a software framework developed in China that had this vulnerability, and it was being taken advantage of to install coin miners and skimmers," Cashdollar says. "They [also] were using it to install any kind of payload targeting Windows machines, IoT devices, or to mine Bitcoin or Monero coins." In a blog post describing the new attacks, Cashdollar wrote that multiple threat actors are using relatively simple techniques to take advantage of the vulnerability. He pointed out that a single line of code can scan for the presence of the vulnerability, which can then be exploited with attacks involving simple cut-and-paste code that is widely available. One of the payloads Cashdollar has seen delivered is a Mirai variant – a development he has worried about, he says. "I had been waiting for Mirai botnet kits to include Web app code in their arsenal," he says, "and this was an indicator that it's happening." The code being executed through the PHP framework calls can skip a series of steps long considered essential for malware. "Back in the 1990s, people were always trying to get root access," Cashdollar says. "Now it doesn't matter. 
They just want to execute code on the system as any user so they can share malware or mine coin. They want to execute code on as many systems as possible." Systems hit by this exploit are largely concentrated in Asia, which is where the ThinkPHP framework was developed and is very popular. Nothing in the attack limits it to the Asia-Pacific region, though, and Cashdollar says that attackers are actively scanning systems across the globe, including Europe and the US. "I'm seeing about 600 scans a day for it," he explains. "They're scanning across all verticals, software companies, car rentals, and others." Asked about security and remediation, Cashdollar says he has seen some Web application security companies begin to write advisories to their customers regarding the vulnerability. In addition, he recommends that companies ask development groups about the use of the ThinkPHP framework. If it is being used, Cashdollar says, it should be updated to the current version immediately. Source
15. JavaScript Malware in Spam Spreads Ransomware, Miners, Spyware, Worm

We observed a sudden spike in JavaScript malware in more than 72,000 email samples that sourced and spread at least eight other kinds of malware (such as GandCrab ransomware and coinminers) beginning December 31, 2018. Our telemetry showed the highest detections from Japan, India, the United States, Germany, Taiwan, the Philippines and Canada, with the majority of the targets in the education, government, manufacturing and banking industries. As of publishing, the IP address has been blocked. Trend Micro machine learning and behavioral detection technology proactively blocked the malicious JavaScript at the time of discovery.

[Figure 1. Data from the Trend Micro Smart Protection Network™ showed a spike in malware spread beginning 2019, with January 3 having the most number of detections.]

[Figure 2. Countries with the most number of detections for infections.]

Behavior

The spam mails have different subject headings with random email addresses, as reported by SANS ISC. Clicking on the attached ZIP file triggers the JavaScript (detected by Trend Micro as TROJAN.JS.PLOPROLO.THOAOGAI) to download malware such as GandCrab, Smoke, AZORult, Phorpiex and coinminers from the command and control (C&C) server.

[Figure 3. Over 72,000 mail samples with the JavaScript malware.]

[Figure 4. Malware payloads spread by this campaign.]

The sudden increase in our detection systems revealed thousands of unique SHAs in a matter of days. The IP address (which we traced to have been registered in Russia) is no longer accessible as of writing, but the payloads can still be sourced online. Interestingly, the cybercriminals change the malware included in the .EXE files, and spread different kinds of malware depending on the region and industry targeted.

[Figure 5. The script downloads different malware from the IP address.]
As of writing, this .EXE was analyzed to download GandCrab.

[Figure 6. Even when the registered IP address has been blocked, other sites source the file for the malware and send the spam emails.]

Cybercriminals will employ new and even older techniques to compromise users and enterprises for profit. JavaScript malware in malspam campaigns is not new, but it remains dangerous for users because it may no longer require executables nor further interactions with the user to be launched. Moreover, when the malicious code is saved on the hard drive, Windows can run it by default based on the code referenced to the JavaScript libraries used by JavaScript-enabled pages online.

Opening malicious email or attachments can launch malware downloads, not only to access, collect and steal proprietary and system information, but to possibly enable other functions such as remote administrator controls with malicious intent.

To defend against these types of threats:

  • Avoid clicking on or opening emails, URL links, or attachments from suspicious or unfamiliar senders.
  • Regularly back up important files. Practice the 3-2-1 system.
  • Install a multi-layered protection system that can detect and block malicious emails, attachments, URLs and websites.

Source
16. Malware was also available inside an official Alcatel app available through the Google Play Store.

A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs.

The app, named "Weather Forecast-World Weather Accurate Radar," was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands. The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users -- where it had been downloaded and installed more than ten million times.

But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week.

App caused financial losses to users

The infection came to light last summer, when Upstream, a UK-based mobile security firm, discovered suspicious traffic originating from the smartphones of some of its customers. In a report published this week and shared with ZDNet, the company says it initially detected that the app was harvesting users' data and sending it to a server in China. The app collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL.

But this weather app isn't the only suspicious app with intrusive permissions that collects data and sends it back to China. There are plenty of those around already. Upstream devs also found that in certain regions, the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users' phone bills. In Brazil, 2.5 million transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018.
Those 2.5 million transaction attempts to purchase a digital service originated from 128,845 unique mobile phone numbers. In Brazil again but for another premium digital service, 428,291 transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. In Kuwait, 78,940 transaction attempts initiated from Alcatel devices were blocked in July and August 2018. Transaction attempts initiated by this Weather application on Alcatel devices were also blocked in Nigeria, South Africa, Egypt, and Tunisia.

All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn't been blocked.

On top of these transactions, Upstream devs also spotted adware-like behavior that originated from an infected phone they've purchased from its former owner. The weather app, which ran in the phone's background, also started hidden browser windows that loaded web pages and clicked on ads. "We recorded 50MB to 250MB of data per day being consumed by the application's unwanted activity," researchers said. This means that on top of driving up phone bills by subscribing users to premium numbers, the app was also most likely depleting internet access data plans, incurring even more financial losses to victims.

Two Alcatel smartphone models mainly affected

According to Upstream, most of the behavior they've seen originated only from two types of smartphones, Pixi 4 and A3 Max models. However, the company doesn't have a worldwide view into infected devices, and many more could still be infected, especially users who downloaded the app from the Play Store. Google has removed the app (com.tct.weather) from the Play Store after Upstream worked with Wall Street Journal reporters to notify both TCL and Google.
The point of the compromise doesn't appear to be with some shady phone supplier or rogue telecom provider in any of the affected countries, mainly because both the preinstalled and Play Store apps were affected in the same way. The source of the infection appears to be a TCL developer who had his system compromised, although this is only a theory. "The suspicious activity stopped after the WSJ contacted TCL," an Upstream spokesperson told ZDNet yesterday via email, "although the data collection continued." Upstream told ZDNet that it's currently working with TCL on investigating the issue further. The company also said they didn't analyze the other apps uploaded on the Play Store from the same TCL account, but they didn't find any suspicious activity originating from them either. Source
17. Virus interferes with publishing at Southern California printing plant.

A malware attack is suspected of preventing production on Saturday of several newspapers, including the Wall Street Journal and Los Angeles Times.

The suspected malware attack affected the computer systems at Tribune Publishing's Southern California printing plant beginning Thursday night, said Jeff Light, the editor and publisher of the San Diego Union-Tribune. The systems are shared by the Times and Union-Tribune. By Friday, the virus had spread to critical systems necessary to publish the newspapers, as well as the Southern California versions of the Wall Street Journal and New York Times, Light wrote in an online note to readers.

"Technology teams from both companies made significant progress against the threat, but were unable to clear all systems before press time," Light wrote. "We are working to restore full service and to continue to make our journalism available to you both in print and digitally."

Malware has in recent years become an increasingly common weapon against a wide variety of organizations, including hospitals, banks and government institutions. It wasn't immediately clear whether law enforcement officials had been contacted. Representatives for the Los Angeles Times said they had no additional information or comment, while Tribune Publishing representatives didn't immediately respond to a request for comment.

Print subscribers should get Saturday's paper delivered with Sunday's edition, Light said, citing information provided by Joe Robidoux, Tribune Publishing's director of distribution.

source
18. A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

First detailed last year, the adversary is mainly focused on governmental targets in Iraq and Saudi Arabia, but attacks appear difficult to attribute. Security researchers linked the actor to multiple attacks this year and even revealed an expanded target list. From the start, the attack group has been using phishing emails as the primary vector in its elaborate espionage attacks, and has made only minor changes to the tools, techniques and procedures (TTPs) employed.

According to Trend Micro, recent incidents show the use of delivery documents similar to the known MuddyWater TTPs, which were uploaded to VirusTotal from Turkey. The documents would drop a new backdoor written in PowerShell, which is similar to MuddyWater’s known POWERSTATS malware. Unlike the already known POWERSTATS, the new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration, the security researchers say.

When opened, the document, which includes blurry logos belonging to various Turkish government organizations, notifies the user that macros need to be enabled to properly display content. The macros in the document contain strings encoded in base52, a technique already associated with MuddyWater but rarely used by other threat actors. When enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code embedded inside the .dll file has several layers of obfuscation, with the last layer being the main backdoor body, which shows features similar to a previously discovered version of the MuddyWater malware. The threat collects system information such as OS name, domain name, user name, IP address, and more, and saves it using the separator “::” between each piece of information.
For communication, the malware uses files named <md5(hard disk serial number)> with various extensions, based on the purpose of the file: .cmd (text file with a command to execute), .reg (system info generated by myinfo() function), .prc (output of the executed .cmd file, stored on local machine), and .res (output of the executed .cmd file, stored on cloud storage). These files are used as an asynchronous mechanism, with the malware operator leaving a command to execute in a .cmd file and returning to retrieve the .res files. The content encoding, however, differs between the MuddyWater backdoor and the new malware. Commands supported in the backdoor include file upload, persistence removal, exit, file download, and command execution. “Based on our analysis, we can confirm that the targets were Turkish government organizations related to the finance and energy sectors. This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities. If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes. Source
  19. Two reports call out the most serious malware attacks and attackers of the year (so far). What is the worst malware to rear its head in 2018? The year isn't quite over, but candidates for the role of "worst" have made themselves clear. According to a new report issued by Webroot, among the worst are three large botnets. The list starts with Emotet, included because of its ability to spread laterally within a victim's network. Trickbot follows, both on the list and in the wild, adding capabilities (including the ability to carry ransomware payloads) to the ones introduced by Emotet. Zeus Panda is the third member of the botnet and banking Trojan trio, included because it employs a wide variety of distribution methods to infect its victims. These botnets are, together, part of a major trend that has been building for some time, says Chris Doman, an AlienVault threat engineer. "One of the new, interesting trends is that the commercial malware people are looking toward open source and rentable malware because it makes them harder to trace and means that they can pay others to do development," he states. Malware-as-a-service puts malicious capabilities into the hands of those who may have very little technical sophistication, he adds. AlienVault, an AT&T company, has released its own report that looks at the top threats and exploits seen in the first half of the year. It finds that malicious actors are broadening the horizons on which they attack and constantly shifting their approaches to evade detection and remediation. Asked whether the overall news regarding malware is good or bad, Doman says, "The answer varies depending on which side you're looking at. Are there more threats out there and more exploitable vulnerabilities? Yes." At the same time, he says, "The defensive side is getting better. It doesn't get the attention because it's not as sexy as the hacking, but there are a lot of things today that are built in and we don't have to think about." 
One of the areas AlienVault's research looked at is major threat actors; this year, Lazarus took the No. 1 spot from Fancy Bear as the most-reported. The top 10 malicious actors were distributed across the globe, launching threats from North Korea (two groups), Russia (three), Iran (two), China (two), and India (one). According to the Webroot report, those top malicious actors have been busy in both rentable malware networks and ransomware. Webroot identifies the three worst ransomware actors for 2018 as Crysis/Dharma, GandCrab, and SamSam. According to the AlienVault report, one change from 2017 is the distribution of the top threats and vulnerabilities across platforms. Whereas 2017's top vulnerabilities were found almost exclusively in Microsoft Office and Adobe Flash, this year hackers have exploited vulnerabilities in Web application servers and Internet of Things (IoT) devices. That said, Microsoft Office still accounts for half the top 10, and Adobe Flash is still the home of the third vulnerability. The malicious actors are increasingly turning from a near-exclusive focus on Microsoft and Adobe software to remote exploits of IoT and Web application platforms, such as Drupal, as they build cryptomining botnets to generate ready income and remain under the radar of law enforcement agencies. Javvad Malik, security advocate at AlienVault, says that many of those technologically unsophisticated criminals have turned their hands to ransomware. "Because of the ease of deployment and the open system nature, [ransomware] can be deployed by people who aren't hardened criminals," Malik says. "It could pay for someone's college fees, and then the cultural issues come in, where the perpetrators don't see it as a real crime." AlienVault's Doman says the Internet has, so far, avoided the mass wave of ransomware that marked 2017. "One thing that struck me is that last year we had things like WannaCry and BadRabbit — a few big worms that spread around causing chaos. 
They had ties to nation-states," he says. "This year we haven't had so much. There was Olympic Destroyer, but it was a one-off." Despite the focus on bad actors and malware, one piece of good news is that improved information sharing about malicious software is becoming standard practice in the security field, Malik says. "A lot of the improvements are down to the more open sharing nature of what we're doing," he says. "We're seeing a lot more independent researchers reaching out and sharing their data and research. I think that's a very good thing." Source
20. According to a report from MalwareHunterTeam, hackers are using freelancing web applications such as Fiverr and Freelancer to distribute malware disguised as job offers. The offers contain attachments that pretend to be a job description but actually install keyloggers such as Agent Tesla or Remote Access Trojans (RATs) on the victim's files. For example, an attacker can create a fake job offer with a "my details.doc" attachment and send it to multiple users. As job briefs are commonly sent as attachments, to the targets they look like legitimate job offers. When the victims open the malicious document attached to the job offer, they become infected. If an attacker wished to gain control of a user's mobile device, they would say the document cannot be opened on a PC and can only be opened on a mobile device. Not only are victims opening the attachments and getting infected, but some of them are asking for support when they have problems opening the document. Attackers are using innovative ways to distribute their malware and are also going the extra mile in "helping" these victims install their malware on their devices. For example, a user responded to the attacker stating that they were unable to open it on their mobile device, and the attacker responded that they needed to open it on their PC. It is important to have updated anti-virus software and OS patches installed on your systems. If you are unsure of an attachment, run it through websites such as VirusTotal, and also consider using a separate sandbox environment for opening attachments. Source
  21. Brian12

    Malware Removal Guide

    "This guide will help you remove malicious software from your computer. If you think your computer might be infected with a virus or trojan, you may want to use this guide. It provides step-by-step instructions on how to remove malware from Windows operating system. It highlights free malware removal tools and resources that are necessary to clean your computer. You will quickly learn how to remove a virus, a rootkit, spyware, and other malware." Guide: http://www.selectrealsecurity.com/malware-removal-guide I'll be posting updates. :)
22. Dozens of people reported receiving an email from Google revealing a potential FBI investigation into people who purchased malware. At least dozens of people have received an email from Google informing them that the internet giant responded to a request from the FBI demanding the release of user data, according to several people who claimed to have received the email. The email did not specify whether Google released the requested data to the FBI. The unusual notice appears to be related to the case of Colton Grubbs, one of the creators of LuminosityLink, a $40 remote access tool (or RAT) that was marketed to hack and control computers remotely. Grubbs pleaded guilty last year to creating and distributing the hacking tool to hundreds of people. Several people on Reddit, Twitter, and on HackForums, a popular forum where criminals and cybersecurity enthusiasts discuss and sometimes share hacking tools, reported receiving the email. "Google received and responded to legal process issued by Federal Bureau of Investigation (Eastern District of Kentucky) compelling the release of information related to your Google account," the email read, according to multiple reports from people who claimed to have received it. The email included a legal process number. When Motherboard searched for it within PACER, the US government's database for court case documents, it showed that it was part of a case that's still under seal. Despite the lack of details in the email, as well as the fact that the case is still under seal, it appears the case is related to LuminosityLink. Several people who claimed to have received the notice said they purchased the software. Moreover, Grubbs' case was investigated by the same district mentioned in the Google notice. Luca Bongiorni, a security researcher who received the email, said he used LuminosityLink for work, and only with his own computer and virtual machines. The FBI declined to comment. Google did not respond to a request for comment.
Lawyers who specialize in cybercrime told me that it's not unusual for Google to disclose law enforcement requests when it is allowed to. "It looks to me like the court initially ordered Google not to disclose the existence of the info demand, so Google was legally prohibited from notifying the user. Then the nondisclosure order was lifted, so Google notified the user. There's nothing unusual about that per se," Marcia Hoffman, a lawyer who specializes in cybercrime, told Motherboard in an online chat. "It's common when law enforcement is seeking info during an ongoing investigation and doesn't want to tip off the target(s)." What may be unusual and controversial is for the FBI to try to unmask everyone who purchased software that may not necessarily be considered illegal. "If one is just buying a tool that enables this kind of capability to remotely access a computer, you might be a good guy or you might be a bad guy," Gabriel Ramsey, a lawyer who specializes in internet and cybersecurity law, told Motherboard in a phone call. "I can imagine a scenario where that kind of request reaches, for good or bad, accounts of both types of purchasers." Source
23. Malware developers have started to use the zero-day exploit for the Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online. A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler. More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check the user's permissions, allowing write privileges on files in C:\Windows\Tasks. The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the all-access SYSTEM account level. A couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.

PowerPool targets GoogleUpdate.exe

The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine. The researchers say that PowerPool's developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it. "PowerPool's developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task," ESET notes.

Threat actor changes permissions of the Google Updater executable

This allows PowerPool to overwrite the Google updater executable with a copy of a backdoor they typically use in the second stages of their attacks. The next time the updater is called, the backdoor launches with SYSTEM privileges.
According to the researchers, PowerPool malware operators likely use the second-stage backdoor only on victims of interest, following a reconnaissance step. Microsoft has not patched the ALPC bug to date, but it is expected to release a fix in its monthly security updates on September 11. Some mitigation is possible without Microsoft's help, though the company has not approved it. A solution provided by Karsten Nilsen blocks the exploit and allows scheduled tasks to run, but it may break things created by the legacy Task Scheduler interface. Users of 64-bit Windows 10, version 1803, can mitigate the problem by applying a micropatch. The fix is temporary and requires the installation of the 0patch Agent (https://0patch.com/) from Acros Security. The company makes the source code for the micropatch available in the tweet below: Source
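Until the fix ships, the artifacts this post describes are checkable from a host or a mounted image: an entry in C:\Windows\Tasks that should not be there, an auto-elevated updater that a normal user can now write to, and updater contents that no longer match a known-good copy. The script below is an added example (not ESET's, 0patch's or Microsoft's code) that performs those three checks. It assumes, from the public PoC rather than from the post, that the exploit plants a hard link inside the Tasks folder so that SchRpcSetSecurity rewrites the DACL of the link's target; the baseline SHA-256 is a placeholder you must record from a clean machine, and the sample paths are the ones the post names.

```python
import hashlib
import os
from pathlib import Path

# Paths named in the post; point them elsewhere when checking a mounted image.
TASKS_DIR = Path(r"C:\Windows\Tasks")
UPDATER = Path(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe")


def sha256_of(path) -> str:
    """Hex SHA-256 of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def multi_linked_entries(directory):
    """Names of regular files in `directory` whose link count is above 1.

    Assumption (from the public PoC, not from the post): the exploit creates a
    hard link in the Tasks folder so that SchRpcSetSecurity's DACL write lands
    on the link's target. A clean Tasks folder holds no hard links, so any
    entry with st_nlink > 1 deserves a look. Python populates st_nlink on
    Windows as well as on POSIX.
    """
    out = []
    for p in Path(directory).iterdir():
        if p.is_file() and not p.is_symlink() and p.stat().st_nlink > 1:
            out.append(p.name)
    return sorted(out)


def writable_by_current_user(path) -> bool:
    """Open the file for writing without writing anything, then close it.

    On Windows this consults the DACL (os.access only looks at the read-only
    attribute). Run it as the low-privileged user whose access you doubt; a
    sharing violation on an in-use binary also surfaces as PermissionError
    and is reported as not writable.
    """
    try:
        fd = os.open(path, os.O_WRONLY)
    except PermissionError:
        return False
    os.close(fd)
    return True


def check_updater(path, baseline_sha256: str):
    """Findings for an auto-elevated binary: writable by a normal user, or
    content differing from a baseline hash recorded on a known-good host."""
    path = Path(path)
    if not path.is_file():
        return ["updater not found"]
    findings = []
    if writable_by_current_user(path):
        findings.append("writable by current user")
    actual = sha256_of(path)
    if actual != baseline_sha256.lower():
        findings.append(f"hash mismatch: {actual}")
    return findings


if __name__ == "__main__":
    # Placeholder: record the real value from a clean machine of the same
    # Google Update version. No actual hash is given here.
    BASELINE = "<sha256 of GoogleUpdate.exe from a known-good host>"
    print("hard-linked entries in Tasks:", multi_linked_entries(TASKS_DIR))
    print("updater findings:", check_updater(UPDATER, BASELINE))
```

Run it from an unprivileged account: a "writable by current user" finding on GoogleUpdate.exe means the DACL has already been rewritten, and a hash mismatch on top of that is the overwritten binary the post describes. The hard-link check is cheap enough to schedule, and it fires before the updater's next SYSTEM-level run rather than after.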