Showing results for tags 'trojan'.

Found 62 results
  1. A new trend among adware and unwanted program purveyors is to install protection software that makes it more difficult for Windows users to run their security programs and clean infections. This was seen with the SmartService rootkit that blocked AV software from running, and now with a protection program being called CertLock.

     Since the end of May, security forum helpers have noticed reports that people are not able to install and run security programs on their infected computers. When they try to run the programs, they are greeted with an alert that states that the publisher has been blocked from running on the computer. It turns out that this is being caused by CertLock disallowing a security vendor's certificate on the affected computer, so that Windows does not allow the program to run.

     CertLock disallows security vendor certificates

     Commonly detected as Ceram or Wdfload by anti-virus vendors, CertLock is distributed by unwanted program bundles, such as miners. Once installed, CertLock will block a security vendor's certificate by adding it to a special Windows registry key. This causes Windows to not execute any programs that are signed with that certificate.

     CertLock blocks a certificate by creating a subkey, named using the thumbprint of the certificate it wants to block, under the following key:

     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\

     As an example, one of ESET's certificates has a thumbprint of F83099622B4A9F72CB5081F742164AD1B8D048C9. To block this certificate, CertLock will create a Registry key called:

     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9

     Under this key will be a single BLOB value that contains the certificate information. You can see an example of the registry key used to block the ESET certificate below.

     [Image: Registry key used to block the ESET certificate]

     If a certificate is added to the Disallowed list, when a user tries to run a program that is signed by this certificate they will be greeted with an error that states "The publisher has been blocked from running software on your machine". You can see an example of the ESET installer being blocked using this method below.

     [Image: Blocked ESET Installer]

     While blocking a certificate prevents signed installers from running, it also prevents already installed programs that use the blocked cert from executing. For example, when Malwarebytes' code-signing certificates are blocked, users are greeted with errors when they try to run the program. These errors state:

     Unable to start
     Unable to connect the Service.

     or

     Error
     Runtime Error (at 49:120):
     Could not call proc.

     You can see examples of these errors below:

     [Image: Unable to connect the Service Error]
     [Image: Malwarebytes 49:120 Error]

     This trojan really does not like Avast

     While CertLock already disallows the use of the AVAST certificate, it also goes a step further to make sure Avast is unable to run. It does this by pointing many avast.com hostnames to 127.0.0.1 using the Windows HOSTS file, so that the computer cannot connect to them.

     CertLock generates the list of Avast hosts to block by downloading the files.avast.com/iavs9x/servers.def file. This file contains a list of hostnames associated with the Avast security program. It then parses this file and adds them to the Windows HOSTS file as shown below.

     [Image: Modified HOSTS File]

     By adding the hostnames to the HOSTS file and pointing them to 127.0.0.1, it effectively blocks the computer from reaching these servers.

     How to remove Certificates Disallowed by CertLock

     ToolsLib.com co-administrator and Malwarebytes AdwCleaner developer Jérôme.B has created a tool called AVCertClean that will scan the Disallowed registry key for legitimate blocked keys and remove them. To use the tool, simply download and execute it.
     The program will then automatically remove the blocked certificates.

     [Image: AVCertClean]

     When the program has finished, it will display a log that lists the certificates that were cleaned by AVCertClean.

     [Image: AVCertClean Log]

     Now that the certificates are no longer being blocked, users can install and run their security programs in order to clean their computer. In some situations, users may need to restart the application in order to get it to run. For example, for Malwarebytes to run after cleaning the certs, users should go into the Windows Service Manager (services.msc) and restart the Malwarebytes Service.

     IOCs

     Hashes:
     b1cbe0ee129bc96cc3e3d2aa4bc2ce3f6b7403045bd0ffc8956b7b7af4d070f5 - Installer (Password Protected)
     b529ca4dd148fdfcee0c1f267bc6821cc5168c121363fa690536a72e0f447c19 - CertLock (Thx Aura)

     Registry Entries Associated with CertLock:
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
     HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[computer_name]  %temp%\[temp_name].tmp.exe

     Files Associated with CertLock:
     %temp%\[temp_name].tmp.exe

     Disallowed Certificates (Thumbprints):

     Security Vendor        Thumbprint
     AVAST                  AD4C5429E10F4FF6C01840C20ABA344D7401209F
     AVAST                  DB77E5CFEC34459146748B667C97B185619251BA
     AVG                    3D496FA682E65FC122351EC29B55AB94F3BB03FC
     AVG                    AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
     AVG Technologies       E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
     Adaware                9132E8B079D080E01D52631690BE18EBC2347C1E
     Avira                  A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
     BitDefender            18DEA4EFA93B06AE997D234411F3FD72A677EECE
     BitDefender            ED841A61C0F76025598421BC1B00E24189E68D54
     BullGuard              A5341949ABE1407DD7BF7DFE75460D9608FBC309
     BullGuard              76A9295EF4343E12DFC5FE05DC57227C1AB00D29
     Checkpoint Software    5240AB5B05D11B37900AC7712A3C6AE42F377C8C
     Comodo                 03D22C9C66915D58C88912B64C1F984B8344EF09
     Comodo                 872CD334B7E7B3C3D1C6114CD6B221026D505EAB
     CurioLab               9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
     Doctor Web             4420C99742DF11DD0795BC15B7B0ABF090DC84DF
     Doctor Web             FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
     ESET                   A59CC32724DD07A6FC33F7806945481A2D13CA2F
     ESET                   F83099622B4A9F72CB5081F742164AD1B8D048C9
     Emsisoft               4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
     Emsisoft               5DD3D41810F28B2A13E9A004E6412061E28FA48D
     F-Secure               0F684EC1163281085C6AF20528878103ACEFCAAB
     FRISK                  1667908C9E22EFBD0590E088715CC74BE4C60884
     GData                  2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
     K7 Computing           42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
     K7 Computing           7457A3793086DBB58B3858D6476889E3311E550E
     Kaspersky              3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
     Kaspersky              D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
     Malwarebytes           249BDA38A611CD746A132FA2AF995A2D3C941264
     Malwarebytes           B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
     McAfee                 775B373B33B9D15B58BC02B184704332B97C3CAF
     McAfee                 88AD5DFE24126872B33175D1778687B642323ACF
     PC Tools               4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
     Panda                  FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
     SUPERAntiSpyware       373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
     Safer Networking       982D98951CF3C0CA2A02814D474A976CBFF6BDB1
     Symantec               31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
     Symantec               AD96BB64BA36379D2E354660780C2067B81DA2E0
     ThreatTrack Security   9C43F665E690AB4D486D4717B456C5554D4BCEB5
     ThreatTrack Security   DB303C9B61282DE525DC754A535CA2D6A9BD3D87
     Total Defense          E22240E837B52E691C71DF248F12D27F96441C00
     Trend Micro            331E2046A1CCA7BFEF766724394BE6112B4CA3F7
     Trend Micro            CDC37C22FE9272D8F2610206AD397A45040326B8
     Webroot                3353EA609334A9F23A701B9159E30CB6C22D4C59
     Webroot                9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361

     Article source
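     The following PowerShell script is an added example written for this page; it is not code from the article above and not AVCertClean's code. It audits the two persistence points the article describes: it walks HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates and tags every subkey whose name matches one of the vendor thumbprints from the article's IOC table, and it lists HOSTS entries that point avast.com names at 127.0.0.1. Removal is limited to the known vendor thumbprints, because the Disallowed store legitimately holds certificates Microsoft itself has revoked. It assumes an elevated PowerShell session on the affected host and the default HOSTS file path; the function names are this example's own.

```powershell
# Added example (not the article's or AVCertClean's code). Run elevated.
$DisallowedKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
$HostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Vendor -> code-signing thumbprints, taken from the article's IOC table.
$VendorThumbprints = @{
    'AVAST'                = 'AD4C5429E10F4FF6C01840C20ABA344D7401209F','DB77E5CFEC34459146748B667C97B185619251BA'
    'AVG'                  = '3D496FA682E65FC122351EC29B55AB94F3BB03FC','AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947'
    'AVG Technologies'     = 'E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF'
    'Adaware'              = '9132E8B079D080E01D52631690BE18EBC2347C1E'
    'Avira'                = 'A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99'
    'BitDefender'          = '18DEA4EFA93B06AE997D234411F3FD72A677EECE','ED841A61C0F76025598421BC1B00E24189E68D54'
    'BullGuard'            = 'A5341949ABE1407DD7BF7DFE75460D9608FBC309','76A9295EF4343E12DFC5FE05DC57227C1AB00D29'
    'Checkpoint Software'  = '5240AB5B05D11B37900AC7712A3C6AE42F377C8C'
    'Comodo'               = '03D22C9C66915D58C88912B64C1F984B8344EF09','872CD334B7E7B3C3D1C6114CD6B221026D505EAB'
    'CurioLab'             = '9E3F95577B37C74CA2F70C1E1859E798B7FC6B13'
    'Doctor Web'           = '4420C99742DF11DD0795BC15B7B0ABF090DC84DF','FFFA650F2CB2ABC0D80527B524DD3F9FC172C138'
    'ESET'                 = 'A59CC32724DD07A6FC33F7806945481A2D13CA2F','F83099622B4A9F72CB5081F742164AD1B8D048C9'
    'Emsisoft'             = '4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF','5DD3D41810F28B2A13E9A004E6412061E28FA48D'
    'F-Secure'             = '0F684EC1163281085C6AF20528878103ACEFCAAB'
    'FRISK'                = '1667908C9E22EFBD0590E088715CC74BE4C60884'
    'GData'                = '2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF'
    'K7 Computing'         = '42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01','7457A3793086DBB58B3858D6476889E3311E550E'
    'Kaspersky'            = '3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F','D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598'
    'Malwarebytes'         = '249BDA38A611CD746A132FA2AF995A2D3C941264','B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84'
    'McAfee'               = '775B373B33B9D15B58BC02B184704332B97C3CAF','88AD5DFE24126872B33175D1778687B642323ACF'
    'PC Tools'             = '4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159'
    'Panda'                = 'FBB42F089AF2D570F2BF6F493D107A3255A9BB1A'
    'SUPERAntiSpyware'     = '373C33726722D3A5D1EDD1F1585D5D25B39BEA1A'
    'Safer Networking'     = '982D98951CF3C0CA2A02814D474A976CBFF6BDB1'
    'Symantec'             = '31AC96A6C17C425222C46D55C3CCA6BA12E54DAF','AD96BB64BA36379D2E354660780C2067B81DA2E0'
    'ThreatTrack Security' = '9C43F665E690AB4D486D4717B456C5554D4BCEB5','DB303C9B61282DE525DC754A535CA2D6A9BD3D87'
    'Total Defense'        = 'E22240E837B52E691C71DF248F12D27F96441C00'
    'Trend Micro'          = '331E2046A1CCA7BFEF766724394BE6112B4CA3F7','CDC37C22FE9272D8F2610206AD397A45040326B8'
    'Webroot'              = '3353EA609334A9F23A701B9159E30CB6C22D4C59','9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361'
}

# Invert to thumbprint -> vendor so each registry subkey is a single lookup.
$ByThumbprint = @{}
foreach ($vendor in $VendorThumbprints.Keys) {
    foreach ($tp in @($VendorThumbprints[$vendor])) { $ByThumbprint[$tp.ToUpperInvariant()] = $vendor }
}

function Get-DisallowedVendorCerts {
    # Every subkey name under Disallowed\Certificates is a certificate thumbprint.
    # Known vendor thumbprints are tagged; anything else is reported for manual review,
    # since Microsoft's own revoked certificates also live in this store.
    if (-not (Test-Path $DisallowedKey)) { return @() }
    Get-ChildItem -Path $DisallowedKey | ForEach-Object {
        $tp = $_.PSChildName.ToUpperInvariant()
        $known = $ByThumbprint.ContainsKey($tp)
        $vendor = if ($known) { $ByThumbprint[$tp] } else { '(not a known AV vendor - review manually)' }
        [pscustomobject]@{ Vendor = $vendor; Thumbprint = $tp; KnownVendor = $known; KeyPath = $_.PSPath }
    }
}

function Get-HostsAvastBlocks {
    # HOSTS lines that sinkhole avast.com hostnames to 127.0.0.1, as the article describes.
    if (-not (Test-Path $HostsFile)) { return @() }
    Get-Content -Path $HostsFile | Where-Object { $_ -match '^\s*127\.0\.0\.1\s+\S*avast\.com(\s|$)' }
}

function Remove-DisallowedVendorCerts {
    # Deletes only subkeys that match a known security vendor thumbprint; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-DisallowedVendorCerts | Where-Object { $_.KnownVendor } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.KeyPath, "Remove Disallowed entry for $($_.Vendor)")) {
            Remove-Item -Path $_.KeyPath -Recurse -Force
        }
    }
}

# Report first; clean-up is a separate, explicit step.
Get-DisallowedVendorCerts | Format-Table Vendor, Thumbprint -AutoSize
Get-HostsAvastBlocks
# Remove-DisallowedVendorCerts -WhatIf   # dry run; drop -WhatIf to remove, then restart the affected AV service
```

     After removing the entries, programs signed with the freed certificates still need their service restarted (for Malwarebytes, the article's own advice is to restart the Malwarebytes Service in services.msc), and the avast.com lines in the HOSTS file have to be cleaned by hand or by the vendor's repair tool; the script only reports them.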
  2. A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware.

     The name of this "hacker" is Mohammed Raad, according to his Facebook profile, but he also goes online by the nickname of "vicswors baghdad," according to his Facebook, Twitter, Google+, and YouTube profiles. While there are countless people who download and fool around with malware kits, Recorded Future claims this actor took it one step further by launching real-world campaigns.

     Recorded Future: Raad behind some Houdini campaigns

     Raad's actions would have gone unnoticed had he not weaponized and started distributing Houdini (or H-worm), a VBScript-based RAT that was created and first spread in 2013. His biggest mistake was using PasteBin to store the RAT's main body, a VBScript file. Because threat intelligence firm Recorded Future regularly scrapes and archives PasteBin uploads, his actions were uncovered earlier this month, after experts observed an overall increase in VBScripts posted on online paste sites.

     Analyzing this surge, experts realized that most of the scripts were the Houdini VBScript. Analyzing the data, they identified three spikes of activity in August 2016, October 2016, and March 2017. Recorded Future experts believe an infected computer would download the VBScript from the paste site, which would later connect to a C&C server and gain persistence on the infected host by setting up a local folder and registry key.

     Raad registered a C&C domain under his real name

     To find more details on who was behind this surge in VBScripts on paste sites, researchers took a look at all the C&C server URLs found inside the Houdini scripts. This search identified C&C servers hosted on 105 subdomains of dynamic DNS providers (ddns.net, no-ip.com, etc.), but also one clear net domain. That domain was microsofit[.]net, which was registered by Raad.

     At this point, researchers realized that many of the other 105 dynamic DNS subdomains were variations on this actor's name, using either Raad or the word Mohammed in the subdomain name (mohammadx47.ddns.net; mohamedsaeed.ddns.net; etc.). It didn't take long for researchers to find Raad's social media profiles, where they found his affiliation with the Anonymous hacker collective, his inclination for dabbling in malware, and messages through which he entered promotions for the dynamic DNS services he used in the C&C server infrastructure.

     Raad is playing around with ransomware

     Furthermore, they found comments made by Raad on a YouTube video advertising the MoWare H.F.D ransomware, asking the author for a copy of the ransomware package. A few days later, Raad posted an image on Facebook showing the MoWare ransomware source code, implying that he had received a copy and was currently editing the code. There is no evidence the author released his ransomware in the wild.

     Raad's social media profiles suggest he's an Iraqi national living in Munich, Germany. Raad did not respond to a request for comment from Bleeping Computer in time for this article's publication.

     Other actors leveraging paste sites

     According to Recorded Future experts, malware authors are increasingly abusing paste sites as cogs in their malware distribution campaigns. A day before the report unmasking Raad's activity, Recorded Future experts uncovered the activity of another crook, going by the names Leo and wzLeonardo. Experts say Leo was using a VBScript hosted on Pastebin that, when executed, would install the njRAT remote access trojan on the victim's computer, while also downloading encrypted RAT strings stored on HasteBin, another paste site. Recorded Future believes Leo is based either in Brazil or Tunisia.

     Source
  3. The interestingly named "Swearing Trojan" appears to be using fake mobile base stations in China to send phishing SMS messages to fool victims.

     If you're heading to China, you may want to watch out for legit-looking SMS messages from local carriers China Mobile and China Telecom. That's because the group behind the banking malware known as "Swearing Trojan" has been using fake mobile base stations to masquerade as a real carrier and send phishing SMS messages that trick you into clicking on a malicious URL, according to security research group Check Point.

     While there have been reports that the authors behind the malware have been arrested, Check Point said it is still detecting the spread of the malware. Once installed, Screaming Trojan intercepts your bank's 2FA passwords, giving the malware authors access to your bank account.

     Besides fake mobile base stations, the malware also propagates via your contact lists, using seemingly real messages to get other victims to download the malware, or fake "nude celebrity" scams to get victims to click on a malicious URL.

     Source
  4. Citadel author pleads guilty

     A Russian programmer behind the Citadel Trojan, which was used for bank-account raiding, has pleaded guilty. Mark Vartanyan, also known by the name "Kolypto," was arrested last year in Norway and extradited to America a month later. He was charged with one count of computer fraud, to which he pleaded guilty. In exchange for his admission, Vartanyan could get up to 10 years in jail and a $250,000 fine, down from 25 years behind bars. He will only find out his sentence in June.

     "We must continue to impose real costs on criminals who believe they are protected by geographic boundaries and can prey on the American people and institutions with impunity," said FBI special agent David LeValley. "It further demonstrates the FBI's long-term commitment to identifying and pursuing cyber criminals world-wide, and serves as a strong deterrent to others targeting America's financial institutions and citizens through the use of malicious software."

     A trip back to 2011

     If your memory is a bit fuzzy on the Citadel issue, that's understandable, because the trojan appeared back in 2011. It infected Windows PCs, silently picking up victims' online banking credentials only to later allow criminals to get their hands on the cash. Citadel could also spy on computers and hold files to ransom, setting down a trend that's now grown into a phenomenon. According to US prosecutors, at its height the malware infected 11 million computers and was responsible for the theft of over $500 million from bank accounts.

     "Between on or about August 21, 2012, and January 9, 2013, while residing in Ukraine, and again between on or about April 9, 2014, and June 2, 2014, while residing in Norway, Vartanyan allegedly engaged in the development, improvement, maintenance and distribution of Citadel. During these periods, Vartanyan allegedly uploaded numerous electronic files that consisted of Citadel malware, components, updates and patches, as well as customer information, all with the intent of improving Citadel's illicit functionality," reads a case file.

     Nowadays, there are some versions of the malware still circulating. At its base, Citadel is a variant of the famous ZeuS banking trojan. Citadel was one of the first malware-as-a-service offerings out there, with its source code being sold on exclusive Russian dark web forums.

     Source
  5. Researchers at Arbor Networks have come across a new piece of malware that could be linked to the Trojan used in the campaign known as Operation Potao Express.

     The malware caught the attention of Arbor Networks researchers after a link to a VirusTotal analysis was posted on Twitter by an Italy-based expert who uses the online moniker Antelox. An analysis of the Trojan and its dropper showed that the threat could be linked to the Potao malware family.

     The Potao malware, which has been described as a "universal modular cyber espionage toolkit," has been around since at least 2011, but it was first analyzed in detail in 2015 by ESET. In its report on Operation Potao Express, ESET said the malware was most probably of Russian origin and it had been used in attacks aimed at entities in Ukraine, Russia, Georgia and Belarus, including what experts described as "high-value targets."

     The new malware that Arbor Networks believes may be linked to Potao has been dubbed "Acronym" based on a debugging string and the URLs pointing to command and control (C&C) servers. Acronym and its dropper appear to have been compiled in mid-February.

     The dropper is designed to kill the wmpnetwk.exe Windows process and replace the legitimate wmpnetwk.exe file with the malware. Once executed, Acronym uses the Registry or the Task Scheduler to ensure that it's persistent. It then contacts a C&C server and sends it information about the infected machine.

     Similar to Potao, Acronym is a modular malware. Its built-in commands allow attackers to capture screenshots, download and execute other files, and run plugins. Since the C&C servers were offline at the time of Arbor's analysis, researchers have not been able to identify any of the plugins. However, similarities in the plugin functionality have led experts to believe that Acronym may be connected to Potao.

     Other similarities include the use of the same C&C infrastructure, attempts to contact C&C domains on the same ports, and the use of temporary file names that start with "HH." On the other hand, there are several differences when it comes to encryption and how the malware is delivered – unlike Potao, Acronym's dropper does not use decoy documents, DLL files or process injection. Furthermore, some parts of the Acronym code, including the HTTP communications, encryption and screenshot functionality, appear to have been copied from publicly available examples.

     "As usual with new malware it is too soon to assess how active and widespread this new family will become, but it does have a potential link to a long running malware campaign known as Operation Potao Express that makes it worth watching," said Arbor Networks' Dennis Schwarz.

     Article source
  6. Dridex v4 is already used in campaigns against UK banks

     Dridex v4 is making a comeback with new capabilities that make it even harder to detect. The Dridex Trojan, one of the most destructive banking Trojans to hit the Internet, has just been given an update with a new injection method that makes it even harder to detect, taking advantage of AtomBombing, IBM X-Force reports.

     AtomBombing, unlike some other common injection techniques used in the wild, is meant to make evading security software a breeze. "In this release, we noted that special attention was given to dodging antivirus products and hindering research by adopting a series of enhanced anti-research and anti-AV capabilities," reads the new research.

     This new Dridex version doesn't rely on AtomBombing entirely, using only a part of the technique for its purpose. It seems that the malware authors used the AtomBombing technique for writing the payload, before switching to a different method to obtain execution permission, as well as for the execution itself.

     More changes to Dridex

     The addition of AtomBombing wasn't the only change to Dridex. In fact, the developers also worked on a major upgrade to the way encryption is configured. The upgrade includes a modified naming algorithm, a new persistence mechanism and a few additional enhancements.

     This new update isn't necessarily surprising for researchers. "The release of a major version upgrade is a big deal for any software, and the same goes for malware. The significance of this upgrade is that Dridex continues to evolve in sophistication, investing in further efforts to evade security and enhance its capabilities to enable financial fraud," X-Force writes.

     The new Dridex v4 is currently being used against British banks, and estimates indicate that the attacks may sometime soon move towards the United States.

     AtomBombing was first spotted by enSilo back in October, when the security firm warned that attackers were using Windows' atom tables, which made the code injection technique affect all versions of Windows. It works by using code injection to add malicious code into legitimate processes, which makes the malware harder for security products to detect.

     Source
  7. [Image: Website spreading Gatak-infected keygens (via Symantec)]

     Websites offering free keygens for various enterprise software applications are helping crooks spread the Gatak malware, which opens backdoors on infected computers and facilitates attacks on a company's internal network, or the theft of sensitive information.

     Gatak is a backdoor trojan that first appeared in 2012. Another name for this threat is Stegoloader, and its main distinctive feature is its ability to communicate with its C&C servers via steganography.

     Gatak relies on steganography to stay hidden

     Steganography is the technique of hiding data in plain sight. In the world of cyber-security, steganography is the practice of hiding malicious code, commands, or malware configuration data inside PNG or JPG images.

     The malware, in this case Gatak, connects to its online C&C server and requests new commands. Instead of receiving HTTP network requests, which all security software knows to be on the lookout for, the data is sent as an innocuous image, which looks like regular web traffic. The malware reads the image's hidden data and executes the command, all while the local antivirus thinks the user has downloaded an image off the Internet.

     Keygens for enterprise software spreading Gatak

     Security firm Symantec says it uncovered a malware distribution campaign that leverages a website offering free keygens for various applications such as:

     • SketchList3D - woodworking design software
     • Native Instruments Drumlab - sound engineering software
     • BobCAD-CAM - metalworking/manufacturing software
     • BarTender Enterprise Automation - label and barcode creation software
     • HDClone - hard disk cloning utility
     • Siemens SIMATIC STEP 7 - industrial automation software
     • CadSoft Eagle Professional - printed circuit board design software
     • PremiumSoft Navicat Premium - database administration software
     • Originlab Originpro - data analysis and graphing software
     • Manctl Skanect - 3D scanning software
     • Symantec System Recovery - backup and data recovery software

     All of the above are specialized apps, deployed in enterprise environments. The group behind this campaign is specifically targeting users who use these applications at work, but without valid licenses, in the hope of infecting valuable targets they could hack, steal data from, and possibly sell on the underground.

     Keygens don't work, they just infect users with Gatak

     The keygens distributed via this website aren't even fully-working tools. They just produce a random string of characters, but their purpose is to trick the user into executing the keygen binary just once, enough to infect the victim.

     The hackers are picky about the companies they target, because the security firm has seen second-stage attacks on only 62% of all infected computers. Attackers use Gatak to gather basic information about targets and, if they deem them valuable, deploy other malware at later stages.

     In some cases, the hackers also resort to lateral movement on the victim's network, with the attackers manually logging into the compromised PC. The attacks aren't sophisticated, and the hackers only take advantage of weak passwords inside the local network. Symantec says it didn't detect any zero-days or automated hacking tools employed when hackers attempted to infect other devices on the local network.

     [Image: Gatak infections per industry vertical (via Symantec)]

     Telemetry data shows that 62% of all Gatak infections have been found on computers on enterprise networks. Most of these attacks have targeted the healthcare sector, but it doesn't appear that hackers specifically targeted this industry vertical, as companies in other verticals were also hit. Attackers might have opted to focus more on healthcare institutions because these organizations usually store more in-depth user data they can steal, compared to the automotive industry, gambling, education, construction, or others.

     "In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan," Symantec notes in a report. "They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent."

     Article source
  8. While it is not uncommon to find malware or code on Pastebin, it is a surprise to find a dropper that downloads the payload from Pastebin on the fly. The payload has turned out to be a RAT with keylogger capabilities.

     The dropper

     The dropper is not much more than an adaptable package to deliver the actual payload. This one is called VMWare.exe and the first screen of the installer pretends to be "WindowsInstall". Although we are not entirely sure of its origin, this makes us consider a method of infection that is typical for sites offering cracks and keygens.

     The payload

     When we run the sample, we have noticed a connection to a specific Pastebin page. The code posted is a Visual Basic script that downloads and runs a file called Tempwinlogon.exe. The executable itself is posted in hexadecimal and reconstructed by the function in the script. We copied and altered the script to see where it puts the file. Don't try this at home folks, at least not on a computer you need. Running unknown scripts that you happened to find somewhere isn't always a good idea. The destination of the file turned out to be C:\Users\{username}\AppData\Local\Tempwinlogon.exe (on a system running Windows 7).

     The RAT

     This proved to be a .NET Trojan, detected by some vendors as Bladabindi, which is very similar to njRAT. It has keylogger functionality and connects to an IP in the 37.237.112.* range.

     [Image: keylogger]

     The executable is copied to C:\Users\{username}\AppData\Roaming\Tr.exe and to C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\353cd7180c8c415bfffe6958aebb47d8.exe to gain persistence. If the running process (Tr.exe) is stopped (by using the Task Manager, for example), this results in an immediate BSOD as shown below:

     [Image: BSOD after stopping Tr.exe]

     File details

     SHA1 VMWare.exe          45653c39e8201a0b3c469ae6208ad6f2ed9835a4
     SHA1 Tempwinlogon.exe    b777b4c35ba0933f310b885a28e972c578a39922

     Detected by Malwarebytes Anti-Malware as Trojan.Agent.GenX.IPH. The Malwarebytes Website Protection Module blocks all traffic to the C2 server. A full removal guide can be found on our forums. Do consider changing your passwords though, if you have been infected with this RAT, since the passwords might have been compromised by this threat. After we reported this to Pastebin, the source page has been taken down.

     Summary

     A dropper we analyzed downloaded the code for part of its payload from Pastebin on the fly. The payload turned out to be a RAT with keylogging capabilities.

     Article source
9. PUP software should be called malware, not PUP

The term Potentially Unwanted Programs, or PUPs, is often used to describe software installed on somebody's computer without the owner's specific and direct approval. Many legally-registered software development companies engage in "bundling," mainly because they earn a nice profit by packaging another company's software (PUPs) with their legitimate apps.

Detecting software as PUP comes with a financial and legal cost

For years, antivirus vendors have fought to blacklist PUPs, marking specific software as dangerous inside their security products. The makers of those programs didn't sit idly, and for years have sued antivirus vendors whenever their software received the label of "PUP" or "adware" in AV products. Nevertheless, security firms fought back in all lawsuits and continued to mark PUP software as dangerous, despite the rising costs of mounting a legal defense against these scumbag developers.

Because of their work, PUP makers, who are often very large software development firms themselves, have continually evolved their products, adding new evasion tricks and pioneering new distribution methods. These new techniques have allowed older PUPs to pass undetected, or have helped PUP makers create newer and more advanced threats.

PUP makers are the most litigious companies around

Last week, Malwarebytes CEO Marcin Kleczynski said his company is ready to modify the detection rules based on which their product, the Malwarebytes Anti-Malware (MBAM) toolkit, detects PUP software. The new rules, which you can read below, aren't anything regular users would consider an exaggerated move from Malwarebytes. Nevertheless, Kleczynski said he expects PUP makers to fight back.

"[Previously] This has resulted in backlash ranging from nasty blog posts and comments from fake profiles defending the products to, of course, a mountain of letters with legal letterheads demanding that we stop," Kleczynski said, expecting something similar again.

PUP should be called malware! PUP should not be a standalone term!

Lawrence Abrams, Bleeping Computer founder, shares Kleczynski's opinion and takes it one step further.

"As I have said numerous times," Abrams writes on his site, "PUP distributors and developers are getting out of control and need to be stopped. They are creating adware and PUPs that are not only distributed in a deceptive manner, but in many cases also include characteristics that are only found in computer infections. These characteristics could include backdoors, rootkits, and persistence techniques that make the programs difficult to remove.

"Though anyone with common sense would say that these programs should be considered malware, instead they are classified as PUPs, or not detected at all, because security companies are afraid of legal threats from the PUP developers," Abrams adds. "In fact, the term PUP, or Potentially Unwanted Program, was created to avoid calling these programs malware and to avoid the legal consequences of doing so."

Microsoft updates MSRT to detect newer PUP families

But Malwarebytes is not the only one that's getting tougher on PUPs. Yesterday, Microsoft announced the addition of three new PUP families (SupTab, Sasquor, and Ghokswa) to its Malicious Software Removal Tool (MSRT) release, which come to complement the two new PUP families added last month (Suweezy and Xadupi).

For example, Microsoft says that it decided to add the SupTab and Sasquor PUPs after it found them part of bundlers such as Istartpageing, Omniboxes, Yoursearching, iStart123, Hohosearch, Yessearches, Youndoo, and Trotux. If you take the time to read Microsoft's analysis of these new threats, PUPs aren't "PUPs" anymore. Gone are the days when a PUP that came bundled with a legitimate app would just change your homepage.

PUPs have the same capabilities as APT malware

Nowadays, PUPs come with rootkit components that make removal almost impossible. They also feature a modular design, with different components being installed at later times, while the main PUP component communicates with a central C&C server. Ironically, malware used in politically-motivated cyber-espionage campaigns has the very same features.

Of course, if you call PUP software "malware," or you use its real name, you might get sued. If you haven't been aware by now, Sasquor, Xadupi, or just about any PUP codename is a generic term given to certain software applications often found inside bundled software, which security vendors avoid pointing out by their real name, afraid of legal threats.

FTC and EU need to get involved

Until the FTC or the EU gets involved with stricter legislation, PUP software vendors can create destructive and intrusive software, hide it under a generic EULA agreement, and then sue any company or security researcher that dares to call it malicious, let alone mark it as a PUP or malware in their security products. The only time PUP vendors are shut down is when the victims of these aggressive software packages come forward and sue the software vendors.

If you want to know what the latest trends in PUP development are, below is a list of the recent threats added to Microsoft's Malicious Software Removal Tool, along with their capabilities.

Malware name: Capabilities

BrowserModifier:Win32/Sasquor: Changes browser search and homepage settings to circumvent the browser’s supported methods and bypass your consent. It generally targets Google Chrome and Mozilla Firefox users. It also installs services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi. It also sometimes installs Trojan:Win32/Suweezy.

BrowserModifier:Win32/SupTab: Changes browser search and homepage settings, circumventing the browser’s supported methods and bypassing your consent. It usually targets Internet Explorer, Microsoft Edge, Google Chrome and Mozilla Firefox. It also installs services and scheduled tasks that regularly install additional or another type of malware.

Trojan:Win32/Suweezy: Attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to exclude certain folders from being scanned. This can prevent detection and removal of the related malware like Sasquor and SupTab, as well as any other malware or unwanted software the machine might encounter. Suweezy usually adds C: to the exclusion list, which includes everything under that path, hence creating a significant and imminent danger to your computer’s overall security by making that path unprotected by your antimalware software.

Trojan:Win32/Xadupi: Installs a service that regularly installs other apps, including Ghokswa and SupTab. This service is ostensibly an update service for an app that has some user-facing functionality – CornerSunshine displays weather information on the taskbar, WinZipper can open and extract archive files, and QKSee can be used to view image files.

Trojan:Win32/Ghokswa: Installs a customized version of Chrome or Firefox browsers. The Chrome version represents itself as Google Chrome, but is modified to use a different home page and search engine front-end. If Google Chrome is already installed when Ghokswa is downloaded by Xadupi, the Ghokswa installer will silently stop any running Google Chrome processes, and replace all shortcuts and associations for the real Google Chrome with ones pointing to its own version.

Article source
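The MSRT write-up above describes two traits worth checking for on any Windows host: a drive-wide antimalware exclusion of the kind Suweezy adds (C: excluded means nothing is scanned) and services or scheduled tasks, as installed by Sasquor and Xadupi, that keep pulling in further components. The following is an added example, not code from the article or from Microsoft, that audits a host for both traits using the Defender, CIM and ScheduledTasks cmdlets; the list of user-writable directories it treats as suspicious is an assumption and should be tuned to your environment. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): audit a Windows host for
#  1) drive-wide Windows Defender exclusions (the Suweezy trait), and
#  2) services/scheduled tasks whose binary lives in a user-writable
#     directory (the Sasquor/Xadupi "regularly installs other apps" trait).
# Requires an elevated session on a host with Windows Defender.

function Test-BroadExclusion {
    param([string]$Path)
    # A bare drive root (C: or C:\), a drive-wide wildcard (C:\*) or a lone '*'
    # excludes everything beneath it from scanning.
    return ($Path -match '^[A-Za-z]:\\?$') -or
           ($Path -match '^[A-Za-z]:\\\*+$') -or
           ($Path -eq '*')
}

function Get-SuspiciousExclusions {
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and (Test-BroadExclusion $p)) {
            [pscustomobject]@{ Kind = 'DefenderExclusion'; Detail = $p }
        }
    }
}

# Assumption: legitimate services and system tasks rarely execute from these
# locations, so an autostart pointing there deserves a closer look.
$userWritable = @('\AppData\', '\ProgramData\', '\Temp\', '\Users\Public\')

function Test-UserWritablePath {
    param([string]$Cmd)
    foreach ($frag in $userWritable) {
        if ($Cmd -like "*$frag*") { return $true }
    }
    return $false
}

function Get-SuspiciousAutostarts {
    # Services whose image path is under a user-writable directory.
    Get-CimInstance Win32_Service |
        Where-Object { Test-UserWritablePath $_.PathName } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Detail = "$($_.Name): $($_.PathName)" }
        }

    # Scheduled tasks with an action that executes from a user-writable directory.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in @($task.Actions)) {
            if ($a.Execute -and (Test-UserWritablePath "$($a.Execute) $($a.Arguments)")) {
                [pscustomobject]@{
                    Kind   = 'ScheduledTask'
                    Detail = "$($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
}

$findings = @(Get-SuspiciousExclusions) + @(Get-SuspiciousAutostarts)
if ($findings.Count -eq 0) {
    Write-Host 'No drive-wide exclusions or user-writable autostarts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in the Defender exclusion list is the stronger signal: there is almost no legitimate reason for a whole drive to be excluded, and the fix is to remove the entry and then run a full scan, since anything placed under that path while the exclusion was active has never been inspected. Service and task hits need a manual look, as some legitimate updaters do run from ProgramData.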
10. A new strain of malware has been discovered by Kaspersky Labs, named 'StrongPity,' which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool.

The malware contains components that not only have the ability to give attackers complete control of the victim's computer, but also steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East.

To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs. One instance that was discovered by the researchers is that the criminals transposed two letters in a domain name, in order to fool the potential victim into thinking that the program was a legitimate WinRAR installer website.

In the image above, clicking on the blue button will direct users to 'ralrab[.]com,' an obvious trickery done by cybercriminals to fool victims. Going through this link will lead unsuspecting users to the malicious software.

Interestingly enough, there was a recorded case in Italy back in May where users were not directed to a fraudulent site anymore, but were led to the StrongPity malware itself. StrongPity was also found directing visitors from popular software sharing websites to a poisoned installer of the TrueCrypt software. Malicious WinRAR links have been removed, but there were still redirects found on TrueCrypt installers by the end of September.

According to Kurt Baumgartner, this method of cybercriminals can be compared to the Crouching Yeti/Energetic Bear attacks, which compromised legitimate software distribution websites. He states: "These tactics are an unwelcome and dangerous trend that the security industry needs to address. The search for privacy and data integrity should not expose an individual to offensive waterhole damage. Waterhole attacks are inherently imprecise, and we hope to spur discussion around the need for easier and improved verification of encryption tool delivery."

At this point, wherever in the world we may be, we advise our readers to exercise caution when it comes to downloading software from untrusted websites. Malware such as StrongPity is simply waiting for its next victim, potentially compromising your security in the long run once infected.

Source: Kaspersky (1) (2)

Article source
11. Trojan steals app and database passwords, PoS data

Log of recent attacks against the RDP port of a honeypot server

A new malware family called Trojan.sysscan has the potential to wreak havoc in enterprise networks that feature poorly protected RDP servers. Discovered by security firm Guardicore, the malware is used by attackers as a backdoor trojan, collecting data from compromised hosts and exfiltrating it to an attacker's remote server.

Attacker infects systems after RDP brute-force attacks

Targeted systems are infected after the attacker scans the Internet for open RDP ports, which he brute-forces using common username and password combinations. Poorly secured servers are the optimal targets, and because RDP servers are commonly found in medium-to-large enterprise networks, companies have the most to fear from this new threat.

According to Guardicore, this new trojan is coded in the Delphi programming language and comes with support for dumping passwords from locally installed applications such as browsers, databases, and PoS software. The trojan contains specific functions to target credentials used for accounts on banking, gambling and tax websites. It will also target and steal browser cookie files.

Two IP addresses used in recent attacks

The trojan sets up a hidden administrator account on compromised systems in order to gain boot persistence and makes sure to leave the RDP open for future connections. Guardicore says Trojan.sysscan contains code to search and identify when the trojan is executed in sandbox environments and virtual machines. Nevertheless, the trojan only detects the presence of these environments and fails to take any action to stop execution or hide its activity.

The data the trojan collects is sent via an unencrypted HTTP request to a remote server. If the transfer fails, oftentimes the attacker logs in via RDP and copies the data manually.

Security experts say that during this recent wave of Trojan.sysscan attacks, the threat actor behind the malware has used two IPs: 85.93.5.43 (UAE) to store the stolen data, and 144.76.137.166 (Germany) to scan for open RDP ports.

Article source
12. If you refuse to pay up, the malware vanishes from your PC -- but leaves everything fully encrypted.

Kaspersky has released a decryption tool for the Polyglot ransomware to assist victims in recovering their files without giving in and paying a fee. On Monday, the cybersecurity firm launched the free tool (.ZIP), which is suitable for the Polyglot Trojan, also known as MarsJoke, a strain which has been linked to attacks on government targets.

Ransomware is a particularly nasty kind of malware which has hit the headlines over the past year after targeting victims including businesses, hospitals and universities. What makes the malware strain particularly devastating -- for organizations and the general public alike -- is its ability to take away access to files and content stored on a compromised machine.

Once ransomware such as MarsJoke, Cerber or CTB-Locker is downloaded and executed -- often finding its way onto a PC through phishing emails or malicious links -- the ransomware encrypts files and in some cases, full hard drives. Once the victim can no longer access their machine, a holding page informs them that they must pay a "fee" in return for a decryption key which will release their content back to them.

Polyglot infects PCs through spam emails which have malicious RAR archives attached. When infecting a machine, this family of ransomware blocks access to files and then replaces the victim's desktop wallpaper with the ransom demand, which is made in the virtual currency Bitcoin.

Many types of ransomware will simply sit on the machine waiting for the payment to be made. However, Polyglot insists on a payment deadline, and if the blackmail fails and no money is sent to the operators, the malware will delete itself -- leaving behind a machine with encrypted files and no way to retrieve them. Until now, at least. Kaspersky's tool will decrypt these machines and unlock user data.

According to the security firm, although Polyglot looks similar to the severe CTB-Locker ransomware, the malware uses a weak encryption key generator. On a standard home PC, it takes less than a minute to brute-force the full set of possible Polyglot decryption keys -- which gives you an idea of how weak the malware actually is. This weakness also provided a path for Kaspersky to exploit to create the decryption tool.

Anton Ivanov, senior malware analyst at Kaspersky Lab, commented:

If you are suffering from a different type of ransomware, it is worth checking out the No More Ransom project to see which decryption tools are available to you. The project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and Intel Security, designed to help users recover their data without giving in to the cybercriminals and paying up.

Article source
13. Trojan can steal passwords, log keystrokes

Two spam email samples spreading the new trojan

Bitdefender security researchers say they've uncovered a spam flood spreading booby-trapped Microsoft Publisher (PUB) files laced with a new trojan that opens a backdoor on infected computers. The company says it detected a few thousand of these emails in a short period, all containing .pub files attached to the email messages. The spam itself claimed to come from various brands in the UK and China and tried to pass as orders and invoices.

PUB file -> VBScript -> AutoIt script -> Backdoor Trojan

The attached PUB file, when opened, would trigger a VBScript that downloads a self-extracting cabinet (CAB) file on the user's PC. This file contains an AutoIt script, a tool for running the AutoIt script, and a file encrypted with the AES-256 algorithm. Bitdefender's team noticed that a string from the AutoIt script serves as the decryption key for the latter file. The encrypted file is actually a backdoor trojan that allows crooks to connect to the infected PC.

Trojan can log keystrokes, steal passwords

This trojan can also log keystrokes, record passwords as they're typed into login forms, dump passwords from browsers and email clients, gather information about the infected system, and more. Bitdefender's team hasn't bothered naming the malware, which is currently detected only as Generic.Malware.SFLl.545292C. The PUB files spreading the trojan are detected in security alerts as W97M.Downloader.EGF.

What's strange about this malware distribution campaign is the usage of PUB files, specific to Microsoft's Publisher application, one of the apps included in the Office 365 suite. ".pub is not your typical file format to host malware," Adrian Miron, Head of Antispam Lab at Bitdefender, says. "Spammers have chosen it because people don’t usually associate this type of file with the possibility of infection."

Article source
14. These days, parents can easily end up installing RATs instead of legitimate parental control software

Parents looking for a way to monitor their child's online activities may turn to malware known as Remote Access Trojans (RATs) due to their proliferation and low cost. There's a difference between RATs and parental control software, which some might also call spyware. Unlike the latter, RATs don't come with blocking features.

Parental control software, while it's as intrusive as RATs and logs certain details about how a child uses his device, does provide a parent with the ability to block certain apps from the device, proving to be useful in some other way than just spying on kids. On the other hand, RATs don't provide a similar feature. Parents looking into installing parental control software might cross the boundary from legitimate software to full-on malware due to a lack of understanding of what differentiates the two products.

It's easy to end up on a RAT's homepage these days

Parents looking at software packages like mSpy, TeenSafe, Mobile Fence, or PhoneSheriff, all legitimate parental control software, might very easily end up installing malware like Revenge, Orcus, Ozone, JBifrost (Adwind), Remcos, or Darktrack. All of these are commercially available RATs advertised on legitimate-looking sites as remote administration tools or parental control software when they don't provide anything outside the ability to sniff on the computers they infect. The price points at which these products are sold are the same as for commercial parental control software.

Parents should stick with known & reviewed brands only

In some cases, RATs come backdoored out of the gate by the crook distributing them, so while the parent keeps an eye on his kid, the RAT author is keeping an eye on both. Parents should always do research before buying or installing anything on their kids' devices.

There's a growing trend around the world of parents deploying apps on their kids' smartphones to monitor and block calls, SMS, and apps, just like there's a trend for kids to install apps to hide their activities from parental control software. Parents should be very careful about the products they choose to deploy. Telling kids that they keep an eye on the way they use their devices is also recommended, so that parents avoid losing the child's trust and alienating them in the end.

Article source
15. Doctor Web’s specialists have discovered a new Linux Trojan written in the Rust programming language. The Trojan has been named Linux.BackDoor.Irc.16.

Linux.BackDoor.Irc.16 is a typical backdoor program that executes commands issued by cybercriminals via the IRC (Internet Relay Chat) protocol. The Trojan connects to the public chat channel specified in its configuration and awaits its instructions. The Trojan can execute just four commands. It can connect to a specified chat channel; send cybercriminals information about an infected computer; send cybercriminals data about the applications running in a system; and delete itself from an infected machine.

Unlike the majority of its counterparts, Linux.BackDoor.Irc.16 is written in Rust, a programming language whose creation was sponsored by Mozilla Research. Its first stable version was released in 2015. Linux.BackDoor.Irc.16 was designed to be a cross-platform Trojan—to make a version for Windows, for example, cybercriminals can just recompile this malware program.

Doctor Web’s analysts believe that Linux.BackDoor.Irc.16 is, in fact, a prototype (Proof of Concept), because it cannot replicate itself, and the IRC channel used by the Trojan to receive commands from cybercriminals is not currently active. The signature for Linux.BackDoor.Irc.16 is already in the Dr.Web for Linux database, and it is successfully detected and removed by Doctor Web Anti-virus products.

More about this Trojan

Article source
16. Betabot Trojan Steals Your Passwords and Then Installs Ransomware

Money-hungry crooks find a new way to monetize their tool

The crooks behind this new wave of attacks have modified Betabot and added an extra step in an attempt to monetize their malware further. According to a report from Invincea, this modification appeared when Betabot also changed its distribution method. Before this, Betabot infected victims via exploit kits (EK), with a recent campaign leveraging the Neutrino EK.

Towards the end of July, Betabot's crew started leaning on spam campaigns to deliver their trojan. These spam emails contained a file attachment, a Word file modified to contain malicious macro scripts. If the user activated macro support in Microsoft Office, the scripts would download and install Betabot.

The trojan worked as usual by dumping passwords from a series of applications such as browsers and email clients and sending them to a command and control server. What Invincea and other researchers saw differently from past EK-delivered Betabot versions was that this new variant also downloaded the Cerber ransomware after it stole the passwords. The crooks were encrypting data on infected PCs after stealing what they were initially after.

"This marks the first time that a weaponized document with password stealing malware has called ransomware as a second stage attack," Pat Belcher of Invincea explains. "This is an evolution in maximizing the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques."

Source
17. MICROSOFT HAS taken the trouble to warn Windows users about an attack that takes what trust people have left in the software and throws it out of the window. The firm explained that the problem involves macros and the use of social engineering. People are tricked into downloading and then enabling malicious content that ultimately leads to trouble when they innocently use Word.

"Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigation investments in Windows," said the firm in a Microsoft TechNet blog post suggesting that this is a cheap shot by hackers. "Tricking a user into running a malicious file or malware can be cheaper for an attacker than building an exploit which works on Windows 10. We recently came across a threat that uses the same social engineering trick but delivers a different payload."

Microsoft explained that the payload's primary purpose is to change a user's browser Proxy Server setting, which could result in the theft of authentication credentials or other sensitive information. "We detect this JScript malware as Trojan:JS/Certor.A. What's not unique is that the malware gets into the victim's computer when the victim clicks the email attachment from a spam campaign," the post said.

Microsoft added that people really ought not to click on links from people or outfits that they do not know or trust. This is good, if perhaps hoary and often ignored, advice. "To avoid attacks like we have just detailed, it is recommended that you only open and interact with messages from senders and websites that you recognise and trust," explained the firm. "For added defence-in-depth, you can reduce the risk from this threat by following [our] guidance to adjust the registry settings to help prevent OLE Embedded Objects executing altogether or running without your explicit permission."

Just don't click untrusted links, people.

Article source
18. Trojan Uses Recently Disclosed UAC Bypass to Install Fake Chrome Browser

Fake Chrome browser used to show ads to infected users

Outfire, which is a Chromium-based browser, looks very much like Chrome, with minimal changes to its setup. As such, the browser makes a fine choice for tricking the user into thinking they're using Chrome, when they're not.

Mutabaha was created between August 15 and 18

The Mutabaha trojan is one of the latest additions to the malware market. At this moment, researchers don't know how crooks are distributing the trojan to victims, but they found out how it infects their computers. Russian security vendor Dr.Web says the trojan uses a UAC bypass technique to execute a series of files and commands on infected PCs without triggering the Windows UAC (User Account Control) alert.

The technique was only recently disclosed by two security researchers on August 15, two weeks ago. Their UAC bypass technique, which we explained in a previous article, uses the Windows Event Viewer built-in utility to skirt UAC protections. Dr.Web says that Mutabaha appeared just three days after researchers published their UAC bypass method. When users run the trojan, it uses a system registry key to launch a program with elevated privileges that downloads and installs a malware dropper and a BAT file.

Crooks replace default Chrome with new browser called Outfire

This malware dropper downloads the Outfire browser and installs it automatically. After the installation ends, the BAT (Windows Batch) file deletes the malware dropper. During installation, Outfire adds itself to the Windows Registry to gain boot persistence, removes Google Chrome shortcuts from the system, and imports Chrome settings into its own. At the end of the installation, Outfire uses a list of 56 names for known browsers and kills all their Windows processes.

The modified Outfire version features a non-changeable homepage, a fixed extension that inserts ads on all visited web pages, and a custom search engine instead of Google.

Source
19. When fabs go rogue

Scientists at the NYU Tandon School of Engineering have designed a new form of application-specific integrated circuit (ASIC) designed to spot hidden vulnerabilities deep within a processor's design.

Very few people run their own chip fabrication plants these days. Most processors are designed by one firm, which then outsources the actual building of the hardware to a company that has already spent many billions putting together a manufacturing facility. The fear is that a contractor might try and slip in a hidden piece of architecture that could make the hardware insecure.

The ASIC that he and his team have designed would constantly scan the main processor for errors that could be indicative of a hardware trojan at work. You'd have to make sure the ASIC was built by a totally trusted fab operator, but once that was done, it should protect against built-in problems.

"Under the current system, I can get a chip back from a foundry with an embedded Trojan. It might not show up during post-fabrication testing, so I'll send it to the customer," said Siddharth Garg, an assistant professor of electrical and computer engineering - part of a five-person US research team. "But two years down the line it could begin misbehaving. The nice thing about our solution is that I don't have to trust the chip because every time I give it a new input, it produces the output and the proofs of correctness, and the external module lets me continuously validate those proofs."

The team are now working on improving the design so that it limits the amount of processing time and power needed to check for hidden trojans or security flaws, and then get a chip built for testing - hopefully from a trusted supplier.

Article source
20. File-In-The-Middle Hijackers

We are not sure if this is going to be a new trend among browser hijackers, but it seems more than a coincidence that we found two browser hijackers using a very similar approach to reach their goal of taking victims to the sites of their choice. Both are using one of their own files to act as a file-in-the-middle between the user and the browser. Let’s compare them.

Dotdo Audio

Dotdo is a strain of hijackers that we have discussed before for using different and more “out of bounds” methods to get the job done. I named this variant “audio” because it uses audio advertisements. But that is not our focus here. It’s the replacement of browser executables with their own that raised our interest.

The installer renames the files firefox.exe and chrome.exe, if present, and adds a number to the filename. It then hides these renamed files and replaces them with its own files. The screenshot above shows you the hidden and renamed Chrome file, in the same folder as the replacement. I changed the settings for hidden files so that we can see them. In a similar screenshot below we can see that the same was done for Firefox. Note that all the changes are misdated; they were all made 8/10/2016.

For the hijacker using the method of replacing files this has the advantage that they don’t have to follow the more common method of altering shortcuts. All the shortcuts the user has on his desktop, start menu, taskbar, and anywhere else can stay the same, as the folder and filename they are pointing to are still valid and now under control of the hijacker. Then, when the false browser is started, the hijacker will trigger the renamed chrome.exe and add some extra instructions. As a result the victim will be able to surf as he expected and probably ask himself where the audio advertisements are coming from.

HPRewriter2

This one was named after the entry it makes in the list of installed Programs and Features. The browsers are hijacked to open with traffic-media[dot]co by altering the browser shortcuts for:

Chrome
Firefox
Internet Explorer
Opera
Yandex

The target of the shortcuts is altered to C:\Users\{username}\AppData\Roaming\HPRewriter2\RewRun3.exe {version number} as shown in the example below. Triggering Rewrun3.exe without a version number accomplishes nothing (it will not run), but with the version number forwarded by the shortcuts, Rewrun3 opens the targeted browser with the traffic-media[dot]co site or one of their redirects.

Summary

We discussed two hijackers from very different families and using different methods, but they also had a few things in common. They want the victims to hear/see their advertisements, and they used a file-in-the-middle between the browser shortcuts and the actual browser in order to alter the browser's behavior to meet their goals.

Additional information

File properties:

Dotdo hijack installer SHA1: 0d16eae1f5748410fa047daa533d0ebbd994ea1c
Firefox.exe (fake) SHA1: 53a77f64595b1fb65a88247a324458f569e3d12a
Chrome.exe (fake) SHA1: 501c9a6b224f58773b603675a71624d7e7353d1f
HPRewriter2 installer SHA1: f96399f3b91218f30a9e58fce8009eaab5521398
Rewrun3.exe SHA1: 117db3909a2507e162a6361be1f4e5950f017e7d

Removal guides:

Dotdo Audio
HPRewriter2

Protection and detection

Because of the intrusive changes the Dotdo installer makes, it was classified as a Trojan. The resulting changes to the system are detected and removed as PUP.Optional.DotDo and PUP.Optional.MultiPlug. Likewise, some of the main files involved in the HPRewriter2 hijack are detected as Trojans. The resulting changes to the system are detected and removed as PUP.Optional.HPDefender. As a result of the Trojan detections, Malwarebytes Anti-Malware Premium users are protected against these threats even if they don’t have the Non-Malware Protection enabled. Save yourself the hassle and get protected too.

Source
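Both hijackers above leave artifacts that are easy to check for without a security product: Dotdo leaves a hidden, renamed copy of the real browser next to an unsigned look-alike under the original name, and HPRewriter2 leaves shortcuts whose target points into AppData rather than the browser's install directory. The following is an added example, not code from the Malwarebytes post or any of its tools, that audits a Windows host for both artifacts with Get-AuthenticodeSignature and the WScript.Shell shortcut COM object. The browser install directories it inspects are the default Chrome and Firefox locations and are an assumption; adjust them for other browsers or non-default installs.

```powershell
# Added example (not from the Malwarebytes post): look for the two
# file-in-the-middle artifacts described above.
#  1) Dotdo: real chrome.exe/firefox.exe renamed (chrome1.exe etc.), hidden,
#     and replaced by an unsigned binary under the original name.
#  2) HPRewriter2: browser shortcuts retargeted to a launcher under AppData.

# Assumption: default install locations for Chrome and Firefox.
$browserDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
) | Where-Object { $_ -and (Test-Path $_) }

function Get-SuspiciousBrowserBinaries {
    foreach ($dir in $browserDirs) {
        # -Force makes hidden files visible to the listing.
        Get-ChildItem -Path $dir -Filter '*.exe' -Force | ForEach-Object {
            $sig    = Get-AuthenticodeSignature $_.FullName
            $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            # A browser name with a numeric suffix is the Dotdo rename pattern.
            $renamedBrowser = $_.Name -match '^(chrome|firefox)\d+\.exe$'
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            if ($hidden -or $renamedBrowser -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Hidden    = $hidden
                    Signature = $sig.Status
                    Signer    = $signer
                }
            }
        }
    }
}

function Get-SuspiciousShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    # Shortcut locations a hijacker would need to cover: desktop, start menu,
    # and the taskbar pins under Quick Launch.
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
    ) | Where-Object { $_ -and (Test-Path $_) }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                # A browser shortcut should target Program Files, not a per-user
                # or temp directory; the HPRewriter2 target lives under AppData.
                if ($lnk.TargetPath -match '\\AppData\\|\\ProgramData\\|\\Temp\\') {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

Get-SuspiciousBrowserBinaries | Format-Table -AutoSize
Get-SuspiciousShortcuts      | Format-Table -AutoSize
```

A valid Authenticode signature from Google or Mozilla on chrome.exe or firefox.exe rules out the Dotdo swap; an unsigned file under that name sitting beside a hidden chrome1.exe is the pattern the post describes. For the shortcut check, the Arguments column matters as well, since Rewrun3.exe only does anything when the shortcut passes it the version number.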
  21. New infostealer focuses only on the important files New infostealer steals only important files Threat actors are circulating a new type of infostealer trojan that will search for eleven file types and upload them to a C&C server. The files it targets are specific to enterprise environments, being mostly extensions associated with Microsoft Office applications. Based on a sample of the trojan, crooks are distributing this threat as a file named Aug_1st_java.exe, which currently has a very low detection rate on VirusTotal, 34/55. The distribution method is currently unknown, and it could be either via spam or via watering hole attacks. As is the case with almost all malware programs today, when users install this trojan, it will modify the Windows Registry to gain the ability to start automatically after the user reboots their computer. Trojan disguises as Google Chrome process Current versions of this yet unnamed infostealer trojan disguise themselves as the process of the Google Chrome browser, as pictured below. Right after it is installed, the trojan will collect data about the current computer and direct it to its C&C server, to which it sends communications via the MSMQ (Windows Message Queuing) protocol. The data it gathers includes the computer's name, the username, the version of Windows, the service pack version, and a list of currently installed applications. Trojan uses hacked websites to hide its C&C server The server it was caught communicating with by Lawrence Abrams, malware analyst for Bleeping Computer, is located at web4solution.net. When he contacted the company in charge of the domain, it came to light that their site had been compromised and loading a hidden iframe that relayed traffic to the real C&C server. The company cleaned their site, but the C&C server remained active and will continue to work, presumably with another redirect through another hacked website. 
Infostealer targets only eleven file types

After the trojan reports to the C&C server, its malicious operations continue: it starts scanning the infected computer for eleven file types: INP, SQL, PDF, RTF, TXT, XLSX, XLS, PPTX, PPT, DOCX, and DOC. Most of these are Office extensions, but others, such as INP (Abaqus/CAE input files, used in engineering), SQL (database scripts) and PDF (documents), point at data typically found on enterprise networks. The trojan uploads all files with these extensions to its C&C server and then writes a log to C:\Users\[username]\uninst.dll.

"Corporate cybercrime and information theft has become a very lucrative business for malware developers," Abrams explains. "Not only does it allow them to steal corporate secrets to sell to the highest bidder, but it can also provide them with undisclosed financial reports that can be used on the stock market."

Trojan hiding as chrome.exe process

Article source
22. Backdoor Trojan Uses TeamViewer Components to Spy on PCs in Europe, Russia, US

Crooks also delivering keyloggers and password stealers

The concept is not new by any means: crooks have employed TeamViewer in the past, packaging the legitimate app alongside their malware and using it to turn the user's PC into a web proxy. That particular trojan, BackDoor.TeamViewer.49, did not allow the crooks to steal anything, only to relay traffic through the victim, but this newer variant does, according to Dr.Web security researchers. In fact, the two variants appear to be related: both use stripped-down versions of the TeamViewer application in which the avicap32.dll file is replaced with a malicious version that loads the trojan's functionality.

Trojan includes many self-defense mechanisms

The infection starts when users install applications that silently bundle the stripped-down TeamViewer version. Whenever this modified TeamViewer starts, it loads avicap32.dll, a DLL it depends on. The crooks modified this DLL to act as a loader for the BackDoor.TeamViewerENT trojan, which runs from memory without a file of its own on disk; this makes antivirus detection harder. The modified DLL also contains functions that suppress TeamViewer's error messages, so the program does not give away the trojan's presence. Another feature is that whenever the user starts Windows Task Manager or Process Explorer, the trojan terminates its parent TeamViewer process so that it does not show up in the process list.

Backdoor trojan includes lots of RAT-looking features

After this, BackDoor.TeamViewerENT.1 behaves like a regular backdoor: it communicates with its C&C server, from which it receives various types of commands.
The trojan can restart or shut down the computer, remove or relaunch its parent TeamViewer process, listen through the microphone, access the webcam, download and execute files, run command-line instructions, and connect to specified remote servers. These are full-on RAT features. Additionally, Dr.Web says it observed a campaign in which crooks used the trojan to download and install other malware such as keyloggers and password stealers.

During their investigation, the researchers found the trojan very active, especially against Russian users but also against users in the UK, Spain, and the US. Attackers switched their focus to US targets in August, the vendor says.

Some of this trojan's other names are Spy-Agent, TVSPY, TVRAT, and Teamspy. Last week, Kaspersky found that the criminal group distributing the Shade ransomware had also integrated this trojan into their distribution channel, using it to spy on infected machines and decide whether they were valuable targets. Kaspersky says the crooks specifically focused on accounting departments at Russian-speaking companies.

TeamViewer, a legitimate application, is not the only remote-access tool abused by cyber-criminals in the past month. The same happened to LogMeIn, another remote desktop utility, which crooks used together with the PosCardStealer PoS malware: the group broke into computers that had LogMeIn installed and left their PoS malware behind.

Source
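The avicap32.dll trick above is a DLL search-order hijack: avicap32.dll is a Windows DLL that normally lives in System32, and a copy placed in the application directory is loaded first under the default search order, so the trojanised TeamViewer never touches the genuine file. A cheap way to hunt for this on a collected disk image or a live host is to list DLLs in an application directory that have the same name as a system DLL and whose content differs from the System32 copy. The block below is an added example (not Dr.Web's code, not from the article) that does exactly that over a constructed directory tree built in a temp folder; the file contents, the TeamViewer directory layout and the KNOWN_SYSTEM_DLLS list are assumptions for illustration.

```python
"""Flag DLLs in an application directory that shadow Windows system DLLs (search-order hijack check)."""
import hashlib
import os
import tempfile

# System DLL names often planted next to signed executables. Assumed list for this example;
# on a real host build the baseline from that machine's own System32 listing instead.
KNOWN_SYSTEM_DLLS = {"avicap32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll"}


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(app_dir: str, system_dir: str) -> list:
    """Return (dll name, app copy hash, system copy hash or None) for every DLL in app_dir
    that collides with a system DLL name and whose content differs from the System32 copy."""
    findings = []
    system_names = {n.lower() for n in os.listdir(system_dir)}
    for name in sorted(os.listdir(app_dir)):
        lname = name.lower()
        if not lname.endswith(".dll"):
            continue
        if lname not in system_names and lname not in KNOWN_SYSTEM_DLLS:
            continue  # application-private DLL: no search-order collision possible
        app_hash = sha256_file(os.path.join(app_dir, name))
        sys_path = os.path.join(system_dir, name)
        sys_hash = sha256_file(sys_path) if os.path.exists(sys_path) else None
        if app_hash != sys_hash:
            findings.append((lname, app_hash, sys_hash))
    return findings


def build_sample_tree() -> tuple:
    """Constructed stand-ins for System32 and a TeamViewer install directory (not real binaries)."""
    root = tempfile.mkdtemp(prefix="sideload_")
    system_dir = os.path.join(root, "System32")
    app_dir = os.path.join(root, "TeamViewer")
    os.makedirs(system_dir)
    os.makedirs(app_dir)
    files = {
        (system_dir, "avicap32.dll"): b"MZ genuine avicap32 stub",
        (system_dir, "kernel32.dll"): b"MZ kernel32 stub",
        (app_dir, "TeamViewer.exe"): b"MZ teamviewer stub",
        (app_dir, "tv_w32.dll"): b"MZ private helper dll",    # app-private, must be ignored
        (app_dir, "avicap32.dll"): b"MZ trojanised loader",    # shadows the System32 copy
    }
    for (directory, filename), content in files.items():
        with open(os.path.join(directory, filename), "wb") as f:
            f.write(content)
    return app_dir, system_dir


if __name__ == "__main__":
    app, sysdir = build_sample_tree()
    for dll, app_hash, sys_hash in find_shadowed_dlls(app, sysdir):
        print(f"{dll}: app copy {app_hash[:12]} differs from System32 copy {(sys_hash or 'absent')[:12]}")
```

A matching hash only proves the two copies are identical, not that either is genuine; on Windows follow up any hit by checking the Authenticode signature of both files (for example with Get-AuthenticodeSignature in PowerShell), since the legitimate avicap32.dll is Microsoft-signed and a loader stub will not be.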
23. Crooks use RAT to assess the financial status of infected victims and decide on how much money to ask for

New Shade ransomware version delivers a RAT to Russian businesses

The crooks behind the most recent versions of Shade have added an interesting twist to their malware: on infected systems they install a modified version of TeamViewer so they can spy on their targets and adjust the ransom demand accordingly. This new Shade version only targets Russian companies that run accounting software on their computers.

New Shade version delivers a RAT, but only to Russian businesses

Kaspersky researchers say that this new Shade version, before encrypting anything, checks the computer name during its installation routine for strings such as "BUH," "BUGAL," "БУХ," and "БУГАЛ." These strings are likely to be found on computers used by the accounting departments of Russian-speaking companies. If Shade finds any of these strings, it stops the ransomware installation and instead delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent.

The trojan contains a modified version of TeamViewer 6 that the malware authors altered to hide its GUI. It also includes the legitimate 7-Zip archiving tool and the NirCmd command-line utility. Furthermore, the crooks also install the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and to work with the RDP protocol. Together, the utilities delivered inside Teamspy let the crooks modify OS settings on infected systems, open an RDP connection, and connect to the infected system via TeamViewer.

Crooks using Teamspy to determine the proper ransom sum

Kaspersky suggests that the crooks use Teamspy's RAT (Remote Access Trojan) features to gather intelligence on the infected computer and determine an appropriate ransom sum.

"The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash," suggests Kaspersky's Fedor Sinitsyn.

Teamspy is quite a powerful RAT: it allows a crook to record audio from infected systems, record the victim's desktop, run terminal commands, and download and install other executables.

Crooks are delivering the Shade ransomware at a later point

This last feature is most likely used to deliver the Shade ransomware later, after the crooks have deemed the target important and decided on the ransom amount. Shade is one of today's most widespread ransomware families, but Kaspersky researchers have broken its encryption and provide a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.

This is not the first time malware has specifically targeted Russian businesses. In late June, Dr.Web discovered a trojan written in 1C, a programming language used mostly in Russia. That trojan delivered ransomware to companies using 1C:Enterprise, a popular accounting platform in Russia.

Shade ransomware website

Article source
24. The trojan downloader Nemucod is back with a new campaign. This time, however, it has changed the payload it serves to its victims: ransomware is no longer its go-to malware. Currently the "weapon of choice" is a backdoor detected by ESET as Win32/Kovter, in this instance mainly focused on ad-clicking.

As a backdoor, this trojan allows the attacker to control the machine remotely without the victim's consent or knowledge. The variant currently in use can perform four main activities:

1. Download and run a file,
2. Gather various information and send it to a C&C server,
3. Store its own configuration data in Windows Registry entries, and
4. Control its own "click function".

In the recently observed wave, malware operators are mainly focusing on the ad-clicking capability delivered via an embedded browser. The trojan can activate as many as 30 separate threads, each visiting websites and clicking on ads. The number of threads can change on command from the attacker, and Kovter can also adjust it automatically, since it monitors free memory and CPU usage. This keeps the trojan from overloading the system and helps it maintain a low profile. However, when the computer is idle, the malware may allocate more resources to its activities until further user activity is detected. When enabled in Kovter's configuration, it can also check whether the infected machine runs in a controlled or virtual environment and report this to the attacker.

To deliver Kovter, the attackers behind the campaign use the Nemucod downloader disguised as an email ZIP attachment. Posing as a fake invoice, the cybercriminals try to convince users to open it, unaware that it contains a malicious, directly executable JavaScript (.js) file. This technique is used to evade detection by some mail scanners and to reach as many victims as possible.
If the user falls for the trap and executes the file, the Nemucod downloader downloads Kovter onto the machine and runs it.

Similar Nemucod campaigns have been around for quite some time. ESET warned the public of the threat in late December 2015 and again in March 2016. However, past waves primarily tried to download ransomware families, most frequently Locky or the now discontinued TeslaCrypt, instead of the current ad-clicking backdoor.

How can you avoid this threat?

If your email client or server offers attachment blocking by extension, consider blocking emails with *.EXE, *.BAT, *.CMD, *.SCR and *.JS files attached.

Make sure your operating system displays file extensions. This helps identify the true type of a file in case of dual-extension spoofing (e.g. "INVOICE.PDF.EXE" is not displayed as "INVOICE.PDF").

If you frequently and legitimately receive these types of files, check who the sender is, and if anything looks suspicious, scan the message and its attachments with a reliable security solution.

Article source
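The two defensive recommendations above (block risky extensions, do not be fooled by dual extensions) only help if the check also looks inside the ZIP container that the Nemucod lure arrives in. The block below is an added example, not ESET's code or anything from the article, of a mail-gateway style attachment policy written with Python's standard email and zipfile modules: it applies the article's extension list to each attachment, flags document-looking dual extensions, opens ZIP attachments to apply the same rules to their members, and reports encrypted members it cannot inspect. The fake-invoice message, the ZIP with INVOICE.PDF.js inside it, the addresses and the DECOY_EXTENSIONS list are all constructed for the example.

```python
"""Attachment policy: blocked extensions, dual extensions, and ZIP members (including encrypted ones)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".js"}            # the article's list
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}   # assumed document-like decoys
ARCHIVE_EXTENSIONS = (".zip",)


def classify_filename(filename: str) -> list:
    """Return policy violations for one file name; an empty list means clean."""
    parts = filename.lower().rsplit(".", 2)  # 'invoice.pdf.js' -> ['invoice', 'pdf', 'js']
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if len(parts) == 3 and "." + parts[-2] in DECOY_EXTENSIONS and ext not in DECOY_EXTENSIONS:
        reasons.append(f"dual extension: looks like .{parts[-2]} but is {ext}")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Map each attachment (or 'archive/member') to its violations; clean files are omitted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons = classify_filename(name)
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(ARCHIVE_EXTENSIONS) and payload.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        member_reasons = classify_filename(info.filename)
                        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                            member_reasons.append("encrypted member; content cannot be scanned")
                        if member_reasons:
                            verdicts[f"{name}/{info.filename}"] = member_reasons
            except zipfile.BadZipFile:
                reasons.append("malformed zip archive")
        if reasons:
            verdicts[name] = reasons
    return verdicts


def build_sample_message() -> bytes:
    """Constructed fake-invoice email carrying a ZIP with INVOICE.PDF.js (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE.PDF.js", "var fso = new ActiveXObject('Scripting.FileSystemObject');")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice 2016-0817"
    msg.set_content("Please find attached the invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_2016-0817.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="terms.pdf")  # legitimate-looking attachment, should pass
    return msg.as_bytes()


if __name__ == "__main__":
    for item, why in scan_message(build_sample_message()).items():
        print(item, "->", "; ".join(why))
```

Checking names alone is a policy gate, not a verdict: a .js renamed to .txt passes this check, and a password-protected archive hides its members entirely, which is why the encrypted-member case is reported rather than silently allowed.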
25. Cybercriminals have always retained an interest in creating malware for the POS (point-of-sale) terminals used to process card payments. IT security specialists are aware of many POS Trojans that pass intercepted customer card data to criminals. A modification of one such Trojan was recently examined by Doctor Web's security researchers.

The Trojan, named Trojan.Kasidet.1, is a modified version of Trojan.MWZLesson. For more information about that threat, read the article Doctor Web published in September 2015. Trojan.MWZLesson can also intercept GET and POST requests sent via the Mozilla Firefox, Google Chrome, Internet Explorer, and Maxthon browsers.

Trojan.Kasidet.1 is distributed as a ZIP archive containing an SCR file, which is a self-extracting SFX-RAR archive. This file extracts and runs the main malicious payload. The Trojan first checks whether a copy of itself is already running and whether any virtual machines, emulators, or debuggers are present on the system. If Trojan.Kasidet.1 finds a program that could hinder its operation, it terminates itself. Otherwise it elevates to administrator privileges and relaunches itself. Even though User Account Control (UAC) shows a warning on the screen, the potential victim is thrown off guard because the application requesting elevation (wmic.exe) appears to have been developed by Microsoft:

The wmic.exe utility then runs the executable file of Trojan.Kasidet.1. Like Trojan.MWZLesson, it scans the computer's memory for bank card track data read by the POS terminal and transmits it to the Trojan's command and control (C&C) server. In addition, it steals passwords for the Outlook, Foxmail, and Thunderbird email applications and can inject itself into the Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers to intercept GET and POST requests.
The malware can also download and run another application or a malicious library on the infected computer, find a particular file on disk, or generate a list of running processes and transmit it to the C&C server. However, unlike Trojan.MWZLesson, Trojan.Kasidet.1 keeps its C&C server addresses in a decentralized domain zone, .bit (Namecoin). Namecoin is a blockchain-based naming system derived from Bitcoin; its .bit names are not part of the public DNS root, so ordinary browsers cannot resolve them. Trojan.Kasidet.1 therefore uses its own algorithm to obtain the IP addresses of its C&C servers. Although malware using Namecoin has been known since 2013, it is not often seen in the wild compared with other Trojans.

Dr.Web Anti-virus successfully detects and removes this Trojan, so this malicious program poses no threat to Dr.Web users.

More about this Trojan

Article source
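Two of Kasidet's behaviours above leave log traces a detection engineer can hunt for: a payload started through wmic.exe with the elevation prompt signed by Microsoft, and name resolution for a .bit domain that the public DNS cannot answer. The block below is an added example of that triage logic (mine, not Doctor Web's and not from the article) run over constructed process-creation and DNS-query events in a simple key=value format of my own, not a real Sysmon export. One detail goes beyond the article: a process started through WMI's Win32_Process.Create (which is what "wmic process call create" invokes) appears as a child of WmiPrvSE.exe rather than of wmic.exe, so the rules look for both the wmic.exe command line and the WmiPrvSE.exe parent. The paths, user name and the example-c2.bit name are invented.

```python
"""Triage constructed process/DNS events for WMIC-launched payloads and Namecoin .bit lookups."""
import re

# 'EventType key=value key="quoted value"' lines; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Directory markers an unprivileged user can write to (assumed list)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_event(line: str) -> dict:
    """Split a constructed log line into a field dictionary (EventType plus key=value pairs)."""
    event_type, _, rest = line.partition(" ")
    fields = {"EventType": event_type}
    for key, value in KV_RE.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(lines) -> list:
    """Return (rule name, parsed event) pairs for every event that matches a hunting rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventType"] == "ProcessCreate":
            # wmic.exe told to create a process from a user-writable directory
            if image.endswith("\\wmic.exe") and "process call create" in cmd and in_user_writable(cmd):
                findings.append(("wmic_launch_from_user_dir", ev))
            # the resulting child: spawned by the WMI provider host, not by wmic.exe itself
            if parent.endswith("\\wmiprvse.exe") and in_user_writable(image):
                findings.append(("wmi_spawned_user_dir_binary", ev))
        elif ev["EventType"] == "DnsQuery":
            # .bit is a Namecoin zone; a normal resolver cannot answer it, so any query is a signal
            if ev.get("QueryName", "").lower().endswith(".bit"):
                findings.append(("namecoin_bit_lookup", ev))
    return findings


# Constructed events: a Kasidet-like SFX payload elevating through WMIC, then resolving a .bit C&C
SAMPLE_EVENTS = [
    r'ProcessCreate Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Users\pos1\AppData\Local\Temp\RarSFX0\setup.exe CommandLine="wmic process call create C:\Users\pos1\AppData\Local\Temp\RarSFX0\setup.exe" IntegrityLevel=High',
    r'ProcessCreate Image=C:\Users\pos1\AppData\Local\Temp\RarSFX0\setup.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="C:\Users\pos1\AppData\Local\Temp\RarSFX0\setup.exe" IntegrityLevel=High',
    r'ProcessCreate Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="wmic os get caption" IntegrityLevel=Medium',
    r'DnsQuery Image=C:\Users\pos1\AppData\Local\Temp\RarSFX0\setup.exe QueryName=example-c2.bit',
    r'DnsQuery Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.example.com',
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "<-", ev.get("Image"), ev.get("CommandLine") or ev.get("QueryName"))
```

The benign "wmic os get caption" line and the ordinary Firefox lookup are included so the rules can be seen not firing; in production the .bit rule would also cover queries sent to the alternative resolvers that do serve Namecoin names, since a sample that resolves .bit by its own algorithm may never ask the local resolver at all.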