- Virus -

Last update 09.10.2017 13:47:12

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6 

BackSwap Trojan Uses New Browser Monitoring and Injection Techniques
29.5.2018 securityweek

A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.

Dubbed BackSwap, the malware no longer relies on complex process injection methods to keep track of browsing activity, but hooks key window message loop events instead.

“This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks,” the security firm explains.

ESET has been tracking the actor behind this Trojan since January 2018, when they were employing clipboard malware. The hackers started using BackSwap only in March but focused heavily on its development, releasing new versions almost daily.

To distribute the malware, the actor uses malicious emails carrying a heavily obfuscated JavaScript downloader known as Nemucod. Mainly targeting Polish users, BackSwap was often found on machines also infected with Nymaim, but a strong connection between the two malware families is yet unclear.

BackSwap is delivered as modified versions of legitimate apps, with the malicious code being launched during initialization and the original code never used again, meaning that the application doesn’t work at all (as would be the case with Trojanized software).

This shows a focus on increasing stealth instead of tricking the user into believing they are running the legitimate app and also makes the malware more difficult to spot. The Trojan immediately copies itself into the startup folder to ensure persistence, and then proceeds with its nefarious functionality.

Unlike typical banking malware that injects itself into the browser’s process address space, then hooks browser-specific functions to start modifying traffic, BackSwap only works with Windows GUI elements and simulates user input.

The malware installs event hooks for a specific range of events to monitor the visited URL. It then looks for bank-specific URLs and window titles in the browser to determine when the victim is getting ready to make a wire transfer. Finally, it loads the malicious JavaScript appropriate for the corresponding bank from its resources and injects it into the browser.

Older variants injected the malicious script into the clipboard, simulate opening the developer’s console to pasting the clipboard content there, execute the content of the console, and then close the console. Now, the script is executed directly from the address bar, via JavaScript protocol URLs.

The malware can target Chrome, Firefox, and Internet Explorer (in most recent versions), but the method should work on most browsers today, as long as they have a JavaScript console available or support execution of JavaScript from the address bar, ESET reveals.

A specific script is used for each targeted bank and injected into pages the malware identifies as initiating a wire transfer request. The script replaces the recipient’s bank account number with a different one, which results in money being sent to the attacker’s account instead.

“Any safeguards against unauthorized payment, such as 2-factor authorization, won’t help in this case, as the account owner is willingly sending the wire transfer,” ESET explains.

BackSwap has targeted five Polish banks in the past (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), but recent variants only target three (PKO BP, mBank and ING).

Older versions relied on command and control (C&C) servers hosted on hacked WordPress websites to retrieve the fraudulent bank account numbers, but recent variants store these account numbers directly in the malicious scripts (the account numbers change often, the researchers say).

The Trojan only steals money if the wire transfer amount is in the 10,000 - 20,000 PLN range (around $2,800 – $5,600) USD.

FBI Attribution of 'VPNFilter' Attack Raises Questions
28.5.2018 securityweek  

Information shared by the FBI on the massive VPNFilter attack in which more than half a million devices have been compromised raises some interesting questions about the connection between Russia-linked hacker groups.

The existence of VPNFilter was brought to light last week by Cisco Talos and several other cybersecurity firms. The botnet is powered by at least 500,000 hacked routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

Many of the hijacked devices are located in Ukraine and a separate command and control (C&C) infrastructure has been set up for devices in this country. Researchers also spotted code similarities to the BlackEnergy malware and pointed out that there are only a few weeks until Ukraine celebrates its Constitution Day, which last year coincided with the destructive NotPetya attack. All this has led experts to believe that VPNFilter may mean Russia is preparing for a new attack on Ukraine.VPNFilter

Shortly after security firms published technical details on the attack, the U.S. Department of Justice announced that the FBI had seized toknowall.com, one of the C&C domains utilized by VPNFilter.

A press release and court documents name the Russia-linked threat actor Sofacy as being behind the attack. While this is not surprising, one noteworthy piece of information is that U.S. authorities say Sofacy is also known as APT28, Pawn Storm, Fancy Bear, Sednit, X-Agent, and Sandworm.

Sandworm, also tracked by some security companies as TeleBots, is a threat actor known to use the BlackEnergy malware in attacks aimed at industrial systems and it’s believed to be responsible for the 2015 power outage in Ukraine. However, Sandworm was until now seen as a separate group from Sofacy.

SecurityWeek has reached out to the Justice Department and the FBI for clarifications, but the organizations say they “do not have a comment outside what is included in the DOJ press release.”

Industry professionals, however, have offered some possible explanations as to why the FBI may see Sofacy and Sandworm as the same group.

“Sandworm is a similar team whose interests overlap with APT 28. We believe these actors are related and act accordingly,” Craig Williams, director of outreach with Cisco Talos, told SecurityWeek.

Vikram Thakur, principal research manager at Symantec Security Response, noted, “The intelligence community has the best shot at attributing attacks to individuals and organizations. Every security vendor groups attackers based on their own vantage into the attack landscape.

“Keeping in mind that attack groups themselves share knowledge, expertise, and resources, we don’t have any reason to question the grouping of Sofacy, Sandworm, X-Agent, and others that the FBI listed in their affidavit to seize a domain related to VPNFilter.”

Researchers at Kaspersky also found it curious that the FBI suggested Sandworm and Sofacy were one and the same.

“This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as subgroup of Sofacy by the FBI,” Kaspersky researchers said. “Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.”

Advice from the FBI and targeted device vendors

Rebooting a router is typically enough to remove a piece of malware from the device. However, VPNFilter has some clever persistence mechanisms that help its stage 1 component survive a reboot.

An alert issued on Friday by the FBI advises owners of small office and home office routers to reboot their devices to “temporarily disrupt the malware and aid the potential identification of infected devices.”

“Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware,” the FBI said.

The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

There is no evidence that the malware exploits any zero-day vulnerabilities to hack devices. Affected vendors noted that the flaws targeted by VPNFilter have already been patched and advised customers to update the firmware on their devices.

Researchers And The FBI Work Together to Take Down the Russian VPNFilter Botnet Targeting Home Routers
28.5.2018 securityaffairs

Researchers and the FBI are working together to take down the dreaded VPNFilter botnet composed of hundreds of thousands of compromised devices.
For several months, there have been rumors and vague warnings about highly skilled adversaries targeting critical infrastructure. Last week we learned some details about the warning, why you might be impacted and how the FBI is helping victims recover.
On May 23rd, Cisco’s security research arm Talos, released details about a “sophisticated modular malware system” they call VPNFilter.

The malware successfully infected over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR, and TP-Link as well as QNAP brand network storage devices. It appears the malware was targetted at victims in Ukraine, but the ubiquity of the Internet often means these attacks spread to a wider group of victims and infections have been found in over 54 countries.

Following the Talos release, the FBI announced it had taken control of the Command & Control (C&C) server for the botnet, effectively neutering the botnet.

We have seen similar compromises of small to medium business (SMB) equipment in the past (Mirai) where known vulnerabilities were exploited to gain control of Internet of Things (IoT) devices accessible from the Internet.

Researchers have yet to determine the specific method of compromise in this case, but knowing this equipment is often poorly maintained in homes and small business there is a strong likelihood that they were vulnerable to a range of exploits. Despite some similarities to previous IoT attacks, VPNFilter has some unique capabilities that show how this type of malware is evolving.

IoT devices have limited computing resources so malware is normally “memory resident” meaning you can remove the infection simply by rebooting your device. VPNFilter is successful at persisting the first stage of its infection through reboots.

This means that upon reboot, the malware can connect to the C&C server and download the configured modules to reinfect the device. At the time of the announcement several different modules had been identified which could have devastating implications for impacted businesses.

From the Talos report, “The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.”

In addition, it appears the bad actors had the ability to brick the devices remotely, rendering them useless and denying Internet access to the companies and homes relying on them. They also identified packet sniffing capabilities which would identify usernames and passwords — which is pretty common — but also decoding Modbus SCADA traffic which is used by companies to remotely control equipment in manufacturing, pipelines, and energy.

Based upon the apparent Ukraine focus and the targetting of SCADA protocols, The Daily Beast reports VPNFilter is “linked to the same Russian hacking group, known Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.”

What can you do?

Since the FBI is in control of the C&C servers rebooting your equipment should remove the malicious modules, but the Stage 1 infection will still be resident. If you have equipment from the identified manufacturers, you should perform a factory reset.

This will remove all of the bad code, but unfortunately also removes all of your settings — so it is impactful. Researchers are still uncovering the extent of the compromise, so it isn’t a bad idea to reboot your edge devices even if they come from a different manufacturer in the SMB space.

Additional advice is the good practice everyone should be following regardless of who manufactured your equipment: change default passwords, disable remote administration from the Internet and install any available updates from your manufacturer.

MalHide Malware uses the compromised system as an eMail relay
28.5.2018 securityaffairs

The cybersecurity experts Marco Ramilli analyzed a new sample of malware dubbed MalHide that implements a quite new attack path to use the compromised system as eMail relay in order to hide the attacker networks.
Today I’d like to share an interesting (at least to me) analysis on a given sample. I have called this sample MalHide but you will see “why” only at the end of my post :D. I believe this is a quite interesting Malware because it firstly implements several obfuscation stages by using different obfuscation techniques and secondly it implements a quite new attack path (not new per-se but new on opportunistic malware families) where the attacker doesn’t want to steal information and/or compromise a system for possession and/or destruction but the attacker uses the compromised system as eMail relay in order to hide the attacker networks. It is amazing to figure out that attackers are primary moving on fraud direction. For example, having a successful privilege access on the victim machine, the attacker might decide to perform several malicious actions, but among all the choices, he decides to spawn an SMTP relay to send anonymously fraud emails. Based on my past experience this is quite wired, isn’t it ?!
Disclaimer: I’m not going into details on every step since I’m not writing a tutorial but mostly I’d like to prove that threats are getting more and more complex on relatively short time and that attack path is quite unique at least for my personal experience.
Everything started with an email attachment. “Nuovo Documento.doc” is its name and it is able to bypass every single AntiSpam and AntiMalware engine the target had. The following image shows the initial stage where the “.DOC” file seems to be benign but not compatible with the running Microsoft Word instance.

MalHide Sample as it looks like on opening.
The sample presents some macro functions on it. Many junk functions have been injected on the VBA side in order to make life harder to reverse engineers, but fortunately, the great Microsoft VBA Editor included in the Microsoft Office suite implements a useful debugger. The analyst observes that the AutoOpen() function is preserved and filled by code. It took almost 3 seconds to figure out it was a malicious code. The following image shows the Microsoft VBA Editor debugging view where is possible to appreciate the variable qZbTUw containing a PowerShell encoded code. Here we are! The second stage is approaching the victim.

Stage 2. A running instance of PowerShell invoked by VBA
The PowerShell code was Base64 Encoded and additionally obfuscated through “variable mess”. This technique is quite common for javascript devs since the code they develop runs on client side and obfuscating code is used technique to protect (sort of) the written code, but on the given scenario it looks like a simple implementation of FileLess Staging, where the attacker runs a PowerShell script directly from memory without saving it on HD, in such a way the victim does not need to enable the “running PowerShell from file” Microsoft register key and it’s much harder from AntiVirus detect the infection stage. Then the script fires it on following the infection. Powershell ISE helps us to reverse the dropped payload. The following images show the decoding process: from the single line of obfuscated code to dropping URLs. I know, it’s almost impossible to see the images since they look like small, but please click on them to make a bigger view, if you wish.

Stage 3. Decoding Powershell Drop-and-Execute

Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to IoC section)! The executed actions are quite standard. From an array of dropping website lets cycle over them and take the one who drops! The cycling policy could differ from sample to sample since they could use a pseudo-random seed generator or adopting an increment rotation or a round robin rotation and son. For this analysis is not interesting cycling policy at all since we decoded all the possible dropping files. The Powershell command gets the 52887.exe from an external source (dropping websites) and places it on C:\Users\Public\52887.exe. Finally, it runs it. Stage 4 has began, a new PE sample has been executed. The following image shows the Stage 4 dropping another stage into C:\Windows\SysWOW64\fonduewwa.exe. Fortunately, this stage drops the code from itself without getting on the network side. The fonduewwa.exe is then executed.

Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe
The new stage (Stage 4) performs the following steps:
1) It fires up services which act as SMTP client.
2) Connects to a Command and Control which provides emails addresses, SMTP relays, and eMails body to be sent.
3) Sends eMail to exploit BeC communications.
The following images show the Command and Control address. The first image shows the used Windows API while the second one addresses the opened connections directly on the infected machine.

Command and Control IP Address (click to make it bigger)

Command and Control DNS resolution (click to make it bigger)
The Command and Control (c2) listen to: c-67-176-238-209.hsd1.il.comcast.net which today resolves in: The C2 seems to answers to http queries having a specific set of cookies as the following image shows. The C2 crafted and rebuilt communication, made possible by reconstructing cookies from sniffed internal communications, gets back from C2 a kB of encoded data.

Command and Control Communication through HTTP
From C2 comes actions, victims addresses, SMTP servers, and passwords. The sample connects to a given SMTP relays, it authenticates itself and sends email to the victims. The following images prove that the attackers have plenty of credentials to SMTP relays around the globe.

MalHide Connection to real SMTP relays
As now I will not disclose Username e Password for getting access to SMTP relays, but if you can prove to be the owner (or at least to be working for the company owning) of one of them let’s have a chat on that, many interesting things are happening into your network. The emails sent from the analyzed sample are targeting specific victims. It was pretty easy to figure out that we were facing a new attack vector! This attack vector looks like a BeC (or CEO Scam) to specific targets. For those of you not familiar with this attack I am copying the definition provided by SANS (here).
“Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT.Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive. These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone.”
Following few examples of the sent emails coming from C2 and delivering through the analyzed MalHide sample.

Here we are, another email has been sent, another Malware has been thought and developed, another analysis I’ve been made but this time it looks like the “Malware economy” is seriously moving to fraud, there is much money respect to information stealing which is an ancient and romantic way to attack victims. Is this attack a significative example expressing the will of the new underground economy? Is this attack a small and silent change of paradigm, where previously the attacker was interested in your data in order to sell them but now he gets more interested on fraud third parties (such as companies) through you? I do not have such answer here.

Ok, now it’s time to explain why I called this Malware MalHide. Well, it’s a complex Malware, it hides several times BUT most important it has been developed to hide the attacker from sending emails in a way that is not possible to trace back the Attacker IP from the attack path. So I believe MalHide would be a nice name 😀

Further details on the MalHide malware, including the IoCs are reported in the original analysis published by Marco Ramilli


BackSwap Trojan implements new techniques to steal funds from your bank account
28.5.2018 securityaffairs

Security experts at ESET have spotted a new strain of banking trojan named BackSwap Trojan that implements new techniques to steal money from bank customers.
The new techniques allow the malware to bypass anti-malware solutions and security features implemented by browsers to prevent Man-In-The-Browser attacks.

Banking malware use to inject malicious code into the web page, either via the browser’s JavaScript console or directly into the address bar when the user access to the bank account. Injection mechanisms are the most popular techniques used by popular banking malware, including Dridex, Ursnif, Zbot, Trickbot, and Qbot.

Unfortunately for crooks, modern anti-malware are able to detect process injection activity and neutralize it, for this reason, cybercriminals are focusing their activities on more profitable malware such as ransomware and cryptocurrency miners.

The BackSwap Trojan overwhelms these obstacles using three completely new techniques that don’t tamper with the browser processes.

The first technique implemented by BackSwap allows the Trojan to detect when the user is accessing online banking services, the malicious code leverages a native Windows mechanism named the “message loop.”

“We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.” reads the analysis published by ESET.

“The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others. The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event’s IAccessible interface.”

BackSwap simply taps into the Windows message loop searching for URL-like patterns, such as “https” strings and any other terms that are associated with bank’s website.

When the malware detects the browser is accessing the website of a bank it simulates key presses to perform the injection of the JavaScript appropriate for the corresponding bank.

“In older samples, the malware inserts the malicious script into the clipboard and simulates pressing the key combination for opening the developer’s console (CTRL+SHIFT+J in Google Chrome, CTRL+SHIFT+K in Mozilla Firefox) followed by CTRL+V, which pastes the content of the clipboard and then sends ENTER to execute the contents of the console. Finally, the malware sends the console key combination again to close the console. The browser window is also made invisible during this process – to regular users it might seem as if their browser simply froze for a moment.” reads the analysis published by ESET.

“In the newer variants of the malware, this approach has been upgraded – instead of interacting with the developer’s console, the malicious script is executed directly from the address bar, via JavaScript protocol URLs; a little-used feature supported by most browsers. The malware simply simulates pressing CTRL+L to select the address bar followed by the DELETE key to clear the field, then “types” in “javascript:” by calling SendMessageA in a loop, and then pastes the malicious script with the CTRL+V combination. It then executes the script by sending the ENTER key. At the end of the process, the address bar is cleared to remove any signs of compromise.”

Current versions of the BackSwap Trojan could be used against most popular browsers such as Google Chrome, Mozilla Firefox and Internet Explorer.

The experts believe that many other malware will adopt the same technique in a short time, it is easy to implement and very effective.

ESET confirmed that current versions of the BackSwap Trojan include the scripts to interact with five Polish banks, PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.

BackSwap Trojan

“Nonetheless, ESET said it notified browser vendors about BackSwap’s new techniques in the hopes they’d deploy countermeasures in upcoming browser versions, and mitigate these types of attacks before they go mainstream with other malware families.” concluded ESET.

VPNFilter EXIF to C2 mechanism analysed
27.5.2018 Kaspersky

On May 23 2018, our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics.

Some of the things which stand out about VPNFilter are:

It has a redundant, multi-stage command and control mechanism which uses three different channels to receive information
It has a multi-stage architecture, in which some of the more complex functionality runs only in the memory of the infected devices
It contains a destructive payload which is capable of rendering the infected devices unbootable
It uses a broken (or incorrect) RC4 implementation which has been observed before with the BlackEnergy malware
Stage 2 command and control can be executed over TOR, meaning it will be hard to notice for someone checking the network traffic
We’ve decided to look a bit into the C&C mechanism for the persistent malware payload. As described in the Talos blog, this mechanism has several stages:

First, the malware tries to visit a number of gallery pages hosted on photobucket[.]com and fetches the first image from the page.
If this fails, the malware tries fetching an image file from a hardcoded domain, toknowall[.]com. This C2 domain is currently sinkholed by the FBI.
If that fails as well, the malware goes into a passive backdoor mode, in which it processes network traffic on the infected device waiting for the attacker’s commands.
For the first two scenarios in which the malware successfully receives an image file, a C2 extraction subroutine is called which converts the image EXIF coordinates into an IPv4 address. This is used as an easy way to avoid using DNS lookups to reach the C&C. Of course, in case this fails, the malware will indeed lookup the hardcoded domain (toknownall[.]com). It may be worth pointing that in the past, the BlackEnergy APT devs have shown a preference for using IP addresses for C&C instead of hardcoded domain names, which can be easily sinkholed.

To analyse the EXIF processing mechanism, we looked into the sample 5f358afee76f2a74b1a3443c6012b27b, mentioned in the Talos blog. The sample is an i386 ELF binary and is about 280KB in size.

Unfortunately for researchers, it appears that the photobucket.com galleries used by the malware have been deleted, so the malware cannot use the first C2 mechanism anymore. For instance:

With these galleries unavailable, the malware tries to reach the hardcoded domain toknowall[.]com.
While looking at the pDNS history for this domain, we noticed that it resolved to an IP addresses in France, at OVH, between Jan and Feb 2018:

Interestingly, when visiting this website’s C2 URL, we are presented with a JPG image, suggesting it is still an active C2:

Here’s how it looks when viewed as an image:

When we look into the EXIF data for the picture, for instance using IrfanView, it looks as following:

Filename – update.jpg

GPS information: –
GPSLatitude – 97 30 -175 (97.451389)
GPSLongitude – -118 140 -22 (-115.672778)
How to get the IP out of these? The subroutine which calculates the C2 IP from the Latitude and Longitude can be found at offset 0x08049160 in the sample.

As it turns out, VPNFilter implements an actual EXIF parser to get the required information.

First, it searches for a binary value 0xE1. This makes sense because the EXIF attribute information begins with a tag “0xFF 0xE1”. Then, it verifies that the tag is followed by a string “Exif”. This is the exact data that should appear in a correct header of the Exif tag:

Exif tag
FF E1 Exif tag
xx Length of field
45 78 69 66 00 ‘Exif’
00 Padding

The tag is followed by an additional header:

“Attribute information” header
49 49 (or 4D 4D) Byte order, ‘II’ for little endian (‘MM’ for big endian)
2A 00 Fixed value
xx xx Offset of the first IFD

The data following this header is supposed to be the actual “attribute information” that is organized in so-called IFDs (Image File Directory) that are data records of a specific format. Each IFD consists of the following data:

IFD record
xx xx IFD tag
xx xx Data type
xx xx xx xx Number of data records of the same data type
xx xx xx xx Offset of the actual data, from the beginning of the EXIF

The malware’s parser carefully traverses each record until it finds the one with a tag ’25 88′ (0x8825 little endian). This is the tag value for “GPS Info”. That IFD record is, in turn, a list of tagged IFD records that hold separate values for latitude, longitude, timestamp, speed, etc. In our case, the code is looking for the tags ‘2’ (latitude) and ‘4’ (longitude). The data for latitude and longitude are stored as three values in the “rational” format : two 32-bit values, the first is the enumerator and the second one is the denominator. Each of these three values corresponds to degrees, minutes and seconds, respectively.

Then, for each record of interest, the code extracts the enumerator part and produces a string of three integers (i.e. “97 30 4294967121” and “4294967178 140 4294967274″ that will be displayed by a typical EXIF parser as 1193143 deg 55′ 21.00″, 4296160226 deg 47′ 54.00”). Then, curiously enough, it uses sscanf() to convert these strings back to integers. This may indicate that the GPS Info parser was taken from a third-party source file and used as-is. The extracted integers are then used to produce an actual IP address. The pseudocode in C is as follows:

const char lat[] = "97 30 4294967121"; // from Exif data
const char lon[] = "4294967178 140 4294967274"; // from Exif data
int o1p1, o1p2, o2p1, o3p1, o3p2, o4p1;
uint8_t octets[4];

sscanf(lat, "%d %d %d", &o1p2, &o1p1, &o2p1);
sscanf(lon, "%d %d %d", &o3p2, &o3p1, &o4p1);
octets[0] = o1p1 + ( o1p2 + 0x5A );
octets[1] = o2p1 + ( o1p2 + 0x5A );
octets[2] = o3p1 + ( o3p2 + 0xB4 );
octets[3] = o4p1 + ( o3p2 + 0xB4 );

printf("%u.%u.%u.%u\n", octets[0], octets[1], octets[2], octets[3]);

The implementation of the EXIF parser appears to be pretty generic. The fact that it correctly handles the byte order (swapping the data, if required) and traverses all EXIF records skipping them correctly, and that the GPS data is converted to a string and then back to integers most likely indicates that the code was reused from an EXIF-parsing library or toolkit.

For the values provided here, the code will produce the IP address “” that is a known C&C of VPNFilter.

It should be noted that this IP is included in Cisco Talos’ IOCs list as a known C&C. Currently, it appears to be down.

What’s next?
Perhaps the most interesting question is who is behind VPNFilter. In their Affidavit for sinkholing the malware C2, FBI suggests it is related to Sofacy:

Interestingly, the same Affidavit contains the following phrase: “Sofacy Group, also known as apt28, sandworm, x-agent, pawn storm, fancy bear and sednit”. This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as subgroup of Sofacy by the FBI. Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.

Perhaps the most interesting technical detail, which Cisco Talos points in their blog linking VPNFilter to BlackEnergy, is the usage of a flawed RC4 algorithm.The RC4 key scheduling algorithm implementation from these is missing the typical “swap” at the end of the loop. While rare, this mistake or perhaps optimization from BlackEnergy, has been spotted by researchers and described publicly going as far back as 2010. For instance, Joe Stewart’s excellent analysis of Blackenergy2 explains this peculiarity.

So, is VPNFilter related to BlackEnergy? If we are to consider only the RC4 key scheduling implementation alone, we can say there is only a low confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost: “BE2 custom plugins, router abuse, and target profiles“. We continue to look for other similarities which could support this theory.

Russian Police Arrest Man Involved in Android Banking Trojan Scheme
25.5.2018 securityweek Crime 

Law enforcement authorities in Russia have arrested an unnamed 32-year-old man who is believed to be part of a cybercrime ring that made up to $8,000 per day using Android banking Trojans.

According to Russia-based cybersecurity firm Group-IB, the suspect is an unemployed Russian national who had previously been convicted for arms trafficking. He was arrested earlier this month and reportedly already confessed.

The cybercrime group used a malicious Android app named “Banks at your fingertips” to trick the customers of Russian banks into handing over their financial information. The banking Trojan was disguised as a tool that claimed to allow users to access all their bank accounts from one Android app. It offered users the possibility to view balances, transfer money between payment cards, and pay for online services.

The malicious app, distributed via spam emails since 2016, instructed users to enter their card details, which were then sent to a server controlled by the attackers. The cybercrooks transferred between $1,500 and $8,000 per day from victims’ bank accounts, $200-$500 at a time. The criminal proceeds were laundered using cryptocurrencies.

The malware also helped the attackers intercept the SMS confirmation codes sent by banks, at the same time blocking all text messages confirming transactions in an effort to avoid raising suspicion.

While Russia has occasionally collaborated with Western law enforcement agencies to bring down global cybercrime operations, it has often turned a blind eye to the activities of hackers who have mainly targeted the United States.

Four Russian nationals are currently on the FBI’s Cyber Most Wanted list, including the alleged administrator of a massive cybercrime scheme involving the Zeus Trojan, and three people believed to have been involved in attacks on Yahoo that resulted in roughly 500 million accounts getting compromised.

The Russian government has defended some of the alleged hackers arrested by the United States – in one case Moscow accused Washington of abducting the son of a lawmaker.

On the other hand, the government has been known to crack down on cybercrime rings that target Russian citizens. Police have arrested 50 hackers believed to have used the Lurk Trojan, the creator of the Svpeng Android malware, and nine people who allegedly stole $17 million from bank accounts.

Russian speaking hacker arrested for stealing $8,000 per day leveraging mobile malware
25.5.2018 securityaffairs  

Moscow, May 24, 2018 – law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.
At the height of their activity, victims reportedly lost between 1,500 to 8,000 dollars daily and levered cryptocurrency for laundering.

Group-IB’s analysis reviewed the tools and techniques leveraged in the group’s attack revealing that the gang tricked customers of Russian banks into downloading malicious mobile applications “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users a ‘one-click’ access to all bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

The investigation by authorities identified a member of the criminal group, who was responsible for transferring money from user accounts to attacker’s cards, a 32-year-old unemployed Russian national who had previous convictions connected to arms trafficking. During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/ prosecution continues.

mobile malware

Seems, we need to keep our mobiles safe. Well, this is not the first case of stealing. We’ve seen many cases in the past too. One of the cases happened on March 2018 – in which a malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that was sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said. Researchers called it a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software.

Many people have a question about torrenting. Millions of the people don’t know whether torrenting is legal or illegal. Well, torrenting carries risks. Authorities will catch and punish you if you torrent copyright material. Also, there is a risk of downloading infected files. All you need is the best tool or any software that will keep you safe from this kind of threats.

I have reached Sergey Lupanin, Head of cyber investigation department, Group-IB for a comment:

“Actually this trojan is quite simple and private, means there is no any descriptions or screenshots on Dark-web forums. And it’s early versions didn’t interact with any mobile banks services. Users entered their card data and permitted this application to work with SMS-messages.

Trojan used https protocol with a self-signed certificate to work with C2 servers and sent user’s card data to the actor. The actor entered this data (which included card number, cvv code, expiration date, and owner name) to card2card service. User received SMS with transaction authorization code, that was intercepted by this application and sent to Actor for transaction approval. And that’s it. Later this trojan received addition functionality – ability to work with mobile banks via SMS, thus not requiring from Threat actor to use any Card2Card service.”

Hackers Behind 'Triton' Malware Attack Expand Targets
24.5.2018 securityweek 

The threat group responsible for the recently uncovered attack involving a piece of malware known as Triton, Trisis and HatMan is still active, targeting organizations worldwide and safety systems other than Schneider Electric’s Triconex.

The actor, which industrial cybersecurity firm Dragos tracks as Xenotime, is believed to have been around since at least 2014, but its activities were only discovered in 2017 after it targeted a critical infrastructure organization in the Middle East.

The attack that led to the cybersecurity industry uncovering Xenotime was reportedly aimed at an oil and gas plant in Saudi Arabia. It specifically targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability.Xenotime hackers behind Triton/Trisis attack

The targeted organization launched an investigation and called in third-party experts, including Dragos and FireEye, after the SIS caused some industrial systems to unexpectedly shut down. Researchers believe the shutdown was caused by the attackers by accident.

Dragos continues to analyze the initial Triton/Trisis incident and more recent attacks launched by Xenotime. The company says the group has targeted organizations globally, far outside the Middle East.

The security firm has not shared any details on present attacks, but it did note that the hackers are active in multiple facilities, targeting safety controllers other than Triconex.

Xenotime hackers behind Triton/Trisis attack

Some researchers believe Iran is behind the attacks, but Dragos has not shared any information on attribution. The company did point out that it has not found any links between Xenotime and other known groups.

“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” the company wrote in a blog post. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Dragos has been tracking the activities of several threat actors that target industrial control systems (ICS). The company has published brief reports for three of the seven hacker groups it monitors, including the Russia-linked Allanite, which targets electric utilities in the US and UK, and Iran-linked Chrysene, which has attacked ICS networks in the Middle East and the UK.

Xenotime, Threat actors Behind Triton Malware broadens its activities
24.5.2018 securityaffairs

The threat actor behind the Triton malware (aka Trisis, Xenotime, and HatMan) is now targeting organizations worldwide and safety systems.
The attackers are expanding their targets and new variants are able to attacks also other than Schneider Electric’s Triconex systems.

The malware was first spotted in December 2017 by researchers at FireEye that discovered that it was specifically designed to target industrial control systems (ICS) system.

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Triton malware

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

According to experts at Dragos, threat actors have been around since at least 2014, they were discovered in 2017 after they caused a shutdown at a critical infrastructure organization somewhere in Saudi Arabia.

Dragos researchers warn of new cyber attacks powered by the same group against organizations globally.

“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” states Dragos Security. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Experts at Dragos have published a collection of reports related to threat groups targeting critical infrastructure, the first one was on the activities of the Russia-linked Allanite group.

Summary info on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay it.

Justice Department announces actions to disrupt the VPNFilter botnet
24.5.2018 securityaffairs APT 

The Justice Department announced an effort to disrupt the VPNFilter botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a Russia-linked APT group.
Yesterday Talos and other security firm revealed the discovery of a huge botnet tracked as VPNFilter composed of more than 500,000 compromised routers and network-attached storage (NAS) devices, now more details emerged on the case.

The experts believe the VPNFilter was developed by Russia, the associated malware compromised devices across 54 countries, most of them in Ukraine.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, most infections in Ukraine and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

The US Justice Department announced it had seized a domain used as part of the command and control infrastructure, it explicitly refers the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet,

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).” reads the press release published by the DoJ.

“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

The VPNFilter botnet targets SOHO routers and network-access storage (NAS) devices and uses several stages of malware. The experts highlighted that the second stage of malware that implements malicious capabilities can be cleared from a device by rebooting it, while the first stage of malware implements a persistence mechanism.

The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.

Technically the operation conducted by the US authorities is called “sink holing,” the seizure of the domain will allow law enforcement and security experts to analyze the traffic associated with the botnet to gather further info on the threat and temporarily neutralize it.

“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure.” continues the DoJ.

“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).”

The owners of the compromised SOHO and NAS devices should reboot their devices as soon as possible, the operation will temporarily remove the second stage malware and will cause the first stage malware to connect the C&C domain for instructions.

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.” continues the DoJ.

VPNFilter malware

Experts are particularly concerned by the destructive features implemented by the malware that could allow attackers to burn users’ devices to cover up their tracks.

Experts believe that the attack could be launched by threat actors during the Ukrainian celebration of the Constitution Day, last year the NotPetya wiper attack was launched on the same period.

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VNPFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.

The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.

Hacked Drupal sites involved in mining campaigns, RATs distributions, scams
21.5.2018 securityaffairs  

Crooks are exploiting known vulnerabilities in the popular Drupal CMS such as Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Security experts at Malwarebytes reported that compromised Drupal websites are used to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Crooks are exploiting known vulnerabilities in the popular Drupal CMS such as Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

The two remote code execution security vulnerabilities, tracked as CVE-2018-7600 and CVE-2018-7602 have been already fixed by Drupal developers.

At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developers Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are no more supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates and experts called it Drupalgeddon2.

The development team released the security update in time to address CVE-2018-7600.

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.

A week after the release of the security update, the experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report. the expert Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Other security firms observed threat actors have started exploiting the flaw to install malware on the vulnerable websites, mainly cryptocurrency miners.

The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

At the end of April, the Drupal team fixed a new highly critical remote code execution issue (dubbed Drupalgeddon 3) tracked as CVE-2018-7602 with the release of versions 7.59, 8.4.8 and 8.5.3.

Also in this case, cybercriminals started exploiting the CVE-2018-7602 to hijack servers and install cryptocurrency miners.

The experts from Malwarebytes conducted an analysis of attacks involving Drupalgeddon2 and Drupalgeddon3 and discovered that most of the compromised Drupal sites had been running version 7.5.x, while roughly 30 percent had been running version 7.3.x, which was last updated in August 2015.

“Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.” reads the analysis published by Malwarebytes.

Drupal hacked websites

More than 80 percent of the compromised websites had been web cryptocurrency miners, Coinhive injections remain by far the most popular choice, followed by public or private Monero pools.

“We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection,” continues the report.

Roughly 12 percent of the attacks delivered RATs or password stealers disguised as web browser updates, while Tech support scams accounted for nearly 7 percent of the client-side attacks.

Hacked Drupal Sites Deliver Miners, RATs, Scams
20.5.2018 securityweek 

The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.

Malicious actors started exploiting CVE-2018-7600, dubbed Drupalgeddon2, roughly two weeks after a patch was released and shortly after a proof-of-concept (PoC) exploit was made public.

CVE-2018-7602, dubbed Drupalgeddon 3, was discovered during an analysis of CVE-2018-7600 by the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability. Hackers started exploiting CVE-2018-7602 immediately after the release of a patch.

Cybercriminals have exploited the vulnerabilities to hijack servers and abuse them for cryptocurrency mining. Some websites have been targeted by botnets known to also be involved in distributed denial-of-service (DDoS) attacks.

Researchers at security firm Malwarebytes recently conducted an analysis of client-side attacks involving Drupalgeddon2 and Drupalgeddon3, i.e. the threats pushed by the compromised sites to their visitors.

Experts noticed that nearly half of the hacked Drupal sites had been running version 7.5.x of the CMS, while roughly 30 percent had been running version 7.3.x, which was last updated in August 2015.

Unsurprisingly, more than 80 percent of the hacked sites had been serving cryptocurrency miners, mostly through Coinhive injections.

“We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection,” researchers said in a blog post.

Hacker plant cryptocurrency miner on university site via Drupal vulnerability

Just over 12 percent of the attacks observed by Malwarebytes delivered RATs or password stealers disguised as web browser updates.

Tech support scams accounted for nearly 7 percent of the client-side attacks spotted by the security firm. In these attacks, website visitors are typically redirected to a page that locks their browser and instructs them to call a “tech support” number.

Malwarebytes says it has notified the organizations whose websites have been compromised.

New PowerShell Backdoor Discovered
14.5.2018 securityweek

A recently detected PowerShell backdoor can steal information and execute various commands on the infected machines.

Dubbed PRB-Backdoor, the malware has been distributed via a Word document containing malicious macros. The document was named “Egyptairplus.doc” and was initially believed to deliver malware linked to the MuddyWater campaigns targeting the Middle East.

Analysis of the document’s macro revealed a function called Worker(), designed to call multiple other functions embedded in the document, to ultimately run a PowerShell command.

The command would look within the document for a chunk of embedded data that is Base64 encoded and decodes it, the security researcher behind Security 0wnage explains. This eventually results in an obfuscated PowerShell script.

“Replacing iex with Write-Output and running this code will result in a second layer PowerShell script that is shown earlier in the blog and has similarities with MuddyWater code due to the use of the Character Substitution functions,” the security researcher notes.

Replacing all the iex with Write-Output reveals more readable code that still contains encoded chunks of data. Further analysis of the code revealed an Invoker.ps1 script designed to decrypt the main backdoor code.

The backdoor contains over 2000 lines of code when properly formatted. Because of the main function is named PRB, the researcher decided to call the malware PRB-Backdoor.

Although execution of the sample in a sandbox did not reveal network communication, the code does include a variable that appears to point to the main domain that the backdoor communicates with to retrieve commands, namely outl00k[.]net.

The researcher discovered that the email address used to register the domain was also used for the domain LinLedin[.]net. The researcher also found the IPs the two domains were resolving to, but no additional information on either of them was discovered.

Looking into the PRB-Backdoor code, the security researcher found functions supposedly related to initial communication and registration with the command and control (C&C) server, along with a function designed to retrieve the browsing history from different browsers, including Chrome, Internet Explorer, and Firefox.

Other functions revealed the backdoor’s ability to steal passwords, write files to disk, read files, update itself, launch a shell, log keystrokes, take a screenshot of the screen, get the system info, and more.

“The PRB-Backdoor seems to be a very interesting piece of malware that is aimed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source,” the researcher notes.

Nigelthorn malware infected over 100,000 systems abusing Chrome extensions
14.5.2018 securityaffairs 

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.
A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware is spreading through links on Facebook, victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victims accepted the installation, the malicious extension will be added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”

The malware was specifically developed to target both Windows and Linux machines using the Chrome browser.

When a victim clicks on “Add Extension” is redirected to a Bitly URL from which they will be redirected to Facebook in the attempt to provide the credentials for his account.

In order to bypass Google Application validation tools, the threat actors used copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript is executed to start the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware is able to steal Facebook login credentials and Instagram cookies. The malware also redirects users to a Facebook API to generate an access token that is then sent to the Command and Control servers.

The malware propagated by using the stolen credentials, it sends the malicious link to the victim’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses numerous techniques to gain persistence on the infected system, such as closing the extensions tab if the user attempts to access it, or downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

Experts also described a YouTube fraud, the YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.

PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
14.5.2018 securityaffairs
Virus  Cryptocurrency

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.
Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT, it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums, In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.


In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financials as well.

Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp – 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com, Facebook, Twitter, and a couple of two sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Columbia, and Ecuador, The same campaign also targeted social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

Nigelthorn Malware Infects Over 100,000 Systems
13.5.2018 securityweek

A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers, Radware reveals.

Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries.

Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet.

Impacting both Windows and Linux machines, the malware depends on Chrome, which suggests that those who do not use this browser are not at risk, the security researchers point out.

The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries.

In order to bypass Google’s validation checks, the malware developers created copies of legitimate extensions and injected a short, obfuscated malicious script into them, to start the malware operation.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” the security researchers note.

When the extension is installed, a malicious JavaScript is executed to download the initial malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware itself is focused on stealing Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API to generate an access token that is then sent to the C&C.

The stolen credentials are used for propagation, to spread the malicious link to the user’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts. Should any of the victim’s contacts click on the link, the infection process is repeated.

The malware also downloads a cryptomining tool to the victim’s machine. A publicly available browser-mining tool is used for this, downloaded from external sites that the group controls. Over the past several days, the actor was observed attempting to mine Monero, Bytecoin and Electroneum, all of which require CPU power to mine.

Persistence is achieved through closing the extensions tab if the user attempts to access it, and through downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

A YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” the researchers

Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
13.5.2018 securityaffairs
Virus  Cryptocurrency

An Ubuntu user has spotted a Bytecoin cryptocurrency miner hidden in the source code of an Ubuntu Snap Pack in the Official Ubuntu Snap Store.
An Ubuntu user that goes online with the GitHub moniker “Tarwirdur” has discovered a malware in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store, a first analysis revealed that it is a cryptocurrency miner.

The malicious code was able to mine the Bytecoin (BCN) cryptocurrency, the account hardcoded in the malware is “myfirstferrari@protonmail.com.”

The malicious app is 2048buntu, it is a copycat of the legitimate of the 2024 game included as an Ubuntu snap.

2048buntu-game ubuntu snap store

Tarwirdur discovered the app contained a cryptocurrency mining application disguised as the “systemd” daemon, the package also includes an init script that allows gaining boot persistence on the target.

Tarwirdur reported his discovery to the maintainers at the Ubuntu Snap Store team that promptly removed the app. The user also noticed another app uploaded by the same developers and after a check, he discovered it also contained a malicious code and for this reason, it was removed too.

“At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, “pending further investigations“.” states a post published on the website linuxuprising.com.

Currently, it is impossible to establish the number of affected users because the Ubuntu Snap Store does not provide an install count.

The problem is that submitted snaps do not go through a security check, this means that ill-intentioned can upload malicious snap packages to the Ubuntu Snap Store.

Panda Banker Campaign Hits U.S. Banks
11.5.2018 securityweek

Recently detected campaigns using the Panda Banker malware are targeting financial institutions worldwide, with those in the United States taking the largest hit, F5 reports.

First seen in 2016, Panda is based on the leaked source code of the infamous Zeus banking Trojan and has been involved in multiple infection campaigns globally. Sold as a kit on underground forums, the malware uses man-in-the-browser and webinjects to steal user credentials.

Historically, the threat has been targeting financial institutions in Italy, Canada, Australia, Germany, the United States, and the United Kingdom, but also started focusing on Japan earlier this year.

Now, F5 reports that, while Japan continues to be hit, the malware is also targeting users in the United States, Canada, and Latin America.

In February, the malware was targeting financial services and cryptocurrency sites in Italy with screenshots rather than webinjects, likely “to document and spy on user interaction at cryptocurrency accounts.”

In May, three different Panda Banker campaigns were observed, each focused on another geography.

One of them, F5 reports, hit 8 industries in North America, with 78% of the targets being US financial organizations. Canadian financial organizations, cryptocurrency sites, global social media providers, search and email providers, payroll, entertainment, and tech providers were also targeted.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” F5 reports.

The same Panda botnet, marked as 2.6.8, is targeting Japanese financials as well. For that, however, the malware authors removed the Content Security Policy (CSP) headers, a security standard for preventing cross-site scripting (XSS), clickjacking and other injection attacks that could lead to the execution of malicious code from an otherwise trusted site.

This campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com (likely targeting email accounts), along with Facebook and Twitter, and a couple of adult sites.

A third parallel campaign is hitting Latin America, focused on banks in Argentina, Columbia, and Ecuador, and the same social media, search, email, entertainment, and tech provider as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.

The source code of the TreasureHunter PoS Malware leaked online

10.5.2018 securityaffairs Virus

Security experts at Flashpoint confirmed the availability online for the source code of the TreasureHunter PoS malware since March.
The researchers found evidence that the threat has been around since at least late 2014. TreasureHunt was first discovered by researchers at the SANS Institute who noticed the malware generating mutex names to evade detection.

TreasureHunt enumerates the processes running on the infected systems and implement memory scraping functions to extract credit and debit card information. Stolen payment card data are sent to C&C servers through HTTP POST requests.

The experts at FireEye believe who analyzed the malware back in 2016, discovered that cyber criminals compromised the PoS systems by using stolen or weak credentials. Once the TreasureHunt malware infects the systems, it installs itself in the “%APPDATA%” directory and maintains persistence by creating the registry entry:

Flashpoint experts discovered the source code of TreasureHunter on a top-tier Russian-speaking forum, the guy who posted the code also leaked the source code for the graphical user interface builder and administrator panel.

The original developer of the PoS malware appears to be a Russian speaker who is proficient in English.

“The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.” reads the analysis published by Flashpoint.

“The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.”

Cybercriminals could take advantage of the availability of the above code bases to create their own version of the TreasureHunter PoS malware, according to the experts, the number of attacks leveraging this threat could rapidly increase.

The actor behind the TreasureHunter leak said: “Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

The good news is that that availability of the source code could allow security firms to analyze the threat and take the necessary countermeasures.

Flashpoint proactively collaborated with researchers at Cisco Talos to prevent the diffusion of the malicious code.

“In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” continues the analysis.

“Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.”

TreasureHunter PoS Malware

The malicious code is written in pure C, it doesn’t include C++ features, and was originally compiled in Visual Studio 2013 on Windows XP.

The code project appears to be called internally trhutt34C, according to the researchers the author was working to improve it by redesign several features, including anti-debugging, code structure, and gate communication logic.

“The source code is consistent with the various samples that have been seen in the wild over the last few years. TreasureHunter\config.h shows definite signs of modification over the lifespan of the malware.” concluded the analysis.

“Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER to be overwritten by the builder. More recent samples, and the source code, instead writes useful config values directly into the fields. This makes the samples slightly smaller and uses fresh compiles to create reconfigured files.”

TreasureHunter PoS Malware Source Code Leaked Online
10.5.2018 securityweek

New variants of the TreasureHunter point-of-sale (PoS) malware are expected to emerge after its source code was leaked online in March, Flashpoint warns.

Capable of extracting credit and debit card information from processes running on infected systems, the PoS malware family has been around since at least 2014. To perform its nefarious activities, it scans all processes on the machine to search for payment card data, and then sends the information to the command and control (C&C) servers.

The malware’s source code was posted on a top-tier Russian-speaking forum by an actor who also leaked the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases is expected to allow more cybercriminals to build their own PoS malware variants and start using them in attacks. However, the availability of the code also provides security researchers with the possibility to better analyze the threat. In fact, Flashpoint, which discovered the leak in March, has been working together with Cisco Talos to improve protections and disrupt potential copycats who may have obtained the leaked source code.

“In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” the security researchers explain in a report shared with SecurityWeek.

The original malware developer is likely a Russian speaker who is proficient in English. According to Flashpoint, the threat might have been originally developed for the notorious underground shop dump seller BearsInc, but the reason why the code was leaked is unknown.

TreasureHunter likely installed using weak credentials. The attacker accesses a Windows-based server and the point-of-sale terminal, installs the threat, and then establishes persistence through creating a registry key to execute the malware at startup.

The threat then enumerates running processes and starts scanning the device memory for track data such as primary account numbers (PANs), separators, service codes, and more. Next, it establishes a connection with the C&C and sends the stolen data to the attacker.

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs (not at a very high rate, but it still does) and besides that, since now you have the source code, it can be update anytime for your own needs,” the actor behind the TreasureHunter leak apparently said.

Internally, the code project was supposedly called trhutt34C. The malware is written in pure C with no C++ features and was originally compiled in Visual Studio 2013 on Windows XP. The researchers believe the malware author was also looking to improve and redesign various features including anti-debugging, code structure, and gate communication logic.

The source code is consistent with the previously analyzed TreasureHunter samples and a config.h file shows “definite signs of modification over the lifespan of the malware.” More recent samples write useful config values directly into the fields, which makes them smaller.

Backdoored Module Removed from npm Registry
4.5.2018 securityweek 

A malicious package masquerading as a cookie parsing library but delivering a backdoor instead was unpublished from the npm Registry along with three other packages.

npm is a highly popular package manager for JavaScript, allowing users to discover packages of reusable code and assemble them in new ways. Claiming to be the world’s largest software registry, npm helps users install, share, and distribute code, as well as manage dependencies in their projects and receive feedback from others.

The npm Registry represents a public collection of packages of open-source code for Node.js, front-end web apps, mobile apps, robots, routers, and more.

The malicious module that made its way to the npm Registry was named getcookies. On May 2, npm was informed on the package containing a potential backdoor, on the express-cookies and http-fetch-cookies modules depending upon the malicious package, and on the popular mailparser package depending upon http-fetch-cookies.

After receiving the report, npm’s security team started investigating the module to determine whether it indeed contained malicious code and how it might impact the community.

The team discovered that the backdoor was indeed there. It “worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor,” npm says.

Control code flaws in the package allowed for an attacker to input arbitrary code into a running server and execute it.

The investigation also revealed that the profile image of the user who published getcookies was a stock photo and that the GitHub account linked from the packages was created in March.

Furthermore, download counts for getcookies, express-cookies, and http-fetch-cookies spiked a few weeks back, supposedly after a version of mailparser that depended upon http-fetch-cookie was published. Although deprecated, mailparser receives around 64,000 weekly downloads.

“We determined the published versions of mailparser that depended on http-fetch-cookies did not use the module in any way, eliminating any risk the backdoor posed. We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy,” npm notes.

Less than two hours after receiving the initial report, the security team unpublished the getcookies, express-cookies, and http-fetch-cookies packages and also removed the dustin87 user.

Furthermore, they removed three versions of mailparser (2.2.3, 2.2.2, and 2.2.1) that depended on the http-fetch-cookies module and also reset npm tokens for the author of mailparser to prevent further unauthorized publishing.

Because mailparser didn’t use the malicious module in any way, its users weren’t impacted. Those who directly required and used the express-cookies and getcookies packages were affected.

Over 20 Million Users Installed Malicious Ad Blockers From Chrome Store

25.4.2018 thehackernews  Virus

If you have installed any of the below-mentioned Ad blocker extension in your Chrome browser, you could have been hacked.
A security researcher has spotted five malicious ad blockers extension in the Google Chrome Store that had already been installed by at least 20 million users.
Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow its creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.
Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.
Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.
"All the extensions I've highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors," Meshkov says.

After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed all of the following mentioned malicious ad blockers extension from its Chrome Store:
AdRemover for Google Chrome™ (10 million+ users)
uBlock Plus (8 million+ users)
[Fake] Adblock Pro (2 million+ users)
HD for YouTube™ (400,000+ users)
Webutation (30,000+ users)
Meshkov downloaded the ‘AdRemover’ extension for Chrome, and after analyzing it, he discovered that malicious code hidden inside the modified version of jQuery, a well-known JavaScript library, sends information about some websites a user visits back to a remote server.
Also Read: Someone Hijacks A Popular Chrome Extension to Push Malware
The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.
To avoid detection, these commands send by the remote server are hidden inside a harmless-looking image.
"These commands are scripts which are then executed in the privileged context (extension's background page) and can change your browser behavior in any way," Meshkov says.
"Basically, this is a botnet composed of browsers infected with the fake Adblock extensions," Meshkov says. "The browser will do whatever the command center server owner orders it to do."
The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.
Also Read: Malicious Chrome Extension Hijacks CryptoCurrencies and Wallets
Since browser extension takes permission to access to all the web pages you visit, it can do practically anything.
So, you are advised to install as few extensions as possible and only from companies you trust.

CSE Malware ZLab – Malware Analysis Report: The Bandios malware suite

25.4.2018 securityaffairs Virus

The researchers at CSE ZLab have spotted a new family of malware, tracked as Bandios malware spreading in the wild.
The peculiarity of Bandios malware is the fact that this malware is in a rapid and constant evolution and development.

Experts observed several versions of the malware stored on the same websites, they represent the evolution of the malicious code that is continuously updated by the authors. ZLab researchers analyzed all these samples and noticed that they have the same behavior, the last compilated and thus the most recent is the sample hosted on the “/OnlineInstaller.exe” path, with the hash “3f11ea10cb7dc4ed8e22de64e9218b1c481beb8b6f4bf0c1ba6b021e9e3f6f72”

Moreover, the site “http://ozkngbvcs[.]bkt[.]gdipper[.]com/” is used as a repository for the entire colony of this malware:

The main malware sample is installable from the simple path “OnlineInstaller.exe.”

During the analysis, the researchers observed several versions of this malware published in the same path, some of them are test versions because they cannot be executed due to the presence of coding errors.

The Bandios malware implements an advanced evasion and anti-analysis technique, the executable leverages a common technique dubbed “TLS callback.”

Another peculiarity of the Bandios malware is the usage of digital certificates revoked by the certification authority.

bandios malware suite

Finally, the above figure shows that we have a punctual separation and categorization of all the samples, based on Windows version (7 or XP), architecture (32 or 64 bit) or the exploit, in particular, the exploit code for the CVE-2017-1182 Microsoft Office Exploit vulnerability.

Further details on the Bandios malware suite, including IoCs and Yara Rules available in the report published by researchers at ZLAb.

'Orangeworm' Cyberspies Target Healthcare Sector in US, Europe, Asia
23.4.2018 securityweek

A threat group tracked by Symantec as Orangeworm has been targeting healthcare organizations in the United States, Europe and Asia, but the attacks do not appear to be the work of a nation state.

A report published on Monday by the security firm revealed that Orangeworm was first identified in January 2015. The group has focused on organizations in the healthcare sector, which accounts for nearly 40% of targets, but it has also launched attacks on other industries that are somehow related to healthcare, including IT (15%), manufacturing (15%), logistics (8%), and agriculture (8%).

Specifically, victims in other sectors include medical device manufacturers, IT firms that provide services to clinics, and logistics companies that deliver healthcare products. Researchers say companies outside the healthcare industry have been targeted in supply chain attacks with the ultimate goal of gaining access to the systems of the intended entity.

The highest percentage of victims has been spotted in the United States (17%), but Orangeworm has also targeted organizations in Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries around the world.

“While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to Symantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large international corporations,” Symantec said in its report.

Orangeworm targets

Once they gain access to the targeted organization’s systems, the hackers deploy a custom backdoor tracked by Symantec as Trojan.Kwampirs. The malware allows attackers to remotely access the compromised machine.

The malware first collects information about the computer to determine if it may be of interest or if it’s a device belonging to a researcher. If the victim is of interest, the backdoor is “aggressively” copied to other systems with open network shares.

Symantec points out that Kwampirs has been found on machines hosting software used for high-tech imaging devices, such as MRI and X-Ray machines. The malware was also spotted on devices used to assist patients in completing consent forms. However, experts say the exact motives of Orangeworm are unclear.

The list of commands sent by the attackers to the malware include instructions for collecting system and network data, and obtaining information on running processes, system services, network shares, account policies, and local and domain admin accounts.

Symantec says it does not have any information that could help determine the threat group’s origins, but the company believes Orangeworm is likely conducting corporate espionage and there is no evidence that the operation is backed by a nation state.

Experts noted that the actors behind Orangeworm do not appear to be concerned about their activities being detected. The method used by Kwampirs to propagate over the network has been described as “noisy” and the attackers have done few changes to the malware since it was first discovered by researchers. The trojan uses an older propagation method that mainly works on Windows XP, but the technique may still work in the healthcare sector, which has been known to use legacy systems on older platforms.

Experts spotted spam campaigns delivering XTRAT and DUNIHI backdoors bundled with the Adwind RAT
22.4.2018 securityaffairs

Security experts at Trend Micro have spotted spam campaigns delivering XTRAT and DUNIHI Backdoors and Loki malware bundled with the Adwind RAT.
Malware researchers at Trend Micro have uncovered a spam campaign that delivers the infamous Adwind RAT (aka jRAT) alongside the XTRAT backdoor (aka XtremeRAT) and the Loki info stealer. In a separate Adwind RAT spam campaign, the researchers observed the use of the VBScript with backdoor tracked as DUNIHI.

Both campaigns abuse the legitimate free dynamic DNS server hopto[.]org.

“Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org.” reads the analysis published by Trend Micro. “The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.”

The experts detected 5,535 unique infections of Adwind between January 1 and April 17, most of them in the US, Japan, Australia, Italy, Taiwan, Germany, and the U.K.Adwind RAT detections

Adwind RAT detections

Crooks behind the Adwind, XTRAT, and Loki used weaponized RTF document that triggers the CVE-2017-11882 vulnerability to deliver the Adwind, XTRAT, and Loki bundles.

Below the attack chain:

Adwind RAT detections 2

“The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70[.]hopto[.]org.” continues the analysis.

Adwind is a cross-platform Java backdoor that has been observed in the wild since 2013. XTRAT shares similar capabilities with Adwind, it also implements features to control both device camera and microphone.

Loki was known as a password and cryptocurrency wallet stealer well-known in the cybercrime ecosystem.

The experts also observed Adwind bundled with DUNIHI backdoor, attackers used a JAR dropper that ships a VBS dropper delivered via spam mail. The VBS dropper download and execute both DUNIHI and Adwind.

DUNIHi connects to pm2bitcoin[.]com:62103, while the Adwind/jRAT variant contacts the badnulls[.]hopto[.]org:3011.

Experts suggest a multilayered approach to security when dealing with a cross-platform threat like Adwind.

“IT administrators should regularly keep networks and systems patched and updated.”

“Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network.” concluded Trend Micro.

“Businesses should commit to training employees, review company policies, and develop good security habits.”

Malware researcher have dismantled the EITest Network composed of 52,000
15.4.2018 securityaffairs 

Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign and shut down it.
Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign that leveraged on a network of hacked servers exploited by crooks to distribute traffic (TDS).

The network was used to redirect users to compromised domains hosting exploit kits, delivering malware or used for other fraudulent activities such as tech scams.

EITest infrastructure was first discovered back in 2011, from middle 2014 crooks started using it as a TDS botnet.

“researchers traced the chain via server side artifacts and some historical analysis of server side compromises to infections as early as 2011 when it was redirecting to a private EK known as Glazunov.” wrote Proofpoint researcher Kafeine.

“The infection chain appears to have paused between the end of 2013 and the beginning of July 2014, when it began directing into Angler“

Hackers installed a backdoor on the compromised machines and used it to redirect legitimate traffic to malicious websites, for this reason, experts defined EITest as the “king of traffic distribution.”

“EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts.” reads the analysis published “Malware don’t need coffee.” website.

“Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites.”

According to researcher Kafeine, crooks behind the EITest campaign started selling hijacked traffic from hacked sites for $20 per 1,000 users, selling traffic blocks of 50-70,000 visitors, generating between $1,000 and $1,400 per block of traffic.

“in the past month the activity behind this infection chain has primarily consisted of social engineering [1] and tech support scams [3] leading to ransomware.” added Kafeine.

Early 2018, a malware a researcher at BrillantIT was able to sinkhole the botnet after discovered how to crack the way the bots contact the C&C servers.

EITest campaign shut down

The experts were able to hijack the entire EITest network by seizing just one domain (stat-dns.com) Traffic analysis allowed the researchers to discover that the botnet handled about two million users per day coming from over 52,000 compromised websites, most of which were WordPress sites.

Kafeine added that following the successful sinkhole operation, the operators behind the botnet have shut down their C&C proxies. Kafeine added the experts noticed some encoded calls to the sinkhole that embedded commands they would associate with takeover attempts. At the time it is not clear who sent them, likely the operators or other researchers attempting to interact control infrastructure.

“Following the successful sinkhole operation, the actor shut down their C&C proxies, but we have not observed further overt reactions by the operators of EITest,” concluded Kafeine.

“However, we will continue to monitor EITest activity as the EITest actor may attempt to regain control of a portion of the compromised websites involved in the infection chain.”

Researchers Sinkhole Deep-Rooted "EITest" Infection Chain
14.4.2018 securityweek

Proofpoint on Thursday said that it has managed to sinkhole what could be the oldest “infection chain” out there, which redirected users to exploit kits (EKs), social engineering schemes, and other malicious or fraudulent operations.

Dubbed EITest and supposedly active since 2011, the infection chain has been associated with the distribution of ransomware, information stealers, and other malware. Performing around two million potential malicious redirects a day, the chain has been rendered ineffective after Proofpoint sinkholed it in collaboration with brillantit.com and abuse.ch.

In 2011, the infection chain was redirecting to a private EK known as Glazunov, but switched to Angler in July 2014, after being silent for about half a year. The actor behind EITest started rework on infrastructure around November 2013, the creation dates of command and control (C&C) domains reveal.

When the chain reappeared in July 2014, it was spreading multiple payloads, which suggested that it was either selling loads or traffic. The researchers confirmed the actor was selling traffic, “in blocks of 50-70,000 visitors for US$20 per thousand, generating between $1,000 and $1,400 per block of traffic.”

EITest began using social engineering schemes in January 2017, which over the past several months was primarily concentrated around social engineering and tech support scams leading to ransomware.

Last year, EITest was involved in a malicious campaign targeting Chrome users with fake font update notifications but serving malware instead. Also last year, the infection chain was observed redirecting to the RIG-V EK.

The security researchers managed to fully sinkhole the EITest operation on March 15, 2018.

“The C&C domains were generated from the resolution of a key domain ‘stat-dns[.]com’. Once seized, we pointed that domain to a new IP address to generate four new EITest C&C domains. These, in turn, were pointed to an abuse.ch sinkhole,” Proofpoint security researcher Kafeine explains.

By generating the new domains, the security researchers replaced the malicious server with a sinkhole, which allowed them to receive the traffic from the backdoors on the compromised websites. Thus, they could prevent the resulting malicious traffic and injects from reaching users, but the cleanup efforts are ongoing.

From March 15 to April 4, 2018, the sinkhole received nearly 44 million requests from roughly 52,000 servers, which revealed compromised domains and the IP addresses and user agents of the users who browsed to the compromised servers. The complete list of compromised websites was shared with national CERTs.

Most of the compromised websites were using the WordPress content management system, Kafeine reveals. The United States emerged as the top country accessing EITest-compromised websites, followed by Ukraine, Canada, France, and Ireland.

“EITest is one of the oldest and largest infection chains, which, early in its operation, primarily distributed malware via a private exploit kit. In more recent years, the operators of EITest became prolific sellers of traffic to EK operators and social engineering schemes through their large network of compromised web servers,” Kafeine notes.

Following the sinkhole operation, the EITest C&C proxies were shut down, and the actor behind the infection chain apparently went silent. The researchers did observe some encoded calls to the sinkhole that were associated with takeover attempts, but it’s unclear whether they were initiated by the operator or other researchers or threat actors.

Malware Activity Slows, But Attacks More Sophisticated: Report
9.4.2018 securityweek

Malicious Cryptomining Spikes, While Virtually All Other Malware Declines

Malware activity declined in the first quarter of 2018, with both detections for ransomware and cryptominers lower than the last quarter of 2018, according to anti-malware vendor Malwarebytes. However, major reductions in consumer instances mask an increase in both activities against businesses, the company says.

Consumer cryptominers dropped from a peak of 25 million detections in October 2017 to 16 million detections in March 2018. Business detections spiked in February 2017 to around 550,000 detections dropping down to nearly 400,000 in March -- a downturn that may prove temporary due to "a shift in attack strategy".

Ransomware detections have continued the downward trend that started in the middle of last year. Again, however, the large 34% decrease in consumer detections hides a 27% increase in business detections from the last quarter of 2107 to the first quarter of 2018.

Figures come from Malwarebytes' Cybercrime Tactics and Techniques report (PDF) for Q1 2018. Details are gathered from the firm's consumer and business telemetry, and enhanced with intelligence from the company's research and data science teams. It confirms the findings of other malware researchers: that is, increasing criminal interest in cryptomining, where the proceeds of the criminal activity require less effort -- and are more certain -- than the collection of ransoms from ransomware victims.

They also show a shift (albeit only relative) away from consumers towards businesses. Businesses can afford to pay higher ransoms, and may be forced to pay for reasons outside of their own control (to ensure that service level and other contracts are met, or, for healthcare, to ensure continuous service to patients). At the same time, business computers will likely have greater processing capacity for illicit mining.

The one-time kings of ransomware, Locky and Cerber, have largely disappeared; "the most interesting examples of active ransomware in Q1 came in the form of GandCrab, Scarabey, and Hermes," reports Malwarebytes. GandCrab was first spotted in January 2018, being distributed by a diversified RIG EK and the returning GrandSoft EK. It is also distributed via Necurs email spam and ElTest malware campaigns via compromised websites.

While bitcoin remains the most frequently demanded payment mechanism for ransomware, there has been some recent diversification into other cryptocurrencies. GandCrab, for example, demands payment in Dash, "likely," says Malwarebytes, "a sign that threat actors are opting for currencies with lower transaction fees than BTC, and a touch more anonymity in the bargain."

Scarabey, a variant of the Scarab ransomware, seeks to frighten victims into rapid payment by threatening to permanently delete files every day that the ransom remains unpaid. Malwarebytes' analysis, however, concludes, "there's nothing in the ransomware's code that would allow this. It's just a pressure-filled ruse designed to panic victims into paying faster." The firm recommends that future claims of Scarabey's capabilities should be treated with 'a healthy dose of skepticism'.

Hermes was originally distributed via malicious Office documents. By March, it was using a sophisticated exploit kit called GreenFlash Sundown. "After analyzing Hermes," notes the report, "we found it to be a fully functional ransomware. However, we cannot be sure what the real motivations of the distributors were. Looking at the full context, we may suspect that it was politically motivated rather than a profit-driven attack."

The primary methods for illicit cryptomining are by delivered malware, or via the user's browser (through drive-by mining or malicious extensions). In both cases, attackers seek to compromise or make use of as many computers as possible in order to maximize the mining process. The malware itself is fairly unsophisticated, but the delivery mechanisms are not. Two separate groups, for example, made use of the same exploits used in WannaCry to infect hundreds of thousands of Windows servers and generate millions of dollars in revenue.

Drive-by browser-based cryptomining really started with CoinHive in mid-September 2017. Weaknesses in the API soon led to its abuse. Visitors to compromised websites found their computers being silently used, via their browser, for cryptomining -- a process that continues for as long as the visited page remains open. Some miners have developed pop-under capabilities to ensure that the mining continues in a hidden tab even after the user has 'left' the affected website.

As ad-blockers and security firms have got better at detecting and blocking CoinHive, criminals have gone to greater lengths to mask their activity. "The lowest number of drive-by cryptomining detections recorded in a single day," notes Malwarebytes, "was still over 1 million."

Cryptomining is now the second most detected malware for both businesses and consumers. Top for business is spyware, and top for consumers is adware. Ransomware is sixth for both business and consumer. Malwarebytes predicts that cryptomining will continue to grow -- not least, it suggests, because both spyware and adware have the ability to drive victims to cryptomining landing pages. Indeed, this has already happened with the Trickbot spyware. The future of ransomware is not clear. While it is unlikely to go away, "whether we will see a return to the levels of distribution we observed in previous years is anyone's guess."

Malwarebytes has timed the announcement of a new product with the publication of this report: Malwarebytes Endpoint Protection and Response. This is in keeping with the expansion of anti-malware capabilities into full endpoint protection and response (EDR) products (Barkly did similar last week). The intention is to provide greater visibility into the context of a malware incident in order to improve the security team's ability to respond to it.

"Many businesses don't have the resources to bring on dedicated, highly-specialized EDR technology and talent, leaving them with a tool that simply adds to a long queue of alerts, without fixing the underlying problems," explains Marcin Kleczynski, CEO at Malwarebytes. "Endpoint Protection and Response provides proven endpoint protection with integrated detection and response capabilities via a single agent, so organizations of all sizes can easily protect their endpoints from targeted attacks, thoroughly remediate systems and rollback ransomware."

Crooks distribute malware masquerade as fake software updates and use NetSupport RAT
9.4.2018 securityaffairs

Researchers at FireEye have spotted a hacking campaign leveraging compromised websites to spread fake updates for popular software that were also used to deliver the NetSupport Manager RAT.
NetSupport is an off-the-shelf RAT that could be used by system admins for remote administration of computers. In the past, crooks abuse this legitimate application to deploy malware on victim’s machines.

Researchers at FireEye have spotted a hacking campaign that has been active for the past few months and that has been leveraging compromised websites to spread fake updates for popular software (i.e. Adobe Flash, Chrome, and FireFox) that were also used to deliver the NetSupport Manager remote access tool (RAT).

Once the victims have executed the updates, a malicious JavaScript file is downloaded, in most cases from a Dropbox link.

“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT).” reads the analysis published by FireEye.

“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”

The JavaScript file gathers info on the target machine and sends it to the server that in turn sends additional commands, then it executes a JavaScript to deliver the final payload. The JavaScript that delivers the final payload is dubbed Update.js, it is executed from %AppData% with the help of wscript.exe.

netsupport RAT Update.js
According to FireEye, vxers used multiple layers of obfuscation to the initial JavaScript, while the second layer of the JavaScript contains the dec function that allows to decrypt and execute more JavaScript code.

“since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception.” continue the analysis.

Once executed, the JavaScript contacts the command and control (C&C) server and sends a value named ‘tid’ and the current date of the system in an encoded format, the server, in turn, provides a response that the script then decodes and executes it as a function named step2.

The step2 function collects and encodes various system information, then sends it to the server: architecture, computer name, user name, processors, OS, domain, manufacturer, model, BIOS version, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.

The server then responds with a function named step3 and Update.js, which it the script to downloads and executes the final payload.

The Javascript uses PowerShell commands to download multiple files from the server, including:

7za.exe: 7zip standalone executable
LogList.rtf: Password-protected archive file
Upd.cmd: Batch script to install the NetSupport Client
Downloads.txt: List of IPs (possibly the infected systems)
Get.php: Downloads LogList.rtf
The script performs the following tasks:

Extract the archive using the 7zip executable with the password mentioned in the script.
After extraction, delete the downloaded archive file (loglist.rtf).
Disable Windows Error Reporting and App Compatibility.
Add the remote control client executable to the firewall’s allowed program list.
Run remote control tool (client32.exe).
Add Run registry entry with the name “ManifestStore” or downloads shortcut file to Startup folder.
Hide the files using attributes.
Delete all the artifacts (7zip executable, script, archive file).
Attackers use the NetSupport Manager to gain remote access to the compromised systems and control it.

The final JavaScript also downloaded a list of IP addresses that could be compromised systems, most of them in the U.S., Germany, and the Netherlands.

Further details, including the IOCs are reported in the analysis.

NetSupport Manager RAT Spread via Fake Updates
9.4.2018 securityweek

A campaign that has been active for the past few months has been leveraging compromised websites to spread fake software updates that in some cases delivered the NetSupport Manager remote access tool (RAT), FireEye reports.

A commercially available RAT, NetSupport Manager is employed by administrators for remote access to client computers. However, the legitimate application can also be abused by malicious actors who install it on victim computers without the owners’ knowledge, to gain unauthorized access to their machines.

For distribution, the actors abuse compromised websites and masquerade the RAT as fake updates for popular applications, including Adobe Flash, Chrome, and FireFox. Should the user accept the update, a malicious JavaScript file is downloaded, mostly from a Dropbox link.

The file collects basic system information and sends it to the server, receives additional commands from the server, and then executes a JavaScript to deliver the final payload. Named Update.js, the JavaScript that delivers the payload is executed from %AppData% with the help of wscript.exe, FireEye says.

The malware authors applied multiple layers of obfuscation to the initial JavaScript and attempted to make analysis harder for the second JavaScript file. By using the caller and callee function code to get the key for decryption, the attackers ensured that, once an analyst adds or removes anything from it, the script won’t retrieve the key and will terminate with an exception.

After initial execution, the JavaScript initiates the connection to the command and control (C&C) server and sends a value named tid and the current date of the system in encoded format. The script then decodes the server response and executes it as a function named step2.

This function collects various system information, encodes it and sends it to the server: architecture, computer name, user name, processors, OS, domain, manufacturer, model, BIOS version, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.

The server then responds with encoded content: a function named step3 and Update.js, which downloads and executes the final payload.

The code leverages PowerShell commands to download multiple files from the server, including a 7zip standalone executable, a password-protected archive file containing the RAT, and a batch script to install the NetSupport client on the system.

The batch script was also designed to disable Windows Error Reporting and App Compatibility, add the remote control client executable to the firewall’s allowed program list, add a Run registry entry or download a shortcut file to Startup folder for persistence, hide files, delete artefacts, and execute the RAT. During analysis, the researchers noticed that the script was regularly updated by the malware.

With the help of NetSupport Manager, attackers could gain remote access to the compromised systems, transfer files, launch applications, get the system’s location, and remotely retrieve inventory and system information.

The final JavaScript also downloaded a txt file containing a list of IP addresses that the researchers say could be compromised systems. These IPs belong mostly to the U.S., Germany, and the Netherlands, but to other regions as well.

ATMJackpot, a new strain of ATM Malware discovered by experts
9.4.2018 securityaffairs

A new strain of ATM jackpotting malware dubbed ATMJackpot has been discovered by experts at Netskope Threat Research Labs.
The malware is still under development and appears to have originated in Hong Kong, it has a smaller system footprint compared with similar threats.

“Netskope Threat Research Labs has discovered a new ATM malware, “ATMJackpot.” The malware seems to have originated from Hong Kong and has a time stamp on the binary as 28th March 2018.” reads the analysis published by the experts at Netskope.

“It is likely that this malware is still under development. Compared with previously-discovered malware, this malware has a smaller system footprint,”

The malware has a smaller system footprint, it has a simple graphical user interface that displays a limited number of information, including the hostname, the service provider information such as cash dispenser, PIN pad, and card reader information.

ATMJackpot malware

At the time, it is not clear that attack vector for the ATMJackpot malware, usually this kind of malware are manually installed via USB on ATMs, or downloaded from a compromised network.

“ATM Malware propagates via physical access to the ATM using USB, and also via the network by downloading the malware on to already-compromised ATM machines using sophisticated techniques.” continues the analysis.

ATMJackpot malware first registers the windows class name ‘Win’ with a procedure for the malware activity, then the malicious code creates the window, populates the options on the window, and initiates the connection with the XFS manager.

The XFS manager implements API to access that allow controlling the ATM devices from different vendors. The malware opens a session with the service providers and registers to monitor events, then it opens a session with the cash dispenser, the card reader, and the PIN pad service providers.

Once the session with service providers are opened, the malware is able to monitor events and issue commands.

Experts believe authors of the malware will continue to improve it and they expect it will be soon detected in attacks in the wild.

The number of ATM jackpot attacks is increasing in recent years, in January US Secret Service warned of cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

In May 2017, Europol arrested 27 for jackpotting attacks on ATM across Europe, in September 2017 Europol warned that ATM attacks were increasing.

Criminal organizations are targeting ATM machines through the banks’ networks, the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

A few weeks ago, the alleged head of the Carbanak group was arrested in Spain by the police, the gang is suspected of stealing about £870m (€1bn) in a bank cyberheist.

Further information on ATM Malware and jackpotting are available here.

Experts spotted a campaign spreading a new Agent Tesla Spyware variant
9.4.2018 securityaffairs

A new variant of the infamous Agent Tesla spyware was spotted by experts at Fortinet, the malware has been spreading via weaponize Microsoft Word documents.
Agent Tesla is a spyware that is used to spy on the victims by collecting keystrokes, system clipboard, screenshots, and credentials from the infected system. To do this, the spyware creates different threads and timer functions in the main function.

The experts first discovered the malware in June, when they observed threat actors spreading it via a Microsoft Word document containing an auto-executable malicious VBA Macro.

Once the users have enables the macro, the spyware will be installed on the victim’s machine

The mail used in the last campaign contains text that appears not clear and it asks users to double click to enable the clear view.

Agent Tesla

“As you can see, it asks the victim to double click the blue icon to enable a “clear view.” Once clicked, it extracts an exe file from the embedded object into the system’s temporary folder and runs it. In this case, the exe file is called “POM.exe”.” continues the blog post.

When the users click on the blue icon, a POM.exe file written in Visual Basic being extracted from the embedded object, then it is saved to the system’s temporary folder and executed.

According to Fortinet, the POM.exe is a sort of installer for the final malware.

“Based on my analysis, it’s a kind of installer program. When it runs, it drops two files: “filename.exe” and “filename.vbs” into the “%temp%\subfolder”. It then exits the process after executing the file “filename.vbs”. Below, in figure 4, is the content of “filename.vbs”.” continues the analysis.

The variant used in the last campaign is similar to the older one except for the usage of the SMTPS to send the collected data to the attacker’s email box, instead of HTTP POST requests.

“However, the way of submitting data to the C&C server has changed. It used to use HTTP POST to send the collected data. In this variant, it uses SMTPS to send the collected data to the attacker’s email box.” continues the analysis.

“Based on my analysis, the commands used in the SMTP method include “Passwords Recovered”, “Screen Capture”, and “Keystrokes”, etc. The commands are identified within the email’s “Subject” field. For example:

“System user name/computer name Screen Capture From: victim’s IP”

The attackers used a free Zoho email account for this campaign.

New Agent Tesla Spyware Variant Discovered
8.4.2018 securityweek

A new variant of the Agent Tesla spyware has been spreading via malicious Microsoft Word documents, Fortinet reports.

The malware was initially detailed last June, when security researchers discovered it was spreading via a Microsoft Word document containing an auto-executable malicious VBA Macro. When opening the document, users were asked to “enable content,” which resulted in the spyware being covertly installed if they did so.

The malicious documents observed in the recent campaign instead ask the victim to double click a blue icon to enable a “clear view.” This action, however, results in a POM.exe file being extracted from the embedded object, which is saved to the system’s temporary folder and executed.

The POM.exe executable is written in Visual Basic and acts as an installer, Fortinet’s Xiaopeng Zhang reveals.

The Agent Tesla spyware was designed to collect keystrokes, system clipboard, screenshots, and credentials from a variety of installed software. To perform its nefarious activities, the malware creates different threads and timer functions in the main function.

The new malware variant has the same capabilities as the previously observed version, but uses SMTPS to send the collected data to the attacker’s email box, instead of HTTP POST requests.

“Based on my analysis, the commands used in the SMTP method include ‘Passwords Recovered’, ‘Screen Capture’, and ‘Keystrokes’, etc. The commands are identified within the email’s ‘Subject’ field,” the security researcher explains.

To receive the stolen information, the attacker registered a free Zoho email account for this campaign. The email service provider has been informed on the abuse, Fortinet says.

New Strain of ATM Jackpotting Malware Discovered
7.4.2018 securityweek 

A new type of ATM jackpotting malware has been discovered. Dubbed ATMJackpot, the malware appears to be still under development, and to have originated in Hong Kong. There are no current details of any deployment or use.

ATMJackpot was discovered and analyzed by Netskope Threat Research Labs. It has a smaller footprint than earlier strains of jackpotting malware, but serves the same purpose: to steal money from automated teller machines (ATMs).

ATM jackpotting -- also known as a logical attack -- is the use of malware to control cash dispensing from individual ATMs. The malware can be delivered locally to each ATM via a USB port, or remotely by compromising the ATM operator network.

Jackpotting has become an increasing problem in recent years, originally and primarily in Europe and Asia. In 2017, Europol warned that ATM attacks were increasing. "The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately," said Steven Wilson, head of Europol's EC3 cybercrime center.

The first attacks against ATMs in the U.S. were discovered in January 2018 following an alert issued by the Secret Service. In March 2018, the alleged leader of the Carbanak group was arrested in Spain. Carbanak is believed to have stolen around $1.24 million over the preceding years. Its method was to compromise the servers controlling ATM networks by spear-phishing bank employers, and then use foot soldiers (mules) to collect money dispensed from specific ATMs at specific times.

It is not clear whether the ATMJackpot malware discovered by Netskope is intended to be manually installed via USB on individual ATMs, or downloaded from a compromised network. Physical installation on an ATM is not always difficult. In July 2017, IOActive described how its researchers could gain access to the Diebold Opteva ATM. It was achieved by inserting a metal rod through a speaker hole and raising a metal locking bar. From there they were able to reverse engineer software to get access to the money vault.

Jackpotting malware is designed to avoid the need to physically break into the vault. It can be transferred via a USB port to the computer part of the ATM that controls the vault. Most ATMs use a version of Windows that is well understood by criminals. ATMJackpot malware first registers the windows class name 'Win' with a procedure for the malware activity.

The malware then populates the options on the window and initiates a connection with the XFS manager. The XFS subsystem provides a common API to access and manipulate the ATM devices from different vendors. The malware then opens a session with the service providers and registers to monitor events. It opens a session with the cash dispenser, the card reader and the PIN pad service providers.

It is then able to monitor events and issue commands. It can read data from the PIN pad, dispense cash, and eject cards.

Whether ATMJackpot will be used in earnest is not yet known. Nevertheless, it is a new example of the malware used in a growing problem -- stealing money from the world's automated teller machines.

Los Altos, CA-based Netskope is a cloud access security broker (CASB). Founded in 2012, it announced an oversubscribed Series E funding round that raised $100 million in June 2017, bringing the total raised by the company to $231.4 million.

Thousands of compromised Magento websites delivering Malware
5.4.2018 securityaffairs Cryptocurrency 

Hackers compromised hundreds of Magento e-commerce websites to steal credit card numbers and install crypto-mining malware.
According to the security firm Flashpoint, hackers launched brute-force attacks against Magento installs, they used a dictionary composed of common and known default Magento credentials.

“Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.” reads the analysis published by Flashpoint.

“The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials.”

The security firms revealed that at hackers already compromised at least 1,000 Magento admin panels, most of the victims are in the US and Europe and operate in the education and healthcare industries.

The threat actors behind this campaign are also targeting other popular e-commerce-processing CMS such as Powerfront CMS and OpenCarts.

According to the experts, it quite easy to find discussions on crime forums about how to compromise CMS platforms

The lack of proper security measures makes it easy for crooks to compromise websites, sometimes just using a simple script.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.” continues the post.

When hackers successfully compromised a Magento installation, they can inject malicious code into the core file to perform a wide range of malicious activities, such as stealing payment card data from the website.

The attackers can also use the compromised Magento installs to mine cryptocurrency by using a malware such as the Rarog cryptocurrency miner.

The compromised sites return an exploit masquerades as a phony Adobe Flash Player update, once the victims will launch it a malicious JavaScript is executed, its function is to download malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner.” continues the analysis.

“The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.”

Magento Infographic-813x1024

Flashpoint, with the support of law enforcement, is notifying victims of the security breaches.

Magento admins are recommended to review CMS account logins and adopt mitigation measured against brute-force attacks, for example by limiting the number of attempts or enforcing two-factor authentication.

Fauxpersky Keylogger masqueraded as Kaspersky Antivirus and spreads via USB drives
31.3.2018 securityaffairs 

Security researchers at Cybereason recently discovered a credential-stealing malware dubbed Fauxpersky, that is masquerading as Kaspersky Antivirus and spreading via infected USB drives.
Fauxpersky was written in AutoIT or AutoHotKey, which respectively are a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting and a free keyboard macro program to send keystrokes to other applications.

The analysis of infected systems revealed the existence of four dropped files, attackers named them as Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

After initial execution, the Fauxpersky keylogger gathers the listed drives on the machine and starts replicating itself to them.

“This AHK keylogger utilizes a fairly straightforward method of self propagation to spread. After the initial execution, the keylogger gathers the listed drives on the machine and begins to replicate itself to them. Let’s examine the process:” reads the analysis.

“This allows the keylogger to spread from a host machine to any connected external drives. If the keylogger is propagating to an external drive, it will rename the drive to match it’s naming scheme.”

The malware renames the external drives to match its naming scheme, the new name is composed of the following convention:

original name:size:”Secured by Kaspersky Internet Security 2017”

it also creates an autorun.inf file to point to a batch script.

One of the dropper files, Explorers.exe, includes a function called CheckRPath() designed creates the files if they are not already present on the drive.

The keylogger created the files with attributes System and Hidden and also creates the necessary directories, with parameters of Read-Only, System, and Hidden.

“When starting the process of creating the component files (HideRFiles()) we begin by starting a loop. This loop allows the keylogger to iterate over the various output files it needs to write to disk in a structured way.” continues the analysis. “We can see that the link (a .lnk shourtcut file), text, and batch files will all be created for each disk to start. Then the value passed to the function gets incremented to allow the created directory to be moved as a whole once the files have been placed there. “

The files are stored in the source directory named Kaspersky Internet Security 2017 when it is copied to the new destination. The folder included a Kaspersky image named Logo.png and a text file containing instructions for users to disable their antivirus if execution fails. The instructions also include a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

Fauxpersky monitors the currently active window using the AHK functions WinGetActiveTitle() and input(), Keystrokes are appended to the file Log.txt that is stored in %APPDATA%\Kaspersky Internet Security 2017.

The malware gains persistence by changing the working directory of the malware to %APPDATA% and creating the Kaspersky Internet Security 2017 folder. It checks that all the necessary files are created in %APPDATA% and copies them there if they aren’t.

The files Spoolsvc.exe is used to change the values of registry keys to prevent the system from displaying hidden files and to hide system files, then it verifies if explorers.exe is running and launches it if not.

Fauxpersky keylogger

Fauxpersky exfiltrates the keylogged data using a Google form.

“Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the “logistics” involved in data exfiltration. Using this technique means there’s no need to maintain an anonymized command and control server plus data transmissions to docs.google.com is encrypted and doesn’t look suspicious in various traffic monitoring solutions.” Cybereason concluded.

The latest variant of the Panda Banker Trojan target Japan
30.3.2018 securityaffairs

Security researchers at Arbor Networks have discovered a threat actor targeting financial institutions in Japan using the Panda Banker banking malware (aka Zeus Panda, PandaBot)
Panda Banker was first spotted 2016 by Fox-IT, it borrows code from the Zeus banking Trojan.

In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.

The Panda Banker is sold as a kit on underground forums, the variant used in the last attacks against Japan if the version 2.6.6 that implements the same features as the previous releases.

“A threat actor using the well-known banking malware Panda Banker (a.k.a Zeus Panda, PandaBot) has started targeting financial institutions in Japan.” reads the analysis published by Arbor Networks.

“Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.”

An interesting aspect of this campaign targeting Japan is that none of the indicators of compromise (IOC) was associated with previous attacks.

The threat actor delivered the banking trojan through malvertising, victims were redirected to the domains hosting the RIG-v exploit kit.

Crooks leveraged on multiple domains and C&C servers, but at the time of the analysis, only one of them was active. The unique active domain hillaryzell[.]xyz was registered to a Petrov Vadim and the associated email address was yalapinziw@mail.ru.

The campaign that hit Japan also targeted websites based in the United States, search engines, and social media sites, an email site, a video search engine, an online shopping site, and an adult content hub.

“The threat actor named this campaign “ank”.” continues the analysis. “At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:

17 Japanese banking web sites mostly focusing on credit cards
1 US based web email site
1 US based video search engine
4 US based search engines
1 US based online shopping site
2 US based social media sites
1 US based adult content hub”
The webinjects employed in this campaign leverage the Full Info Grabber automated transfer system (ATS) to capture user credentials and account information.

Panda Banker

Panda Banker Trojan Goes to Japan
30.3.2018 securityweek

The banking Trojan known as Panda Banker is now targeting financial institutions in Japan for what appears to be first time.

Also known as Panda Zeus, the malware was first observed in 2016, based on the leaked source code of the infamous Zeus banking Trojan. The threat has been involved in multiple infection campaigns targeting users worldwide, including an attack that leveraged poisoned Google searches for malware delivery.

Designed to steal user credentials via man-in-the-browser and webinjects that specify what websites to target and how, Panda Banker has received consistent, incremental updates ever since its first appearance on the threat landscape.

The Trojan is being sold as a kit on underground forums, meaning that it has a large number of users. Cybercriminals using it target various countries, likely based on their ability to convert the stolen credentials into real money.

Since the beginning of 2016, Panda Banker has been observed in campaigns targeting financial institutions in Italy, Canada, Australia, Germany, the United States, and the United Kingdom, and now in attacks focusing on Japan as well.

The Panda Banker iteration observed in the new attacks is version 2.6.6, which features the same capabilities as the previous releases, without significant changes.

However, not only does the malware feature webinjects targeting Japan now, but Arbor Networks security researchers discovered that none of the indicators of compromise (IOC) in this campaign overlaps with IOCs from previous attacks.

For the distribution of the malware, the threat actors behind these attacks used malicious advertisements (malvertising) to redirect victims to the RIG-v exploit kit. The toolkit then attempts to exploit vulnerabilities on the victims’ systems to download and execute the Trojan.

The campaign operators used multiple domains as their command and control (C&C) servers, but only one of them was found to be operational. The domain was registered to a Petrov Vadim using the email address yalapinziw@mail.ru.

As part of the campaign, which the threat actor named ank, 27 webinjects were included in Panda Banker, 17 of which target Japanese banking websites. The remaining 10 target websites based in the United States: four search engines, 2 social media sites, an email site, a video search engine, an online shopping site, and an adult content hub.

The webinjects used in this campaign employ the Full Info Grabber automated transfer system (ATS) to capture user credentials and account information.

According to Arbor Networks, while this was the first time they encountered a Panda Banker variant targeting Japan, the country is no stranger to banking Trojans. Previously, it was hit by attacks that employed the Ursnif and Urlzone financial malware.

Kaspersky Open Sources Internal Distributed YARA Scanner
30.3.2018 securityweek

Kaspersky Lab has released the source code of an internally-developed distributed YARA scanner as a way of giving back to the infosec community.

Originally developed by VirusTotal software engineer Victor Alvarez, YARA is a tool that allows researchers to analyze and detect malware by creating rules that describe threats based on textual or binary patterns.

Kaspersky Lab has developed its own version of the YARA tool. Named KLara, the Python-based application relies on a distributed architecture to allow researchers to quickly scan large collections of malware samples.

Looking for potential threats in the wild requires a significant amount of resources, which can be provided by cloud systems. Using a distributed architecture, KLara allows researchers to efficiently scan one or more YARA rules over large data collections – Kaspersky says it can scan 10Tb of files in roughly 30 minutes.

“The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms,” Kaspersky explained.

KLara provides a web-based interface where users can submit jobs, check their status, and view results. Results can also be sent to a specified email address.

The tool also provides an API that can be used to submit new jobs, get job results and details, and retrieve the matched MD5 hashes.

Kaspersky Lab has relied on YARA in many of its investigations, but one of the most notable cases involved the 2015 Hacking Team breach. The security firm wrote a YARA rule based on information from the leaked Hacking Team files, and several months later it led to the discovery of a Silverlight zero-day vulnerability.

The KLara source code is available on GitHub under a GNU General Public License v3.0. Kaspersky says it welcomes contributions to the project.

This is not the first time Kaspersky has made available the source code of one of its internal tools. Last year, it released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations.

GoScanSSH Malware Targets Linux Servers
30.3.2018 securityweek

A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.

The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.

The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

The credential combinations used in these attacks targeted Open Embedded Linux Entertainment Center (OpenELEC); Raspberry Pi; Open Source Media Center (OSMC); jailbroken iPhones; Ubiquiti device, PolyCom SIP phone, Huawei device, and Asterisk default credentials; and various keyboard patterns and well-known commonly used passwords.

Talos discovered over 70 unique GoScanSSH samples compiled to target multiple system architectures (x86, x86_64, ARM, and MIPS64).

Following infection, the malware attempts to determine how powerful the infected system is by determining how many hash computations it can perform within a fixed time interval. The malware sends the information to the C&C, along with basic information about the machine and a unique identifier.

The malware was designed to access Tor-hosted C&C domains using the Tor2Web proxy service, without the need of installing the Tor client on the compromised system. The communication between the bot and the server is authenticated to ensure it cannot be hijacked.

GoScanSSH can scan and identify vulnerable SSH servers exposed to the Internet. For that, it randomly generates IP addresses, but avoids special-use addresses, such as those assigned to the U.S. Department of Defense or to an organization in South Korea.

The malware attempts to establish a TCP connection to the selected IP address and, if that succeeds, it checks if the IP address resolves to a domain name. If that is true, it checks if the domain is related to a government or military entity and terminates the connection if that happens.

Before starting the SSH scanning activity, the malware waits for a response from the C&C server and activates a sleep function if that doesn’t happen.

Due to an increase in the number of attempts to resolve one of the C&C domains, Talos believes the number of compromised hosts is increasing. They also discovered some resolution attempts dating back to June 19, 2017, suggesting that the campaign has been ongoing for at least nine months.

The C&C with the largest number of requests had been seen 8,579 times. The security researchers discovered a total of 250 domains associated with the malware’s activity.

“These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals. Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world. Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them,” Talos concludes.

Fileless Crypto-Mining Malware Discovered
30.3.2018 securityweek

Malicious crypto-miners have invaded the threat landscape over the past year, fueled by a massive increase in the value of crypto-currency.

A recent attack discovered by security researchers from Minerva Lab used malware dubbed GhostMiner, which has adopted the most effective techniques used by other malware families, including fileless infection attacks.

Focused on mining Monero crypto-currency, the new threat used PowerShell evasion frameworks – Out-CompressedDll and Invoke-ReflectivePEInjection – that employed fileless techniques to hide the malicious code.

Each of the malware’s components was designed for a different purpose: one PowerShell script to ensure propagation to new machines, and another to perform the actual mining operations.

“This evasive approach was highly effective at bypassing many security tools: some of the payloads analyzed were fully undetected by all the security vendors,” Minerva Labs’ Asaf Aprozper and Gal Bitensky reveal.

The security researchers compared the detection of the malicious executable with and without the fileless method and discovered that, once the fileless module is removed, most of the VirusTotal vendors would detect the payload.

The PowerShell script in charge with infecting new victims targets servers running Oracle’s WebLogic (leveraging the CVE-2017-10271 vulnerability), MSSQL, and phpMyAdmin.

Despite that, however, the attack only attempts to exploit WebLogic servers, the security researchers say. For that, the malicious code randomly probes IP addresses, creating numerous new TCP connections per second, in an attempt to discover vulnerable targets.

Communication with the command and control (C&C) server is performed via HTTP through Base64-encoded requests and replies. The protocol the malware uses to exchange messages involves a simple hand shake followed by a request to perform various tasks. Once the task is completed, a new request is sent to the server.

Launched directly from memory, the mining component is a slightly customized version of the open source XMRig miner.

The mining operation, Minerva Labs researchers say, had been running for about three weeks by the time they discovered it, but the attackers have made only 1.03 Monero (around $200) to date, based on the employed wallet. However, the attackers might also be using addresses that the researchers haven’t detected yet.

“Another potential explanation for the low ‘revenues’ of the GhostMiner campaign is the aggressive rivalry between mining gangs. There are plenty of potential victims, but the exploits and techniques they use are public. The attackers are aware that their competitors share the same toolset and try to infect the same vulnerable machines,” the security researchers note.

The analysed sample itself contained a variety of techniques meant to kill the process of any other miner running on the targeted machine. These include PowerShell’s “Stop-Process -force” command, stopping blacklisted services and blacklisted scheduled tasks by name using exe, and stopping and removing miners by their commandline arguments or by looking at established TCP connections.

Minerva Labs security researchers also suggest that defenders use similar methods as these “competitor killers” to prevent malicious miners from running on endpoints. They even provide a killer script that can be modified for such purposes.

New ThreadKit exploit builder used to spread banking Trojan and RATs
29.3.2018 securityaffairs

A recently discovered Microsoft Office document exploit builder kit dubbed ThreadKit has been used to spread a variety of malware, including RATs and banking Trojans.
Security experts at Proofpoint recently discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. Trickbot, Chthonic, FormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.

“In October 2017, Proofpoint researchers discovered a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics.” reads the analysis published by ProofPoint. “While the documents produced by this kit exhibited some minor similarities to Microsoft Word Intruder (MWI), we determined that they were likely produced by a new exploit builder kit, which we started tracking as ThreadKit.”

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

The decoy documents used in past campaigns performed an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents were triggering the CVE-2017-0199 vulnerability in Office to download and execute an HTA file that would then download the decoy and a malicious VB script to extract and run the embedded executable.


The last step of the infection sees the execution of the Smoke Loader, a small application used to download other malicious codes, in these specific attacks a banking malware.

Starting from October 2017, researchers observed the ThreadKit triggering the CVE 2017-8759 vulnerability.

“In October 2017, we started observing corresponding campaigns utilizing CVE-2017-8759. This version of ThreadKit employed a similar infection statistic initial C&C check-in and HTA to execute the embedded executable. Other changes were made to the way the exploit documents operate, in addition to integrating the new vulnerabilities.” continues the analysis.

Since November, ThreadKit integrated the code for the exploitation of the CVE 2017-11882, a 17-Year-Old flaw in MS Officeexploited by remote attackers to install a malware without user interaction.

In the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

Proofpoint researchers observed numerous campaigns featuring ThreadKit-generated Office attachments packing exploits that were likely copied from PoC code available on a researcher’s GitHub repo.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June, 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors.” concluded Proofpoint.

jRAT Leverages Crypter Service to Stay Undetected
28.3.2018 securityweek

In recently observed attacks, the jRAT backdoor was using crypter services hosted on the dark web to evade detection, Trustwave security researchers have discovered.

Also known as Adwind, AlienSpy, Frutas, Unrecom, and Sockrat, the jRAT malware is a Windows-based Remote Access Trojan (RAT) discovered several years ago that has already infected nearly half a million users between 2013 and 2016. The threat has been hitting organizations all around the world and was recently spotted as part of an ongoing campaign.

jRAT allows its operators to control it remotely to achieve complete control of the infected system. With the help of this backdoor, attackers can capture keystrokes, exfiltrate credentials, take screenshots, and access the computer’s webcam, in addition to executing binaries on the victim’s system.

“It is highly configurable to whatever the attacker's motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use,” Trustwave notes.

Starting early this year, Trustwave security researchers observed a spike in spam messages delivering the malware and also noticed that security reports tend to misclassify the Java-based RAT due to the use of said crypter service.

The malware was being distributed through malicious emails carrying either an attachment or a link. The emails would pose as invoices, quotation requests, remittance notices, shipment notifications, and payment notices.

The recently analyzed samples, the researchers say, revealed that the same tool or service was used to obfuscate all of them. Furthermore, all of them attempted to download a JAR file from a Tor domain that turned out to be a service hosted by QUAverse.

QUAverse (QUA) is linked to QRAT, a RAT-as-a-service platform developed in 2015 which is seen as one of jRAT's competitors. The presence of these artifacts were able to set investigators on the wrong path, but the de-obfuscated and decrypted samples were found to be indeed jRAT samples.

What Trustwave discovered was that jRAT uses a service from QUAverse called Qrypter. This is a Crypter-as-a-Service platform that makes Java JAR applications fully undetectable by morphing variants of the same file. For a certain fee, the service morphs a client's JAR file periodically to avoid being detected by antivirus products.

“We believe that the service monitors multiple AV products pro-actively and once it determines that the malware variant is being detected, it then re-encrypts the file thus producing a new mutant variant that is undetectable for a certain time period,” Trustwave notes.

When executed, jRAT downloads a new, undetectable copy of itself from the service and drops it on the infected machine's %temp% directory. The malware then executes and installs the newly crypted jar file.

By using the Qrypter service, the backdoor leverages a third-party crypter feature that should allow it to become fully undetectable, the security researchers point out.

“While jRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their target is how easily they are being detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines,” Trustwave notes.

Law enforcement arrested the head of the Carbanak gang that stole 1 billion from banks
26.3.2018 securityaffairs

The head of the crime ring behind the Carbanak gang that since 2013 targeted banks worldwide has been arrested in Spain.
The mastermind suspected of stealing about £870m (€1bn) in a bank cyber heist has been arrested in Spain.

The man is suspected to be the kingpin of the crime ring behind the Carbanak gang that since 2013 targeted banks worldwide with the homonym malware and the Cobalt malicious code.

“The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.” reads the official announcement from the Europol. “Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.”

The operation that allowed to arrest the head of the gang was conducted by the Europol, the FBI, along with cyber-security firms and law enforcement agencies in Spain, Romania, Belorussia and Taiwan.
In early 2016, the Carbanak gang target banks and financial institutions, mainly in the US and the Middle East.The Carbanak gang was first discovered by Kaspersky Lab in 2015. the group has stolen arounbd 1 billionn from 100 financial institutions.

In November 2016, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January 2017, the Carbanak gang started using Google services for command and control (C&C) communication.

The arrest was the result of one of the most important investigations conducted by the European authorities.

“This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

Which is the Carbanak modus operandi?

The infection started with a classic spear phishing attack that allowed Carbanak cybergang to compromise banks’ computer systems. The malicious emails included a link that once clicked triggered the download of the malware.

The malicious code was used by the hackers of the Carbanak cybergang to gather information on the targeted bank, for example, to find employees who were in charge of cash transfer systems or ATMs. In a second phase of the attacks, the hackers installed a remote access tool (RAT) to control the machines of those employees. With this tactic the Carbanak cybergang collected imagines of victims’ screens and study what their daily activity in the bank. At this point, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

Carbanak cybergang NYT

“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times

Online Sandbox Services Used to Exfiltrate Data: Researcher
21.3.2018 securityweek

Attackers can use online sandbox services to exfiltrate data from an isolated network, a SafeBreach security researcher has discovered.

The new research is based on the discovery that cloud anti-virus programs can be exploited for data pilfering. Last year, SafeBreach Labs’ Itzik Kotler and Amit Klein demonstrated proof-of-concept (PoC) malware abusing this exfiltration method, and said it would work even on endpoints that have no direct Internet connection.

The technique, the researchers revealed, relied on packing data inside an executable created by the main malware process on the compromised endpoint. Thus, if the anti-virus program on the endpoint uploads the executable to the cloud for further inspection, data is exfiltrated even if the file is executed in an Internet connected sandbox.

Now, SafeBreach security researcher Dor Azouri says that online sandbox services can be used for the same purposes and in similar circumstances. However, the researcher notes in a report (PDF) that an attacker using this method would need technical knowledge about their target network.

Unlike the previous technique, the new one doesn’t rely on code that can actively communicate out of the sandbox, but uses the sandbox service database itself as an intermediary for transferring data. The attack method does require incorporating the desired data into an executable and retrieving it by querying the sandbox service’s databases.

The attack starts with malware infecting the endpoint, gathering sensitive information from the machine, and packing it inside a file that is written to disk and executed to trigger the anti-virus agent. Next, a sandbox site is used to inspect the file by executing it, and the analysis results are saved in the site’s database. Finally, the attackers use the site’s API to grab the file.

Unlike last year’s method, the new one does not require the created executable to emit outbound network traffic for data exfiltration. Moreover, it makes the attacker less visible and more difficult to track, given that they gather the data passively from the sandbox service database.

However, the new technique can only be used in networks where suspicious samples are sent to an online sandbox engine, and also requires the attacker to know which kind of sandbox service the organization is using. Furthermore, although hidden, the exfiltraded data remains public in the service’s online databases.

The attack can be used for data exfiltration when the target organization sends suspicious files to VirusTotal for analysis, the security researcher says. The service requires a subscription to access information about the analysed files, but an attacker could find the exact executable they are looking for in the database.

The researcher presents a couple of manners in which the attack can be performed, namely Magic String using spacebin (where the attackers could both encode and encrypt the data to be exfiltrated) and the embedding of data inside well-known malware.

“Public sandbox services that allow both upload and search capabilities may be used as a means for data exfiltration. The database for these services is an intermediary for transferring hidden data from a source machine to an attacker who is looking for the expected data. Many permutations of this exfiltration model may be created - each features a different stealth level, ease of implementation, accuracy, capacity etc. We only demonstrated a couple of them,” Azouri concludes.

18.5 Million Websites Infected With Malware at Any Time
21.3.2018 securityweek

There are more than 1.86 billion websites on the internet. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day.

Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the sca≈nners provide insight to the state of malware in websites.

The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. "We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.

Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."

The majority of Sitelock's customers are typically small businesses and blogs. "Many website owners remain unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they've been compromised," said Ortega. This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.

Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of WordPress sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.

It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, Sitelock cleaned an average of 672,655 malicious files every week. It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.

Jessica Ortega, research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files. Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.

One of the problems is that the average website is very easy to compromise. Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.

Even CSM security updates can be used against the website if they are not immediately installed. "Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those vulnerabilities. They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."

Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," explains Ortega. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.

"Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal. Or they're just trying to further spread their malware to visitors via exploit kits."

Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited; but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.

Sixteen percent of infected sites were subsequently defaced, often with a political or religious message, often by such skiddies.

Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week
17.3.2018 thehackernews

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.
Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles.
Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.

At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.
However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users' computers.
"A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post published today.
Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.

Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.
"The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe."
Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.

It then immediately downloads CoinMiner component from its C&C server, and start using victims' computers mine cryptocurrencies for the attackers.
Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.
The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.
Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.

PinkKite POS Malware Is Small but Powerful
16.3.2018 securityweek

A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal.

Called PinkKite, the POS malware was observed last year as part of a large campaign that ended in December, but was only detailed last week at Kaspersky Lab’s Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, the malware is believed to have appeared last year for the first time.

Similar to previously observed POS malware families such as TinyPOS and AbaddonPOS, the new PinkKite has a very small size (it is less than 6kb) and uses its tiny footprint to evade detection. Despite this, however, the malware includes memory-scraping and data validation capabilities.

Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week’s SAS 2018, reveal that PinkKite uses a hardcoded double-XOR cipher to encrypt credit card numbers. It also features built-in persistence mechanisms, and a backend infrastructure that leverages a clearinghouse to exfiltrate data to (POS malware typically sends data to the command and control (C&C) server).

In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed.

The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy.

For distribution purposes, the attackers likely infected a system and then moved laterally across the targeted company’s network environment using PsExec. Next, the hackers used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), and then connected to the compromised systems to steal credit card data via a Remote Desktop Protocol (RDP) session.

The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program and uses names such as Svchost.exe, Ctfmon.exe and AG.exe for that. Different versions of the malware exist, including a whitelist variant that specifically targets processes in a list, and a blacklist iteration that instead ignores certain processes.

After scrapping credit card data from the system memory, PinkKite validates card numbers using a Luhn algorithm. It also employs a double-XOR operation to encode the 16 digits of the credit card number with a predefined key, and stores the data in compressed files that can hold as many as 7,000 credit card numbers each.

Using a separate RDP session, the files are sent to one of the employed clearinghouses. These remote systems collected hundreds or thousands of malware output files, the researchers discovered.

The attackers were stealthy enough to stay under the radar until the targeted organization was alerted on its customers’ credit card data being sold on the black market.

Travis Smith, principal security researcher at Tripwire, told SecurityWeek in an email that, even if this powerful malware family has a little footprint, its size has nothing to do with how it can be detected.

“A change on a static endpoint like a point-of-sale machine will stick out clearly with the proper controls. Application white listing is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point-of-sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection are key in a successful security architecture,” Smith said.

He also pointed out that the malware’s small size forced it to rely heavily on network communication, which can be prevented and detected.

“Since point-of-sale networks are also fairly static, any communication outside of an established baseline can be considered malicious until proven benign. Utilizing a whitelist set of firewall rules on the point-of-sale network will limit the malware from sending stolen credit cards to adversaries around the world,” Smith concluded.

Qrypter RAT hits 243 organizations worldwide in February
15.3.2018 securityaffairs

Qrypter RAT hits 243 organizations worldwide in February 2018, its popularity in the cybercrime ecosystem continues to increase.
A new strain of remote access Trojan dubbed Qrypter RAT (aka Qarallax, Quaverse, QRAT, and Qontroller) hit hundreds of organizations worldwide.

The malware was spotted by security firm Forcepoint, it has been around for a couple of years, it was first analyzed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.

The author of Qrypter RAT is an underground group called ‘QUA R&D’ that operates a Malware-as-a-Service (MaaS) platform.

Qrypter RAT is a Java-based RAT that leverages TOR-based command and control (C&C) servers (vvrhhhnaijyj6s2m[.]onion[.]top.). The malware is delivered via small malspam campaigns, in February the researchers observed three campaigns that hit 243 organizations.

Qrypter RAT

“In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family’s first coverage in the security industry.

Today, Qrypter continues to rise in prominence, typically being delivered via malicious email campaigns such as the one shown below.” reads the analysis published by Forcepoint.”

“While Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.”

Upon execution on the victim’s device, the Qrypter RAT drops and runs two VBS files in the %Temp% folder, both having a random filename. The scripts are used by the RAT to gather information on the firewall and anti-virus products installed on the victim’s machine.

The malware gain persistence by using Windows registry, in this way it is executed every time the machine restarts.

Qrypter is a modular malware, its main features are:

Remote desktop connection
Webcam access
File system manipulation
Installation of additional files
Task manager control
The Qrypter RAT is available for rent for a price of $80, users can pay it in PerfectMoney, Bitcoin-Cash, or Bitcoin. The authors offer a discount for three months or one-year subscriptions and provide support to their customers via a forum called ‘Black&White Guys’, which has over 2,300 registered members.

“An older Bitcoin address that receives payment for Qrypter subscriptions was observed to have received a total of 1.69 BTC. This is roughly 16,500 USD at the time of writing (although given the volatility of Bitcoin, this is subject to rapid change).” continues the analysis.

The authors are very active and continuously update their malware to make it undetectable to security software, for this reason, even “after nearly two years Qrypter remains largely undetected by anti-virus vendors.”

The business model of malware author is very effective, they use the forum also to offer discount codes and older RAT versions for free to customers, a strategy that allows them to increase their popularity in the criminal underground.

“This post highlights the determination of QUA R&D to replace the infamous Adwind in the cross-platform MaaS business. With two years of operation and over 2K registered users in their forum, it appears that they are getting increasing traction in underground circles.”

“While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments.”

Further info, including IoCs are available in the report.

Qrypter RAT Hits Hundreds of Organizations Worldwide
15.3.2018 securityweek

Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says.

The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform.

Also known as Qarallax, Quaverse, QRAT, and Qontroller, Forcepoint explains that Qrypter is a Java-based RAT that leverages TOR-based command and control (C&C) servers. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.

The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint's security researchers say.

When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers.

Qrypter is a plugin based backdoor that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control.

The RAT is available for rent for a price of $80, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Interested parties can purchase three months or one-year subscriptions for a discounted price, the security researchers discovered.

An older Bitcoin address associated with payments for Qrypter subscriptions was appears to have received a total of 1.69 BTC (around $13,500 at the time of publishing). This, however, is only one of the addresses that the malware authors use, meaning that their earnings could be much higher.

The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members.

Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes.

In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter's popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to create FUD (fear, uncertainty, and doubt) about competition.

“While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes.

Experts discovered a new tiny Pos Malware dubbed Pinkkite
15.3.2018 securityaffairs

Researchers presented findings on a new strain of point-of-sale malware, dubbed PinkKite, that was spotted by security experts at Kroll Cyber Security.
A new strain of point-of-sale malware, dubbed PinkKite, was spotted by security experts at Kroll Cyber Security.

PinkKite was first discovered in 2017 while the experts were instigating into a large POS malware campaign.

PinkKite is a tiny malware, it is less than 6k in size with a small footprint to make hard its detection. The malware also employs another layer of obfuscation via a double-XOR operation that encodes the 16 digits of the credit card number with a predefined key to make hard the detection. The PoS malware implements classic memory-scraping feature and procedures for data validation.

“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” explained Courtney Dayter who presented the threat at Kaspersky Lab’s Security Analyst Summit along with Matt Bromiley.

Crooks behind the PinkKite PoS malware campaign used three clearinghouses located in South Korea, Canada. and the Netherlands to receive the stolen data, this choice made the operation very noisy and easy to detect.

The PinkKite executable poses itself as a legitimate Windows program using file names like Svchost.exe, Ctfmon.exe, and AG.exe.

The PinkKite first scrapes a credit card data from the PoS memory, then it uses a Luhn algorithm to validate credit and debit card numbers.

The credit card data is stored in compressed files with names such as .f64, .n9 or .sha64. Each record can contain up to 7,000 credit card numbers, a lot of records are periodically sent manually using a separate Remote Desktop Protocol (RDP) session to one of the three PinkKite clearinghouses.

“Once the data was scraped by PinkKite, it was written to a file on a remote system. These remote ‘collection’ systems served as central collection points (clearinghouses) for hundreds or thousands of malware output files,” Dayter said.

According to Kroll, attackers behind the PoS malware likely compromised one main system and then from there used PsExec for lateral movements inside the target network.

Attackers also used the popular Mimikatz post-exploitation tool to extract credentials from the Local Security Authority Subsystem Service (LSASS), then once systems were compromised, attackers would access it to remove the credit card data via the RDP session.

"OceanLotus" Spies Use New Backdoor in Recent Attacks
13.3.2018 securityweek 

OceanLotus, a cyber-espionage group believed to be operating out of Vietnam, has been using a new backdoor in recently observed attacks, but also using previously established tactics, ESET reveals.

Also known as APT32 and APT-C-00, the advanced persistent threat (APT) has been targeting high-profile corporate and government organizations in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The group is well-resourced and determined and is known to be using custom-built malware in combination with techniques long known to be successful.

One of the latest malware families used by the group is a fully-fledged backdoor that provides operators with remote access to compromised machines, along with the ability to manipulate files, registries, and processes, as well as the option to load additional components if needed.

For distribution purposes, OceanLotus uses a two-stage attack that employs a dropper to gain initial foothold on the targeted system and prepare the stage for the backdoor, ESET explains in a new report (PDF).

Spear-phishing emails are used to lure victims into opening an attachment that uses a fake icon to load password-protected decoy document while the malicious dropper is executed in the background.

Fake installers posing as updates for popular applications are also used, as part of watering hole attacks, where websites that the victims are likely to visit are compromised.

The dropper package includes components executed in a number of stages involving heavy code obfuscation to prevent detection. The malware authors also included garbage code in the dropper, for similar purposes.

To achieve persistence, the dropper creates a Windows service if administrator privileges are available, or modifies the operating system’s registry if executed with normal privileges. Code designed to delete the lure document is also dropped onto the system.

A digitally-signed Symantec executable (rastlsc.exe) is also dropped, along with a malicious Dynamic Link Library (DLL) named rastls.dll (detected as Win32/Salgorea.BD). The signed executable loads the malicious DLL, which makes the malicious behavior look legitimate, a technique (called DLL side-loading) that has been abused before.

The backdoor supports over 23 commands to: fingerprint the system; read a file or registry key; create a process; create a file, a registry entry or a stream in memory; write to or query the registry; search for files on the system; move files to directories or delete them from disk; list the drives mapped to the system; create or delete directories; call the PE Loader; drop and execute a program; run shellcode in a new thread, and more.

“Once again, OceanLotus shows that the team is active and continues to update its toolset. This also demonstrates its intention to remain hidden by picking its targets, limiting the distribution of their malware and using several different servers to avoid attracting attention to a single domain or IP address. The encryption of the payload, together with the side-loading technique – despite its age – is a good way to stay under the radar, since the malicious activities look like they come from the legitimate application,” ESET concludes.

Usual Threats, But More Sophisticated and Faster: Report
13.3.2018 securityweek 

Almost Every Type of Cyber Attack is Increasing in Both Volume and Sophistication

Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency hijacking malware.

These were the primary threats outlined in the latest McAfee Lab's Threat Report (PDF) covering Q4 2017.

The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users' CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection.

Since December, Bitcoin's value has fallen to $9,000 (at the time of publishing). Criminals' focus on Bitcoin is likewise being modified, with Ethereum and Monero becoming popular. Last week, Microsoft discovered a major campaign focused on stealing Electroneum. "We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure," comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research Team.

The speed with which criminals adapt to their latest market conditions is also seen in the way they maximize their asymmetric advantage. "Adversaries," writes Samani, "have the luxury of access to research done by the technical community, and can download and use opensource tools to support their campaigns, while the defenders’ level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun."

Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging a Microsoft Office Dynamic Data Exchange technique in November 2017 that had been made public just a few weeks earlier. The hackers used it in a phishing campaign that cited the New York City terror attacks. A second example comes from the December Gold Dragon attacks on organizations involved with the Winter Olympics. In this case the attackers employed steganography, "and a new tool released days before the attack."

The speed of changing tactics and adopting new techniques is in sharp contrast to the delays inherent in defending against new vulnerabilities -- with the two-months plus failure of Equifax to patch all of its systems with the Apache Struts patch being a prime example.

Healthcare organizations remained a significant target throughout 2017, with a 210% increase in publicly disclosed incidents, year on year -- although figures declined 78% in Q4. McAfee's research conclusion is that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

Botnets are a continuing problem. However, in Q4 2017, just two botnets, Necurs and Gamut, accounted for 97% of all spam botnet traffic. Gamut was responsible for delivering job offer-themed phishing (and possible money mule recruitment), in English, German, and Italian; while Necurs delivered 'lonely girl' spam, pump and dump stock spam, and Locky ransomware downloaders.

New ransomware detections grew consistently throughout 2017, culminating in more than 2,000,000 detections in Q4 (compared to less than 500,000 in Q4, 2016). "A big contributor to ransomware growth was Ransom:Win32/Genasom (also known as Stampado, with variants such as 'Philadelphia'). This family provides an inexpensive entree for cyber criminals, being offered for sale as low as $39 for a lifetime license.

Ransomware didn't merely increase in volume (59% year on year, and 35% in Q4 alone), it also diversified beyond just extorting money. "Actors devised strategies to create 'smoke and mirrors' by distracting defenders from actual attacks," writes Samani, "such as the emergence of pseudoransomware, seen in NotPetya and a Taiwan bank heist."

The big takeaway from the latest McAfee Lab's Threat Report is that the cybersecurity threat landscape is continuing to worsen. Just about every type of attack is increasing in both volume and sophistication. The increasing use of PowerShell and JavaScript to avoid malicious file detection is just one example. In Q1 2016 there were around 2000 detections. By Q4 2017, this had grown to just under 48,000 -- boosted "by a rash of downloaders in Q4".

Patchwork Cyberspies Update the Badnews Backdoor
13.3.2018 securityweek  CyberSpy 

Recent infection campaigns conducted by the Patchwork cyberespionage group have revealed the use of an EPS exploit and an updated backdoor, Palo Alto Networks reports.

Believed to have been active since 2014, Patchwork, also known as Dropping Elephant or Chinastrats, is said to be operating out of the Indian subcontinent. The group was initially observed targeting government-associated organizations connected to Southeast Asia and the South China Sea, but it recently expanded the target list to include multiple industries.

In an extensive December 2017 report, Trend Micro revealed that the actor had adopted new exploit techniques and that it also added businesses to its list of targets.

Patchwork campaigns Palo Alto Networks has observed over the past few months have been targeting entities in the Indian subcontinent and revealed the use of legitimate but malicious documents to deliver an updated BADNEWS payload.

The malware, which has been updated since the last public report in December 2017, provides attackers with full control over the victim machine and is known to abuse legitimate third-party websites for command and control (C&C). The new version shows changes in the manner the C&C server information is fetched, as well as modifications to its communication routine.

The campaigns featured malicious documents with embedded EPS files targeting two vulnerabilities in Microsoft Office, namely CVE-2015-2545 and CVE-2017-0261. As lures, the attackers used documents of interest to Pakistani nuclear organizations and the Pakistani military.

When executed, shellcode embedded within the malicious EPS drops three files: VMwareCplLauncher.exe (a legitimate, signed VMware executable to deliver the payload), vmtools.dll (a modified DLL to ensure persistence and load the malware), and MSBuild.exe (which is the BADNEWS backdoor itself).

VMwareCplLauncher.exe is executed first, to load the vmtools.dll DLL, which in turn creates a scheduled task to attempt to run the malicious, spoofed MSBuild.exe every subsequent minute.

Once up and running on the infected machine, the backdoor communicates with the C&C over HTTP and allows attackers to download and execute files, upload documents of interest, and take screenshots of the desktop.

The recently observed variation of the backdoor sets a new mutex to ensure only one instance of the backdoor is running, and also uses different filenames from the previous versions. The manner in which the C&C information stored via dead drop resolvers is obfuscated has been changed as well, the security researchers say.

Although it performs many of the functions associated with previous versions, the new variant no longer searches USB drives for files that might be of interest. When preparing C&C communication, the malware aggregates victim information and appends it to two strings.

The C&C communication has been updated as well, now offering support for commands such as kill (the backdoor); upload a file containing the list of interesting files and spawn a new instance of Badnews; upload a specified file; upload a file containing the list of collected keystrokes; copy a file to a .tmp and send it to the C&C; take a screenshot and send it to the C&C; and download a file and execute it.

“The Patchwork group continues to plague victims located within the Indian subcontinent. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. Recent activity has shown a number of lures related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior,” Palo Alto concludes.

The South America connection and the leadership on ATM Malware development
12.3.2018 securityaffairs

Besides being known about corruption scandals, South America is a reference to the development of ATM malware spreading globally with Brazil, Colombia, and Mexico leading the way.
A research conducted by KASPERSKY has revealed a convergence on attacks against financial institutions, where traditional crimes and cybercrime join forces together to target and attack ATM (Automated Teller Machine) machines.

Around the globe, the region where criminals had achieved expertise and have become highly professionals is Latin America. As a resulting of this criminal union to steal money directly from ATM, criminals and cybercriminals from Latin America have been developing brand new zero-day techniques and tools that are not found in any other place in the world.

These tools and techniques that were developed are imported from Eastern Europe and customized, to pave the way to other criminals and create a network of malware on a global scale.

The research points to a combination of factors behind the development of ATM malware like obsolete operating systems and a availability of development platforms to create the malicious codes such as .NET framework.

The report points out the motivation being a key factor to criminals, but we can consider also as a key factor the corruption that is widespread in every level of Latin America society. The prevalence of corruption can be considered as a fuel to criminal motivation once piracy and corporate data are sold in every corner of Latin America countries. Also, it is important to notice the role of insider informants in organizations, where employees give precise details and reveal the security measures in place to be bypassed by criminals.

Among the myriad of techniques employed to rob banks, the criminals still use explosives on a regular basis, due to its effectiveness and cost benefit. Security measures like cameras and CCTV, for example, are easily bypassed in a raid that takes just a few minutes. The collateral damage caused by the use of explosives goes beyond the ATM machines of the bank agencies in which they are located also reaching out public squares, shopping malls and buildings nearby the banks.

Brazilian banks in an attempt to stop ATM attacks have adopted ink cartridges to stain the ballot and make them useless when the ATM is blown up. However, the organized crime developed a special solvent to remove the ink. Other attack vectors exploited by criminals in Latin America is the use of obsolete unpatched software, like Windows XP or Windows 2000 in production environments. ATM machines were also found with cables and network devices exposed to no implementation of physical security measures in place.

Brazilian criminals do not restrict themselves to this approach developing other ways to compromise banking security. Fake replicas to cover the front of ATM machines and steal card data and PIN numbers are also used. In many cases, these fake machines are installed in daylight in retail business and supermarkets. The components to assembly such replicas are sold in the black markets and on online stores easily.

Another common type of ATM machine fraud in Brazil is the “Chupa Cabra”, where criminals install skimmer devices that get all data from the credit card once they are inserted on ATM machines.

Once these methods involve exposure, and criminals can be recognized by cameras and CCTV devices alike they have also started to use malware to attack banking systems.

The report describes four stages used by criminals to steal money from ATM machines, that are: Local/remote access to the machine, installation of malicious code in ATM system, reboot of the target device and withdraw of the money. Aiming to evade security from ATM machines criminals from Latin America have developed different malware to steals money, both intercepting data from keypads running Windows machines (Chupa Cabra malware) and by remote access. To withdraw money with malware criminals can program a specific key combination of PIN pad, insert a “special card” or send a remote command to a machine infected in the bank network.

The report has found out that there is a cooperation between Eastern European and Latin American criminals. In 2017, a coordinated Police operation took place where 31 criminals were arrested for credit card cloning in Cuba, Ecuador, Venezuela, Romania, Bulgaria, and Mexico. This major operation highlights the criminal network working together globally. This union backs to 2008 when the first malicious program to infect ATM machines was developed (Backdoor.Win32.Skimer) aiming to target Russia and Ukraine. In 2014, the researchers discovered the Tyupkin malware affecting ATM machines in several Eastern Europe institutions.


There was collected enough evidence that a collaboration between criminals has taken place with the involvement of Latin American criminals involved in the development of ZeuS, SpyEye and other banking malware created in Eastern Europe. This criminal cooperation has resulted in coding quality and sophistication of Latin American malware and sharing of infrastructure for deployment. Also, it was found out that Latin American criminals access Russian underground forums on a constant basis looking for samples, to buy new malware or even exchange data about ATM/PoS malware. It is believed that this criminal exchange started back in 2008.

As we dive into the development of ATM malware in Latin America we can highlight specific examples in Mexico, Colombia, and Brazil. In Mexico, on October 2013, was spotted the Ploutus malware. According to Greek mythology, Ploutus represents the abundance and wealth. At a first moment, the malware was difficult to identify being detected as Backdoor.Ploutus by Symantec or by Trojan-Banker by Kaspersky. The damage caused by this malware surpassed $64 million only in Mexico and has compromised 73.258 ATMs. In a nationwide operation deflagrated during 2014 and 2015, related to robberies using malware, it was uncovered a criminal network acting on 450 ATMs from 4 major Mexican banks.

The machines were located in places that had no surveillance or limited physical security, and the malware was deployed both using CD-ROM drive or by USB port. The attack caught the attention of banks security departments because the transportation company started to receive phone calls and alerts regarding uncommon high amounts of money being withdrawn hours later being filled. Other attacks took place on dates where the ATMs was stocked with more money to supply customer demands, like the Mexican Black Friday and on Valentine’s day. In this scenario, the cybercriminals obtain licenses that are valid for one day to withdraw money from any number of machines. It takes, according to the report, from two and a half to three hours to entirely empty an ATM machine. The cybercriminals gangs are composed of at least 3 individuals, while the campaigns can have up to 300 people involved. Each group compromise a chosen ATM obtaining its data to further request an activation code and have full access to the ATM service.

As discovered by the researchers there are at least four different versions of the malware, and the last one dating back to 2017 has bugs fixes and code improvements. On its first version, there was no reporting on the activities on the ATM and the command and control server. Also, an SMS module used to obtain a unique identifier for the machine was found, that enabled the activation of malicious code remotely for criminals on the machine to withdraw money. The procedure with 5 stages is the following: Compromise of the ATM via physical access, installation of the malware as a Microsoft Windows Service, acquisition of ATM ID, activation of ATM remotely or physically and withdraw while the malware is active for 24 hours.

The latest versions of the malware, named Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR: Trojan.Win32.Generic by researchers, have the capability of full remote administration of infected ATMs and diagnostic tools. The cybercriminals switched their methods and instead of using physical keyboards they now use WiFi access with a modified TeamViewer Remote management module to reduce risks.

As we advance analyzing the developments in Latin America of ATM malware, we have to notice a sum of factors involving corruption, insider threats and legit software in Colombia. According to the report, in October 2014, 14 ATMs were compromised in different cities of Colombia leading to a loss of 1 million Pesos without any trackable transaction. An employee of one bank was arrested being suspected of installing remotely malware in ATMs using privileged information before quitting his job. The suspected had worked for the Colombian police for 8 years as an electronic engineer and police investigator. In his duty, he was in charge of large-scale investigations.

But on October 25th he was arrested under the charge of a multi-million fraud scheme at a Columbian bank. He had in his possession remote access to 1.159 ATMs across Colombia and a modified version of legitimate ATM software that paved the way for other members of the criminal organization to commit fraud in six different cities in less than 48 hours. To launch the attack the former police officer used a modified version of the ATM management software distributed by the manufacturer and their technical staff. He used his clearance to access the software, that after installation interacted with the XFS standard to send commands to the ATM. In this case, the target was the Diebold ATM machine. After the attack, a special access was granted that permitted the installation of any ATM malware including Ploutus. The name of the malware as described by the researchers is Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus.

Last but not least, we have to consider the country of nationwide corruption scandals: Brazil. Brazil is known for the development and spread of locally build malware to target both ATM and PoS devices. Researchers found out in 2017 a new malware named Prilex being spread that was developed from scratch by Brazilian criminals, that doesn’t have similarities with another malware family. The difference in Brazilian malware is that instead of using the common XFS library to interact with the ATM sockets it uses a specific library of vendors. There is a suspicion of insider threats sharing information with criminals due to the cybercriminals deep knowledge about the network diagram as well as the internal structure of the ATM used by the banks. A specific user account of an employee of the bank was found that also raised the doubt of a targeted attack taking place to exfiltrate information.

The malware was named by researchers as Trojan.Win32.Prilex and once running it is capable of dispersing money from the sockets using special windows that are activated through a specific key combination. It also contains a component that reads and collects data from the magnetic stripe of the cards used at the ATMs infected with the malware. Measures were taken globally to reduce credit card fraud, but researcher discovered another development of Brazilian criminals to steal card data and clone chip and pin cards.

A modified version of the malware with additional features was discovered by researchers aimed to infect point of service (PoS) terminals to collect card data. This new variant is capable of modifying PoS software to allow a third party to capture the data transmitted to a bank. The Prilex group also developed new ways to clone cards and bypass security mechanisms. The card works based on a standard called EMV. The chip on the card is a microcomputer that can run applications and once inserted in a PoS terminal it begins a sequence of four steps.

The first step is called initialization and the terminal receives basic information like cardholder name, expiration date, and the applications installed. The second step is data authentication where the terminal checks if the card is authentic using cryptographic algorithms. On the third step called cardholder verification, the user is requested to provide the PIN code to prove he is the owner of the card. The fourth step is where the transaction happens. As noted by the researchers only step one and forth are mandatory. For this reason, Brazilian criminals can easily bypass authentication and verification steps.

The number and the complexity of steps needed for transactions depend on the available applications on the card, which the PoS asks the card during its first handshake. As the researchers notice, the criminals created a Java application for cards to run that has two functions. The first tells the PoS terminal that data authentication is not necessary bypassing in this way the cryptographic operation. The second function is based on the EMV standard to check if the PIN is correct on the application running in the card. The cybercriminals application can validate any PIN as correct no matter what PIN is informed. Even random numbers are accepted as a valid input.

The researchers discovered a complex infrastructure where Prilex operates. Besides the Java applet, a client application called “Daphne” is used to write information on smart cards and a database with card numbers and other data. The daphne application is used to check the amount of money that can be withdrawn with the card and to clone both credit and debit cards. The cybercriminals sell the application as a package to other criminals in Brazil to clone cards.

On its recommendations, the report lists two scenarios, one with direct bank losses and other with losses to the customers. The attackers will have to bypass the customer authentication mechanisms or bypass ATM security. Criminals are shifting from physical attacks to logical attacks that helps them to go unnoticed for longer periods of time. The researchers suggest that manufacturers and vendors should improve security measures and work with antimalware companies to better address logical attacks. The researchers also suggest the use o Threat Intelligence to further collect information on new developments of malware families.

To address the card cloning issue, the researchers recommend a constant verification of the card transaction history and the communication to the bank in case of suspicious activity. None the less, the researchers recommend that users only use AndroidPay or Applepay to avoid the disclosure of card data and to separate a card to internet payments. Finally, it is recommended to users to avoid keep large sums of money on the card.



Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
10.3.2018 securityaffairs

In just one night a Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania, the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, they sent email messaging using a weaponized RTF document.
The bait document that appeared as sent on behalf of the European Central Bank
contained the code to trigger a vulnerability in the target systems.
In this way the attackers took control over the whole network of the bank, then they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

Raiffeisen cyber heist

According to the report, the attackers were able to instruct the 32 ATMs to dispense the cash, the investigators highlighted that the attackers only targeted systems in Romania, but once compromised the network of the bank they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that hackers did not access the customers’ account after the security breach.

Mobile Malware Attacks Surged in 2017: Kaspersky
9.3.2018 securityweek Mobil 

The number of mobile malware attacks detected in 2017 has increased to 42.7 million, according to a new report from Kaspersky Lab.

The surge in attacks was in contradiction to evolution of detected mobile malicious installation packages, which amounted to 5,730,916 in 2017, almost 1.5 times lower than 2016.

The number of attacked users, however, increased 1.2 times compared to the previous year. According to Kaspersky, they protected 4,909,900 unique users of Android devices from the beginning of January until the end of December 2017.

The Moscow-based security firm also says that it detected 94,368 mobile banking Trojans in 2017, 1.3 times less than in the previous year. This type of malware attacked 259,828 users in 164 countries, with Russia, Australia, and Turkey being hit the most.

544,107 mobile ransomware Trojans were detected last year, twice as much as in 2016 and 17 times more than in 2015. Ransomware hit 110,184 Android users in 161 countries, with the United States, Kazakhstan and Belgium being hit the most.

The number of users attacked by rooting malware decreased last year, yet this type of malware continued to be popular, accounting for nearly half of the Trojans in the company’s Top 20 list. Such malware usually attempts to gain super-user rights by exploiting system vulnerabilities.

Their decline in popularity among cybercriminals can be explained mainly by the decline in the number of devices still running older Android versions. Android 5.0 or older was found on 57% of the devices in 2017, while Android 6.0 or newer doubled in 2017 compared to 2016.

“Newer versions of Android don’t yet have common vulnerabilities that allow super-user rights to be gained, which is disrupting the activity of rooting malware,” Kaspersky notes.

Despite that, rooting malware continues to be a major threat to Android users, as they are difficult to detect and pack a variety of capabilities. Rooting malware installs modules in system folders to ensure persistency and can sometimes even resist a reset to factory settings.

Notable mentions in the rooting malware category include Ztorg, which infected 100 apps in Google Play and was downloaded tens of thousands of times, and Dvmap, which was downloaded over 50,000 times from the official application store.

In 2017, Kaspersky also discovered new WAP Trojans, malware families that usually follow links received from the command and control (C&C) server and then ‘click’ on page elements using a specially created JS file. Such malware can visit regular advertising sites or pages with WAP subscriptions.

Mobile banking malware also evolved in 2017, “offering new ways to steal money,” Kaspersky says. A modification of FakeToken, for example, was observed targeting apps for booking taxis, hotels, tickets, and the like, in addition to the usually attacked financial apps. The malware overlays the legitimate applications with its phishing windows.

While the latest Android releases attempt to prevent malware from performing malicious actions, banking Trojans last year found new ways to bypass these protections. A Svpeng variant observed last year was abusing accessibility services to grant itself some permissions such as the ability to send and receive SMSs, make calls, and read contacts, in addition to adding itself to the list of device admins to prevent removal.

Last year, both Svpeng and Faketoken “acquired modifications capable of encrypting user files,” Kaspersky reports. However, the encryptor functionality wasn’t that popular among mobile Trojans.

Mobile ransomware Trojans were highly active last year and even registered massive growth during the first half of the year, when detections were up 1.6 times than the entire 2016. Starting June, however, the activity of these malware families returned to normal.

The segment, Kaspersky says, was dominated by the Congur ransomware, with over 83% of all installation packages in 2017 belonging to this family. This simple malware changes device’s PIN code and instructs the owner to contact the attackers via the QQ messenger.

Last year, Trojan-Ransom malware experienced the highest overall growth, followed by RiskTool threats. Trojan-SMS installation packages and Trojan-Dropper malware decreased.

Overall, users in over 230 countries and territories were targeted by malware in 2017, with Iran, Bangladesh, and Indonesia emerging as the top attacked countries.

Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
9.3.2018 securityweek

In just one night a Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania, the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, they sent email messaging using a weaponized RTF document.
The bait document that appeared as sent on behalf of the European Central Bank
contained the code to trigger a vulnerability in the target systems.
In this way the attackers took control over the whole network of the bank, then they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

Raiffeisen cyber heist

According to the report, the attackers were able to instruct the 32 ATMs to dispense the cash, the investigators highlighted that the attackers only targeted systems in Romania, but once compromised the network of the bank they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that hackers did not access the customers’ account after the security breach.

Sophisticated False Flags Planted in Olympic Destroyer Malware
8.3.2018 securityweek
Virus  APT

Hackers Behind Olympic Destroyer Malware Used Sophisticated False Flag to Trick Researchers

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.

The Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.

Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.

Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.

Kaspersky researchers also analyzed the Olympic Destroyer worm in an effort to determine who was behind the attack. While they have’t been able to identify the culprit, experts have found some interesting clues.

The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.

This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.

Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove,” explained Vitaly Kamluk, head of the APAC research team at Kaspersky. “It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

In addition to this apparent link to North Korea, Kaspersky has found evidence that would suggest the involvement of the notorious group known as Sofacy, Fancy Bear, APT28 and Pawn Storm, which is widely believed to be sponsored by the Russian government.

One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its campaigns on Russian actors. It’s also possible that the false flag used in the Olympics attack is part of the hackers’ efforts to improve their deception techniques.

Links to China have been found by Intezer, which specializes in recognizing code reuse. Its analysis led to the discovery of numerous code fragments uniquely linked to threat groups tracked as APT3, APT10 and APT12.

Smoke Loader Backdoor Gets Anti-Analysis Improvements
8.3.2018 securityweek

The infamous Smoke Loader backdoor now has more complex anti-analysis techniques that allow it to remain a potent malware delivery mechanism, PhishLabs security researchers warn.

Also known as Dofoil, Smoke Loader has been advertised on dark web forums since at least mid-2011. Packing a modular design, the malware can receive secondary execution instructions and/or download additional functional modules. Lately, the loader has been used in the distribution of malware such as the TrickBot banking Trojan and GlobeImposter ransomware.

The Smoke Loader installer, the security researchers explain, spawns an EnumTools thread to detect and evade analysis tools, and uses an API to enumerate running analysis utilities. The malware checks for twelve analysis processes via a hash-based method, and terminates itself if one is found running. As part of an anti-VM check, it also queries the name and the volume information of the infected machine, along with a registry key.

“There are two main paths of execution in Smoke Loader, the installer and the loader. The installer path runs prior to spawning and injects into a new instance of a Windows Explorer process. Post injection, the loader runs and executes the core functionality of the module. Before injection occurs, Smoke Loader performs several checks to determine information about the system on which it is running,” PhishLabs says.

Smoke Loader was observed leveraging the VirtualProtect API call to change the protection of the allocated memory region, the security researchers reveal. Toward the end of the loader execution path, the malware also checks whether injection should occur, and execution continues if injection has not yet been performed.

The malware was observed performing networking checks to ensure the loader has Internet access (it can generate fake traffic for that). The security researchers also noticed that, unlike previous versions, the latest Smoke Loader variant uses a custom XOR-based algorithm to decode strings within the sample. Previously, the strings weren’t encoded.

“While Smoke Loader’s distribution is not as wide spread as other malware families, it is under continued development and very effective at what it does. The loader’s longevity indicates that the developers are committed to persistence and protection of their loader from the latest analysis techniques. Even though it dates back to 2011, the loader has undergone several transformations that allow it to continue to be a potent malware delivery mechanism in 2017,” PhishLabs concludes.

Gozi Banking Trojan Uses "Dark Cloud" Botnet for Distribution
7.3.2018 securityweek  BotNet 

The well-known Gozi ISFB banking Trojan recently started using the elusive "Dark Cloud" botnet for distribution, Talos warns.

Gozi has been around for several years and had its source code leaked online on two occasions over the past years, which led to the development of a new Trojan in 2016, GozNym. The malware has continued to remain active and even adopted new techniques in recent campaigns, such as the use of the Dark Cloud infrastructure.

The campaigns Talos has observed over the past few months are relatively low-volume, target specific organizations, and reveal significqant effort into the creation of convincing emails. Not only are the distribution and the command and control (C&C) infrastructure active for short periods of time only, but the actors behind them also move to new domains and IP addresses fast, even for individual emails sent as part of the same campaign.

The spam emails carry Microsoft Word documents as attachments. When opened, the files display a decoy image claiming that the document was created using Office 365 and that the user should "Enable Editing" and then "Enable Content" to view it. If the victim follows through, embedded macros are executed to download and run the malware.

The VBA macro is usually executed when the document is closed, in an attempt to bypass sandbox detection. The macro downloads an HTA file from a remote server, which is executed without alerting the user. The infection process continues with the execution of an obfuscated JavaScript script to run a PowerShell script to download and execute the final payload on the victim's machine.

The vast majority of the malicious documents used in campaigns in the fourth quarter of 2017 are individualized. Although they appear similar, differences exist in embedded macro, code, and even color of the decoy image.

Talos also discovered that the campaigns have been ongoing for a couple of years, and that the image in the documents has been changed from time to time, the same as the VBA code in the malicious macros. The researchers even observed localized documents in some cases, suggesting that “the separate attacks are highly customized and targeted.”

The final payload is usually a banking Trojan based on the Gozi ISFB code base, but other malware families (CryptoShuffler, Sennoma and SpyEye) were also observed.

The malware loader used in these attacks uses anti-virtualization and carries two versions of the same DLL, each targeting a different architecture. Depending on the victim machine, the loader injects either the 32-bit or the 64-bit DLL into the explorer.exe process.

The distribution infrastructure used in these campaigns overlaps with that of Dark Cloud, a botnet initially analyzed in 2016. The botnet, Talos notes, is used in the distribution and administration of various malware families, including Gozi ISFB and Nymaim.

In July 2016, a SentinelOne report on the Furtim-related SFG malware also revealed a connection between the Qbot (Qakbot or Quakbot) malware and Dark Cloud.

The botnet uses fast flux techniques to make the tracking of its backend infrastructure more difficult. “By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls,” Talos explains.

By looking at the domains and IP addresses associated with the infrastructure, the researchers discovered that it was serving a variety of cybercriminal activities, including carding forums, malware delivery and control, and spam.

Talos also discovered that the attackers aren’t using proxies and hosts in Western Europe, Central Europe, and North America, but mainly those located in Eastern Europe, Asia, and the Middle East.

“Gozi ISFB is a banking Trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” Talos concludes.

Payment Card Breach Hits Some Applebee's Restaurants
5.3.2018 securityweek

RMH Franchise Holdings revealed on Friday that malware had been found on point-of-sale (PoS) systems at the Applebee’s restaurants it operates as a franchise.

RMH disclosed the incident on Friday afternoon, which often indicates an attempt to avoid the news cycle and fly under the radar. The company posted a link to the data breach notice on the homepage of its website, but it did not announce anything on social media.

According to the data breach notice, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas and Wyoming. This represents nearly all the restaurants operated by RMH.

In a vast majority of cases, the malware was present on PoS systems between December 6, 2017 and January 2, 2018, but in a small number of restaurants the malware had been active since November 23 or December 5, 2017. The company said the breach does not impact payments made online or using self-pay tabletop devices.

The breach was discovered on February 13 and RMH launched an investigation in cooperation with cybersecurity experts and law enforcement.

The company said the malware was designed to collect names, credit or debit card numbers, expiration dates, and card verification codes.

RMH pointed out that its payment systems are isolated from the broader Applebee’s network, which is not affected by this incident.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” RMH said. “RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident.”

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Market also informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.

Applebee restaurants suffered payment card breach
5.3.2018 securityaffairs

RMH Franchise Holdings revealed on Friday afternoon that PoS systems at the Applebee ’s restaurants were infected with a PoS malware.
Another week another data breach, RMH Franchise Holdings revealed last week that PoS systems at the Applebee’s restaurants were infected with malware.

The PoS malware was used to collect names, payment card numbers, expiration dates, and card verification codes.

On Friday afternoon, RMH Franchise Holdings published a link to the data breach notice on its website.

“RMH Franchise Holdings (“RMH”) recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee.” states the notice of the data breach.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves. RMH operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants.”

The security breach was discovered on February 13, the RMH promptly started an investigation with the help of and law enforcement.

The infection lasted between December 6, 2017, and January 2, 2018, is some cases the malware was present on the PoS systems of restaurants since November 23 or December 5, 2017.

Almost any restaurant operated by RMH was impacted, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming.

Applebees restaurants

The security breach does not affect online payments systems, clients using self-pay tabletop devices were not affected too.

RMH clarified that its payment systems are not affected by the incident because they are isolated from the payment network used Applebee.

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation.”RMH added.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”

Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft
5.3.2018 securityweek

Microsoft Dissects FinFisher’s Complex Infection Process

Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.

FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.

In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.

According to Microsoft, FinFisher is complex enough to require “special methods to crack it” but, despite its sophistication, the malware cannot go unnoticed by its security tools. These include Office 365 Advanced Threat Protection (Office 365 ATP) and Windows Defender ATP, which is set to arrive on Windows 7 and Windows 8.1 devices this summer.

Packed with various detection, evasion and anti-analysis capabilities, including junk instructions and “spaghetti code,” multi-layered virtual machine detection, and several anti-debug and defensive measures, FinFisher wasn’t easy to tear apart and analyze, Microsoft says.

Through the addition of continuous code jumps (spaghetti code), FinFisher’s authors ensured that the program flow is difficult to read and can confuse disassembly programs. While reversing plugins that may help in such situations exist, none was found to work with this malware, and Microsoft had to come up with their own.

The first thing the company discovered was an array of opcode instructions that a custom virtual machine program can interpret. 32 different routines were discovered, each implementing a different opcode and functionality that the malware program may execute.

Not only does the use of virtualized instruction blocks ensure that analysis using regular tools is not possible, but anti-debug and anti-analysis tricks in the virtualized code attempt to evade dynamic analysis tools as well.

“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed,” the software giant explains.

The first stage of FinFisher is a loader meant to detect sandbox environments. If it passes the initial set of checks, the loader reads four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remaps them in memory, rendering debuggers and software breakpoints useless.

Next, the malware performs additional anti-sandbox checks, likely in an attempt to avoid specific sandbox or security products, and also checks for virtualized environments (VMWare or Hyper-V) and if it is running under a debugger.

Only if all these checks are passed, the loader moves to the next step, which represents a second multi-platform virtual machine.

“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate,” Microsoft explains.

The 64-bit stage 2 implements another loader and virtual machine, featuring an architecture similar to those in the previous stage, but using slightly different opcodes (which Microsoft lists on their site). The virtual machine extracts and decrypts the stage 3 malware. After decryption, the payload is remapped and executed in memory.

Stage 3, which represents the installation and persistence stage of the malware, is the setup program for FinFisher and no longer employs a VM or obfuscation. The code can install the malware in a UAC-enforced environment with limited privileges, or with full-administrative privileges enabled. However, no privilege escalation code was found in the malware.

During this installation step, stage 4, stage 5, and stage 6 payloads, along with additional files, are potentially dropped under a folder located in C:\ProgramData or in the user application data folder. Stage 4 is a loader for UAC bypass or installation with admin rights, stage 5 is a payload injected into explorer.exe or winlogon.exe, while stage 6 is the main malware executable.

The stage 5 malware only provides one more layer of obfuscation for the final payload (through the VM) and sets up a special Structured Exception Hander routine to ensure stealthy operations. After checking the environment once again, it proceeds to extract and execute the final payload into the injected process (it uses RunDll to implement the spyware).

New Malware Used in Attacks Aimed at Inter-Korean Affairs

3.3.2018 securityweek Virus

A threat actor apparently interested in inter-Korean affairs continues to launch highly targeted attacks using new pieces of malware and decoy documents referencing North Korean political topics.

The cyber espionage group, which experts believe is sponsored by a nation state, has been active for several years, but it managed to stay under the radar until last year, when researchers analyzed two of its main tools, namely SYSCON and KONNI. These pieces of malware had been leveraged in attacks aimed at organizations linked to North Korea.

McAfee’s Advanced Threat Research team recently spotted a new campaign that appears to focus on North Korea, particularly humanitarian aid efforts. The security firm named this operation Honeybee based on the name of the user who created the malicious documents.

Previous research into this group’s activities and a new McAfee report claim the threat actor is likely a Korean speaker. In the past, some even suggested that the attacks may have been launched from South Korea.

However, McAfee told SecurityWeek that South Korea is most likely not behind the attacks. The security firm believes this is the work of an actor interested in inter-Korean affairs, specifically in English-language information.

The attack starts with a spear-phishing email carrying or linking to a malicious document. The document contains a macro designed to drop and execute a new version of the SYSCON backdoor. The malware allows attackers to upload files to a server, and download files to the compromised system and execute them.

The campaign appears to be mainly focused on North Korea, particularly humanitarian aid efforts, with primary targets located in Southeast Asia and the Americas. While many of the targeted entities are located in South Korea, some attacks are also aimed at users in Vietnam, Singapore, Japan, Indonesia, Canada and Argentina.

Some of the malicious documents used to deliver the malware reference North Korea – for example, one is named “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office.”

Other documents, however, rely on a different approach. They display fake Google Docs or Microsoft Office messages that instruct recipients to enable editing and content in order to access the information. If users comply, malicious code is executed and malware is downloaded to their device.

Decoy document used in North Korea attacks

Some of the droppers used in the Honeybee campaign are only disguised as documents. One dropper, tracked by McAfee as MaoCheng, has a document icon, but it’s actually an executable file signed with a stolen Adobe certificate. Once executed, MaoCheng opens a decoy document that instructs users to enable content in order to access the information.

McAfee said the MaoCheng dropper was likely created specifically for the Honeybee campaign and it has only been spotted two times. A new variant of the SYSCON backdoor was first seen by researchers on January 17, but the operation has relied on new implants since at least November 2017. Experts say many components are loosely based on previous versions of SYSCON, but they are unique from a code perspective.

“The attacks used simplistic malware, but the speed to put the campaign into production indicates that this is a well-organized group, hence it has the traits of a nation state level group,” Ryan Sherstobitoff, McAfee Senior Analyst of Major Campaigns

Python-Written CannibalRAT Used in Targeted Attacks
2.3.2018 securityweek 

A newly identified remote access Trojan (RAT) that has been written entirely in Python is being used in highly targeted attacks, Cisco Talos researchers say.

Dubbed CannibalRAT, the malware lacks sophistication but exhibits signs of code cannibalization. At least two variants (versions 3.0 and 4.0) have been already used in attacks, both with the usual RAT capabilities, but the latter lacking features to fit a campaign targeting users of a Brazilian public sector management school.

The malicious activity associated with the RAT has increased after the second variant (4.0) emerged on February 5, 2018 (the first variant was spotted on Jan. 8). The newer iteration also uses obfuscation to avoid detection: it was packed with UPX and has a function to generate random strings in memory.

Both variants use base16 encoding scheme to obfuscate command and control (C&C) hostnames and data exchanged with the server. Also, both use the "CurrentVersion\Run" registry key for persistence, along with the service name "Java_Update", Cisco reveals.

Once executed on the infected machine, version 4.0 creates a PDF file with HTML code embedded, designed to load an image hosted at imgur.com, and launches Chrome to open the PDF.

Both versions connect to the same C&C infrastructure, but the older one uses standard web requests, while the newer version uses a REST-based API. The latter method would send username, hostname, and capability related information to the server as part of the initial request.

The credential-stealer modules are copied from the Radium-Keylogger’s source code (available on Github), while the VM detection function was copied from a different Github repository.

This, the researchers say, shows the large amount of code that adversaries share among them, which makes attribution even more difficult.

The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm. All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).

The latest version also drops the module approach and includes all code in the main script. Furthermore, it includes four possible C&C hostnames (version 3.0 only had two), and randomly chooses one upon execution.

The attackers use the fast flux technique to hide the infrastructure and change name servers with high frequency (120 seconds), but the end points tend to be the same, belonging to a telecom provider in Brazil, the researchers say.

One of the domains associated with the campaign (the malware was hosted on it) is inesapconcurso.webredirect.org, apparently specifically created for these attacks. The actor used social engineering for the name as well: inesapconcurso is the aggregation of inesap and concurso, representing the school name and the Portuguese word for “competition”.

“While the objective of this campaign is unclear, the adversaries went through some work in order to keep their RAT as unnoticed as possible. Both the campaign target and the command-and-control visibility show this campaign is active in Brazil, which our DNS data confirms, reflecting the highly targeted approach of this campaign,” Cisco concludes.

CannibalRAT, a RAT entirely written in Python observed in targeted attacks
2.3.2018 securityaffairs

Security researchers from Cisco Talos discovered a new remote access Trojan (RAT) dubbed CannibalRAT that has been written entirely in Python.
The CannibalRAT RAT is being used in highly targeted attacks. the experts explained that even if it isn’t very sophisticated it exhibits signs of code cannibalisation from other open-source projects.

“The RAT itself is not very sophisticated, and exhibits signs of code cannibalisation from other open-source projects, which contrasts with the command-and-control, using fast flux to keep hidden, even if the endpoints are not very diversified.” reads the analysis published by Talos.

The researchers observed the involvement of at least two variants (versions 3.0 and 4.0) in targeted attacks.

cannibalrat activity

The two samples were written using Python and packed into an executable using the popular tool py2exe.

According to the researchers, the version 4.0 is a stripped-down version, this means that vxers removed from the main code some features, anyway authors have attempted to add obfuscation techniques in order to avoid detection.

The version 4.0 includes a function that will generate random strings in memory in the attempt to make memory string analysis harder.
“The malware main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules’ bytecode is compressed and stored in the executable overlay.” continues the analysis.

The first variant of the malware was spotted on Jan. 8, anyway, Cisco Talos observed a significant increase in the activities of the CannibalRAT after the variant 4.0 appeared in the wild on February 5, 2018

Both variants use base16 encoding scheme to obfuscate command and control (C&C) hostnames and data exchanged with the server, they gain persistence by using “CurrentVersion\Run” registry key with the service name “Java_Update“,

Once executed, the CannibalRAT version 4.0 creates a PDF file with HTML code embedded that loads an image hosted at imgur.com and launches Chrome to open the PDF.

The two versions share the same C&C servers, but while the variant 3.0 uses standard web requests, the newer version uses a REST-based API.

“The command-and-control infrastructure attempts to use the fast flux technique to hide, although the name servers are changing with high frequency, and the end points tend to be the same, all belonging to a telecom provider in Brazil with the autonomous system number AS 7738 and shared among all four command-and-control hostnames.” states Cisco Talos.

CannibalRAT borrows the credential-stealer modules form the Radium-Keylogger, which has the source code published on Github, the experts also noticed that the VM detection feature was copied from a different Github repository.

“The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm.” continues the analysis.”All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).”

Experts noticed that the version 4.0 doesn’t use modules, instead, all the code is included in the main script. Furthermore.

Talos team provided details of a campaign involving the CannibalRAT Version targeting the INESAP, a Brazilian school for public administration

The campaign is highly targeted at this specific geographic region, attackers targeted only Chrome users.

“the RAT was hosted at inesapconcurso.webredirect.org and filebin.net, while the second domain is a popular file-sharing platform, the first domain was clearly created as part of the campaign.” continues the analysis.

“The subdomain inesapconcurso is the aggregation of two words; inesap and concurso. The first word is the school name, the second can be translated into competition, this is part of the social engineering of this campaign, as this Institute helps the management the application of workers to public sector vacancies.”
Further info about the malware including IoCs are reported in the analysis.

Hundreds of sites based on WordPress, Joomla and CodeIgniter infected by ionCube Malware
1.3.2018 securityaffairs

Security researchers at the firm SiteLock have discovered that hundreds of websites have been infected with the ionCube malware.
Security researchers at SiteLock have discovered that hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files.

ionCube is an encoding technology used to protect PHP software from being viewed, changed, and run on unlicensed computers.

The experts were analyzing an infected WordPress website when discovered a number of suspicious obfuscated files – such as “diff98.php” and “wrgcduzk.php” – appearing almost identical to legitimate ionCube-encoded files. Further analysis conducted revealed that hundreds of websites were infected by the same ionCube Malware.

“While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” reads the analysis published by SiteLock.

“Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.”

Further analysis revealed that attackers also compromised Joomla and CodeIgniter websites. Threat actors packed their malware in a manner that appears ionCube-encoded files.

The malicious code could theoretically infect any website based on a web server running PHP, once decoded, the fake ionCube files compose the ionCube malware.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” continues the analysis. “It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.”

ionCube malware

The researchers also provided recommendations to mitigate the ionCube Malware, they suggest administrators check the presence of ionCube-encoded files as an indicator of compromise.

If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat, the researchers also suggest the adoption of a web application firewall (WAF).

“If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” concluded the analysis.

“This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and it is common to see up to 100 slightly different variants of this malware on a single site. “

Fake ionCube Malware Hits Hundreds of Sites
28.2.2018 securityweek

Hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files, SiteLock warns.

The malicious files were initially discovered in core directories of a WordPress site, featuring naming patterns usually associated with malware, namely “diff98.php” and “wrgcduzk.php.” Because the obfuscated files appear as if they had been encoded with ionCube, the researchers named the threat ionCube malware.

ionCube is an old and powerful PHP obfuscation technology that can be used to scramble text-based PHP files to hide the intellectual property. Due to licensing costs, ionCube isn’t usually used for malicious purposes.

Malicious attackers, however, found a way to pack their malware in a manner that resembles that of ionCube-encoded files, and started targeting various websites. Although the infection was initially spotted on a WordPress site, SiteLock's researchers discovered that Joomla and CodeIgniter sites have been infected as well.

According to SiteLock, the malware is likely to run on any web server running PHP, and could hide in plain sight by using filenames such as “inc.php” and “menu.php.” Overall, the researchers discovered over 7,000 infected files and say that over 700 sites were compromised.

Once decoded, the fake ionCube files turn into the malware itself, which still contains some obfuscation, along with some sort of access control, researchers discovered.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code. It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present,” SiteLock says.

Site administrators who haven’t specifically and intentionally installed ionCube-encoded files but do find such files on their servers were likely infected. If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat.

According to SiteLock, differentiating between the fake and legitimate files can be very difficult as well, given the large number of malware variations out there. The researchers say it is common to see up to 100 slightly different variants of the malware on a single site.

Evrial: The Latest Malware That Steals Bitcoins Using the Clipboard
27.2.2018 securityaffairs

Evrial is a cryptocoin malware stealer discovered by the researchers at ElevenPaths which takes control of the clipboard to get “easy money”.
Evrial is a cryptocoin malware stealer which takes control of the clipboard to get “easy money”.

ElevenPaths has taken a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that his scam has been targeting other scammers themselves.


By the end of 2017, CryptoShuffle was a malware sample capable of reading the clipboard and modifying cryptocurrency addresses found there. Later, someone realized that there could be some business on providing these features as a service and started to sell the platform itself calling it “Evrial”. The product was formed by a .NET malware sample capable of stealing passwords from browsers, FTP clients, Pidgin and it could also modify the clipboard on the fly so as to change any copied cryptocurrency address to whatever address he wanted to.

Evrial allows the attacker to control it all from a comfortable panel where the stolen data can be easily explored. When the attacker buys the application, he can set his “name” for logging into the panel which will be hardcoded in the code, so that the shipped Evrial version is unique for him.

When you want to make a Bitcoin transfer, you usually copy and paste the destination address. In this sense, the attacker waits until the user, trusting in the clipboard action, sends a new transaction to the copied cryptocurrency address, without knowing that the recipient’s address has been silently modified to one that belongs to the attacker. The malware performs this task in the background for different types of address including Bitcoin, Litecoin, Ethereum and Monero addresses as well as for Steam identifiers and Webmoney WMR and WMZ units.

The author exposes his username in Telegram: @Qutrachka. The account is in the source code in order to be able to contact him. Using this information and some other analysed samples, it has been possible to identify users in different deep web forums under the name Qutra whose main objective: sell this malicious software. There are also evidences that CryptoSuffer malware was linked to the same threat actor after identifying a publication in Pastebin explaining the functionalities of this family and published under the same user.

We are able to guess how much it is in every wallet. He has received a total of 21 transactions into the Bitcoin wallet, supposedly from his victims, collecting approximately 0.122 BTC. If ransomware wallets usually receive the same amount from its victims, here the range is wider because the legitimate payments that the victim wants to do are, of course, of different amounts.

The attacker has moved all the money to several addresses to try to blur the trail of his payments. The attacker has received 0.0131 Litecoins as well, but this amount is still available in his wallet. On the other hand, it has not been possible to track any payments related to his Monero account because of how this technology works so as to hide the information of which parties have been involved in each operation. At the same time, we could not find out any additional information linked to his various Webmoney accounts (WMR and WMZ). Anyway, what is clear is that this type of malicious behavior is technically viable while it is being used in the wild.

NanoCore RAT Creator Sentenced to Prison
26.2.2018 securityweek

A Hot Springs, Arkansas man who last year admitted in court to creating the NanoCore RAT (Remote Access Trojan) was sentenced to 33 months in prison.

Taylor Huddleston, 27, was sentenced on Friday for helping and assisting with computer intrusions through the development and marketing of malicious software, the Department of Justice announced. The programs he created were used to steal sensitive data from victims, spy on them, and conduct other illegal intrusions.

In addition to the 33 months in prison, Huddleston was ordered to serve two years of supervised release following his prison sentence.

Accused of developing, marketing, and distributing two malware families, Huddleston pleaded guilty in court in July 2017.

The first malicious program Huddleston developed is the NanoCore RAT, a backdoor that allows attackers to steal information from victim computers, including passwords, emails, instant messages, and other sensitive data. Used to infect and attempt to infect tens of thousands of systems, the RAT allows attackers to activate infected machines’ webcams to spy on victims.

NanoCore RAT was used in attacks targeting the finance departments of small and medium-sized businesses in the U.K., the U.S. and India, as well as in other global infection campaigns. Distribution methods included, among others, fileless tricks to the abuse of free Voice-over-IP (VoIP) service Discord.

Huddleston also admitted to creating Net Seal, licensing software that allowed him to distribute malware for co-conspirators for a fee. Huddleston is said to have used Net Seal to assist Zachary Shames in his attempt to infect 3,000 systems with malware that was in turn used to infect 16,000 computers.

Huddleston built Net Seal in 2012 and created NanoCore in 2014 (he marketed the RAT as a remote desktop management utility.

In his guilty plea last year, Huddleston admitted that he intended the programs to be used maliciously.

Use of Fake Code Signing Certificates in Malware Surges
23.2.2018 securityweek

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

Fake code signing certificates are used as a layered obfuscation technique in malware distribution campaigns, but these aren’t always stolen from legitimate owners, but rather issued upon request. The certificates are created for the specific buyer and registered using stolen corporate credentials, thus rendering traditional network defenses less effective, Recorded Future says.

Counterfeit certificates have been around for over half a decade, but the first offerings for such certificates were observed on the Dark Web only several years ago.

In March 2015, a user known as C@T offered on a prolific hacking messaging board a Microsoft Authenticode that could sign 32-bit/64-bit executable files, along with Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and Silverlight 4 applications. Furthermore, Apple code signing certificates were also available, Recorded Future's researchers say.

The advertiser claimed the certificates were issued by Comodo, Thawte, and Symantec and registered under legitimate corporations. The seller also said each certificate was unique and would only be assigned to a single buyer. The seller suggested the certificates would increase the success rate of malware installations 30% to 50% and claimed to have sold over 60 certificates in less than six months.

What prevented C@T’s offer to appeal to a large client base was the prohibitive cost of certificates, which can surpass $1,000 per certificate in some instances.

Several years later, three new actors started offering such services, primarily in the Eastern European underground, and two remain active, providing counterfeit certificates to Russian-speaking individuals.

One of the actors specializes in Class 3 certificates (they do not include Extended Validation (EV) assurance) and offers them at $600. The other seller has a broad range of products in the offering, the researchers discovered.

Standard Comodo code signing certificates (without SmartScreen reputation rating) cost $295, while the most trusted EV certificates from Symantec cost $1,599 (a 230% premium over the authentic certificate). Buyers looking to make bulk purchases would pay $1,799 for fully authenticated domains with EV SSL encryption and code signing capabilities.

“According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities,” Recorded Future notes.

All certificates are created per the buyer’s request, individually, and have an average delivery time of two to four days.

A trial one of the vendors conducted revealed that detection rate of the payload executable of a previously unreported Remote Access Trojan (RAT) decreased upon signing with a recently issued Comodo certificate. Testing a non-resident version of the payload revealed that only one security product recognized the file as malicious.

“Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates,” the security researchers note.

The counterfeit certificates might have experienced a surge, but they are not expected to become mainstream because of their prohibitive cost when compared to crypting services that are readily available at $10-$30 per each encryption. Nonetheless, more sophisticated attackers and nation-state actors will continue employing code signing and SSL certificates in their operations.

Chaos backdoor, a malicious code that returns from the past targets Linux servers
23.2.2018 securityaffairs

Security experts from GoSecure, hackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos backdoor.
“This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot,” states the report published by GoSecure.

“We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the ‘sebd’ rootkit that was active around 2013.”

The Chaos backdoor was one of the components of the “sebd” Linux rootkit that appeared in the threat landscape back in 2013, researchers discovered a post on hackforums.net, where a user claims to know how the backdoor was made publicly available.

It seems that the source code of the backdoor was caught by a “researcher” that released it on the forum by changing the name of the backdoor in Chaos to trick members into believing that is was a new threat.

The malicious code is now being used by attackers in the wild to target Linux servers worldwide.

Researchers performed an Internet-wide scan using the handshake extracted from the client in order to determine the number of infected Linux servers and they discovered that this number is quite low, below the 150 marks.

chaos infection worldmap

The installation of the Chaos backdoor starts with the attacker downloading a file that pretended to be a jpg from http://xxx.xxx.xxx.29/cs/default2.jpg.

The file was currently a .tar archive containing the Chaos (ELF executable), the client (ELF executable), initrunlevels Shell script, the install Shell script.

“Chaos”, in the tar archive, is the actual backdoor that is installed on the victim’s system and the “Client” file is the client to connect to the installed backdoor.

The backdoor is not sophisticated is doesn’t rely on any exploits, it opens a raw socket on port 8338 on which it listens to commands.

“Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes,” GoSecure experts say. “However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.”

To check if your system is infected experts suggest to run the following command as root:

1 netstat –lwp
and analyze the list the processes to determine which are legitimate ones that have listening raw sockets open.

“Because chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials.” suggest experts to the owner of infected systems.

Malicious RTF Persistently Asks Users to Enable Macros
21.2.2018 securityweek
Virus  Vulnerebility

A malicious RTF (Rich Text Format) document has been persistently displaying an alert to ask users to enable macros, Zscaler security researchers have discovered.

As part of this unique infection chain, the malicious document forces the victims to execute an embedded VBA macro designed to download the QuasarRAT and NetWiredRC payloads.

While analyzing the attack, the security researchers discovered that the actor included macro-enabled Excel sheets inside the malicious RTF documents, to trick users into allowing the execution of payloads.

The RTF document features the .doc extension and is opened with Microsoft Word. When that happens, a macro warning popup is displayed, prompting the user to either enable or disable the macro.

However, the malicious RTF document repeatedly displays the warning popups even if the targeted user clicks on the “Disable Macros” button. By persistently displaying the alert, the malicious actor increases the chances for the user giving in and allowing the macro to run.

The analyzed malicious RTF contains 10 embedded Excel spreadsheets, meaning that the warning is displayed 10 times. Users can’t stop these popups unless they click through all of them or force-quit Word, Zscaler notes.

The attack relies on the use of “\objupdate” control for the embedded Excel sheet objects (OLE object). This function would trigger the macro code inside the embedded Excel sheet when the RTF document is being loaded in Microsoft Word, thus causing the multiple macro warning popups to appear.

The same “\objupdate” control was observed being abused in attacks leveraging the CVE-2017-0199 vulnerability that Microsoft patched in April last year. The new attack, however, does not exploit this vulnerability or another Office security flaw.

The actor behind this campaign used two variations of the malicious macro. The code executes a PowerShell command to download intermediate payloads using Schtasks and cmd.exe. By performing registry modifications, the malware would also permanently enable macros for Word, PowerPoint, and Excel.

The macro downloads a malicious VBS file which terminates all running Word and Excel instances, downloads a final payload using the HTTPS protocol and executes the payload.

Next, it enables macros for Office and disables protected view settings in the suite, creates a scheduled task to run the downloaded payload after 200 minutes, deletes the scheduled task, and downloads an additional payload to the same location.

Zscaler observed the attack dropping two Remote Access Trojans (RATs), namely NetwiredRC and QuasarRAT. NetwiredRC can find files, launch remote shell, log keystrokes, capture screen, steal passwords, and more. QuasarRAT is free and open source, and is believed to be an evolution of xRAT. It has features such as remote webcam, remote shell, and keylogging.

Top Experts Warn Against 'Malicious Use' of AI
21.2.2018 securityweek

Artificial Intelligence Risks

Artificial intelligence could be deployed by dictators, criminals and terrorists to manipulate elections and use drones in terrorist attacks, more than two dozen experts said Wednesday as they sounded the alarm over misuse of the technology.

In a 100-page analysis, they outlined a rapid growth in cybercrime and the use of "bots" to interfere with news gathering and penetrate social media among a host of plausible scenarios in the next five to 10 years.

"Our report focuses on ways in which people could do deliberate harm with AI," said Seán Ó hÉigeartaigh, Executive Director of the Cambridge Centre for the Study of Existential Risk.

"AI may pose new threats, or change the nature of existing threats, across cyber-, physical, and political security," he told AFP.

The common practice, for example, of "phishing" -- sending emails seeded with malware or designed to finagle valuable personal data -- could become far more dangerous, the report detailed.

Currently, attempts at phishing are either generic but transparent -- such as scammers asking for bank details to deposit an unexpected windfall -- or personalised but labour intensive -- gleaning personal data to gain someone's confidence, known as "spear phishing".

"Using AI, it might become possible to do spear phishing at scale by automating a lot of the process" and making it harder to spot, O hEigeartaigh noted.

In the political sphere, unscrupulous or autocratic leaders can already use advanced technology to sift through mountains of data collected from omnipresent surveillance networks to spy on their own people.

"Dictators could more quickly identify people who might be planning to subvert a regime, locate them, and put them in prison before they act," the report said.

Likewise, targeted propaganda along with cheap, highly believable fake videos have become powerful tools for manipulating public opinion "on previously unimaginable scales".

An indictment handed down by US special prosecutor Robert Mueller last week detailed a vast operation to sow social division in the United States and influence the 2016 presidential election in which so-called "troll farms" manipulated thousands of social network bots, especially on Facebook and Twitter.

Another danger zone on the horizon is the proliferation of drones and robots that could be repurposed to crash autonomous vehicles, deliver missiles, or threaten critical infrastructure to gain ransom.

- Autonomous weapons -

"Personally, I am particularly worried about autonomous drones being used for terror and automated cyberattacks by both criminals and state groups," said co-author Miles Brundage, a researcher at Oxford University's Future of Humanity Institute.

The report details a plausible scenario in which an office-cleaning SweepBot fitted with a bomb infiltrates the German finance ministry by blending in with other machines of the same make.

The intruding robot behaves normally -- sweeping, cleaning, clearing litter -- until its hidden facial recognition software spots the minister and closes in.

"A hidden explosive device was triggered by proximity, killing the minister and wounding nearby staff," according to the sci-fi storyline.

"This report has imagined what the world could look like in the next five to 10 years," Ó hÉigeartaigh said.

"We live in a world fraught with day-to-day hazards from the misuse of AI, and we need to take ownership of the problems."

The authors called on policy makers and companies to make robot-operating software unhackable, to impose security restrictions on some research, and to consider expanding laws and regulations governing AI development.

Giant high-tech companies -- leaders in AI -- "have lots of incentives to make sure that AI is safe and beneficial," the report said.

Another area of concern is the expanded use of automated lethal weapons.

Last year, more than 100 robotics and AI entrepreneurs -- including Tesla and SpaceX CEO Elon Musk, and British astrophysicist Stephen Hawking -- petitioned the United Nations to ban autonomous killer robots, warning that the digital-age weapons could be used by terrorists against civilians.

"Lethal autonomous weapons threaten to become the third revolution in warfare," after the invention of machine guns and the atomic bomb, they warned in a joint statement, also signed by Google DeepMind co-founder Mustafa Suleyman.

"We do not have long to act. Once this Pandora's box is opened, it will be hard to close."

Contributors to the new report -- entitled "The Malicious Use of AI: Forecasting, Prevention, and Mitigation" -- also include experts from the Electronic Frontier Foundation, the Center for a New American Security, and OpenAI, a leading non-profit research company.

"Whether AI is, all things considered, helpful or harmful in the long run is largely a product of what humans choose to do, not the technology itself," said Brundage.

Bingo, Amigo! Jackpotting: ATM malware from Latin America to the World
14.2.2018 Kaspersky 
Of all the forms of attack against financial institutions around the world, the one that brings traditional crime and cybercrime together the most is the malicious ecosystem that exists around ATM malware. Criminals from different backgrounds work together with a single goal in mind: jackpotting. If there is one region in the world where these attacks have achieved highly professional levels it’s Latin America.

From “Ploutus”, “Greendispenser”, “Prilex”, traditional criminals and Latin American cybercriminals have been working closely and effectively to steal large sums of money directly from ATMs with quite an elevated rate of success. In order to do it, they have developed a number of tools and techniques that are unique to this region, eventually importing malware from Eastern European cybercriminals and then improving the code to create their own domestic solutions, which they later deploy on a larger scale.

The combination of factors such as the use of obsolete and unsupported operating systems and the availability of easy to use development platforms have allowed the creation of malicious code with technologies such as the .NET framework, without the need for too high technical skills.

We are facing a rising wave of threats against ATMs that have been technically and operationally improved, becoming an immense challenge for financial institutions and security professionals alike. Currently, the attacks on such devices have already generated considerable losses for financial institutions, begging the question: What and when will the next big hit be? “Motivation” is the key word. Why focus on stealing information to monetize it later when it is easier to steal funds directly from the bank?

In this article, we will show an overview on operational details about how these regional attacks against financial institutions have created a unique situation in Latin America. We’ll also highlight how banks and security companies are falling victims to them and how attacks are spreading in the region, aiming to surpass jackpot attacks coming from mariachis and chupacabras.

Dynamite, fake fronts, ATM (in)security
The easiest way to steal money from an ATM machine used to be to blow it up. Most Latin American cybercriminals used to do it on a regular basis. In fact, this type of attack still happens in several parts of the region. Security cameras, CCTV and any other physical security measures proved ineffective in deterring this rudimentary yet extremely effective attack. In many cases, the explosive devices used by the thieves caused damage, not only to the ATMs, but also to bank branches, public squares and the shopping malls in which they were located. A small number of incidents have even caused damage to buildings close to banks.

Explosive attacks on ATMs are a rising problem in Europe as well. In a report covering the first six months of 2016, EAST (European Association for Secure Transactions) reported a total of 492 explosive attacks in Europe; a rise of 80 percent compared to the same period in 2015. Such attacks do not just present a financial risk due to stolen cash, but are also the cause of significant collateral damage to equipment and buildings. Of most concern is the fact that lives can also be placed in danger, particularly by the use of solid explosives.

Actually, it is effortless to find videos on YouTube showing the explosions of ATM machines, mainly in Brazil.

Old school way of robbing an ATM: blowing it up. Some examples here and here.

In an attempt to stop these attacks, Brazilian banks have adopted ink cartridges to stain the bills when the ATM is blown up. Criminals responded quickly, finding a way to remove the ink from the bills using a special solvent. It’s the eternal cat-and-mouse (or should we say a mouse and cat) game among fraudsters and financial institutions.

Another bold maneuver used commonly by criminals in Latin America is to cover the front of an ATM with a whole fake piece that looks like the original. Such an approach seems to surprise visitors when traveling to our region. This technique was presented to the media by Brian Krebs as the “biggest skimmer of all“. Actually, criminals are able to install it without any complications in a day light in supermarkets and other retail businesses (see video).

ATM fake fascia: what you see is not what you get.

For criminals, it’s not difficult to build a fake replica of an ATM machine, especially since they can buy the parts needed on the black-market and even on-line stores easily. Here’s an example of an ATM keyboard sold at a regional on-line store (the Latin American eBay). This device helps cybercriminals build whatever they want. Sometimes, criminals find and recruit insiders right from the ATM industry.

You can build your own fake home assemblied ATM, buying it in pieces…

Another worldwide problem affecting ATMs in Latin America is the reliance on obsolete software with several unpatched vulnerabilities, that’s installed and in-use every day in production environments. Most ATMs are still running on Windows XP or Windows 2000, systems that have already reached their end-of-life, and Microsoft has officially ceased to support for them. In addition to the obsolete software, one may frequently find ATMs with completely exposed cables and network devices that are easy to access and manipulate. Such situations are due to insufficient physical security policies, opening a variety of possibilities to the region’s criminals.

Cables and routers exposed in ATMs running Windows XP: a gold mine for scammers.

However, such attacks represent a risk for those criminal daredevils as they can be recorded by surveillance cameras while trying to tamper with the machines, inserting a dynamite stick, or installing a fake ATM cover right in front of big brother’s eyes. As banks have enhanced the physical security of ATMs, it is no longer so profitable for criminals to rely on the physical assaults of these, thus giving way to the gradual rise of ATM malware in the region.

The process of stealing money from ATMs using malware typically consists of four stages:

The attacker gains local/remote access to the machine.
Malicious code is installed in the ATM system.
In some cases, to complete the infection process, a reboot of the ATM is needed. Sometimes cybercriminals use umbrella or blackbox schemes to reboot and for their operations support.
The final stage (and the ultimate goal of the entire process) is withdrawing the money – jackpotting!
Getting access to the inside of an ATM is not a particularly difficult task. The process of infecting is also fairly clear – arbitrary code can be executed on an obsolete (or insufficiently secured) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”. Sometimes all that is needed is a remote command sent from an already compromised machine in the bank’s network, leaving the “mule” ready for the final step of the game and cashing out without raising any eyebrows.

From Eastern Europe to Latin America
A report from the European ATM Security Team (EAST), shows that global ATM fraud losses increased 18 percent to €156 million (US $177.5 million) in the first half of 2015, compared to the same period in 2014. EAST attributes much of that increase to an 18 percent rise in global card-skimming losses, which includes €131 million (U.S. $149 million) of that total. Unfortunately, it seems there are no official statistics of such attacks and loses in Latin America. ATEFI (the Latin American Association of Service, Operators and Electronic Funds Transfer) does not publish public reports on such attacks.

There is a strong “B2B” cooperation between Eastern European and Latin American cybercriminals. On December 7, 2015, a 26 years old Romanian citizen was arrested in Morelia, Mexico, as he was suspected to be involved in the credit card cloning business. He was caught with $180,000.00 mxn in cash (around $ 9,700.00 USD) after someone from the community reported his suspicious behavior. He had a criminal record in Romania for being a part of an illegal organization connected to counterfeiting and using stolen credit cards. At the beginning of 2017, 31 people were arrested in a coordinated police operation and were charged with belonging to a gang dedicated to the credit card cloning business, among them a Cuban citizen, an Ecuadorian citizen, nine Venezuelans, three Romanians, two Bulgarians and 15 Mexicans. This served as further evidence that carders from Europe and Latin America are connected and occasionally work together.

Backdoor.Win32.Skimer was the first malicious program infecting ATM machines that came up back in 2008. Once the ATM was infected using a special access card, criminals were able to perform a number of illegal operations: withdrawing cash from the ATM, or obtaining data from cards used in the ATM. The coder behind it clearly new how ATM hardware and software work. Our analysis of this Trojan concluded that it was designed to target ATM machines in Russia and Ukraine. It works with US dollar, Russian ruble, and Ukrainian hryvnia transactions. More recently, in 2014, we published a detailed post about Tyupkin, an ATM malware found active on more than 50 ATMs in financial institutions in Eastern Europe. We have enough evidence that Latin American cybercriminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other banking Trojans created in that part of the world. This collaboration directly results in the code quality and sophistication of local Latin American malware. Regional cyber criminals also lease the infrastructure of their Eastern European counterparts. The same applies for ATM malware, which is evolving together with other Latin American malware families.

It’s also common to find Latin American criminals on Russian underground forums looking for samples, buying new crimeware packages and exchanging data about ATM/PoS malware, or negotiating and offering their “professional” services. Since most of them are not proficient in Russian, their writing often includes misspelled Russian words as they rely on automated translation services. Sometimes, they just write in Spanish, so Eastern European cybercriminals have to use automated translation. In any case, despite the language barrier, they negotiate use the acquired knowledge to boost the spread of their malware operations in Latin America.

Latin American criminals in the Russian underground: looking for ATM software

We believe that the first contacts between both cybercriminal worlds happened back in 2008 or even a little earlier. This is only the tip of the iceberg, as this kind of exchange tends to increase over the years as crime develops and looks for new techniques to attack businesses and end users in general.

Mexico: Ploutus – “god of wealth”
According to Greek mythology, Ploutus represented abundance and wealth; a divine child capable of dispensing his gifts without prejudice. However, in the real world, the economic impact of this rampant malware has been estimated at $ 1,200.000.000 MXN ($ 64,864,864.00 USD), considering that only in Mexico, approximately 73,258 ATMs have been found to be compromised.

The first variant of Ploutus became public in October 24, 2013, uploaded to VirusTotal by someone in Mexico, with the filename ‘ploutus.exe’. At that time, the sample had a low detection rate and some AV companies detected it as a Backdoor.Ploutus – Symantec or Trojan-Banker.MSIL.Atmer – Kaspersky.

During 2014 and 2015, a nation state level investigation in relation to ATM robberies using malware resulted in an increased number of uncovered incidents all over Mexico. In August 2013, investigators finally busted a operation connected to about 450 ATMs from 4 major Mexican banks.

Compromised machines were mostly located in places lacking or with very limited physical surveillance. Malware was deployed either via the CD-ROM drive (in the first versions) or a USB port in latter versions. These attacks caught the attention of the banks’ security departments in an odd manner. The armored transportation company began to receive a rare number of phone calls and alerts in respect to unusually high amounts of money being withdrawn from ATMs. The machines were reporting low cash flow levels just hours after being filled by the company in charge of this service.

The second attack was perpetrated during the Mexican Black Friday, locally known as “El Buen Fin”. During these dates, ATMs are stocked with more money in order to fulfill customer demand (approximately 20% more funds than usual are added). Lastly, the third attack was carried out during Valentine’s Day, which is celebrated on February 14th in Mexico. Dates in which ATMs are heavily used and have more funds than usual certainly attracted the attention of this group, which seemed to plan its attacks in advance while hiding in plain sight.

Ploutus developers are not trying to hide the origins of their code.

To install this malware, physical access to the ATM is needed. Usually, this is achieved via USB or CD drive, facilitating directly from the infected ATM machine and not merely cloning credit or debit cards. So, the damage is for financial Institutions and not their customers, at least not directly.

Strings in Spanish language display the goal of Ploutus

In this case, the business model is to sell licenses which are valid only for a day, allowing the “customer” (cybercriminal) to withdraw money from any number of machines during that particular day. It may take between two and half to three hours to empty the cash dispensing cassettes of an ATM.

According to a private investigation, a default arrangement for cybercriminals gangs is an average of 3 individuals per cell, with up to 300 people involved in the campaigns. Each group is responsible for compromising a chosen ATM with malware, obtaining an ID that is used afterwards to request an activation code via SMS, allowing full access to all of the ATM’s services.

Graphical user interface of an early version of Ploutus; shown when the correct activation sequence matches.

So far, we have seen four different versions or generations of the Ploutus malware family, the last one, which pertains to 2017, includes bug fixes and code improvements. For the first versions found in-the-wild there was no way of “calling home” or reporting the activities done on the ATM back to a C2 server. However, there is a SMS module used to obtain a unique identifier for the machine that allows the activation of the malicious code remotely. Once activated, money mules (operators standing at the ATM) can start withdrawing money until the licensed time expires. The procedure is as follows:

Compromise the ATM, via physical access through the CD-ROM drive or USB ports of the machine.
The install malware will run in the system as a regular Microsoft Windows service.
Acquire an ATM ID used for the identification and activation of the machine.
Some versions send a SMS to activate the “customer” (infected ATM), while others require physical access and connecting a keyboard in order to interact with the malware.
Cash out while the malware is active for 24 hours.
The newest version, found in-the-wild later in 2017, granted criminals full remote administration of infected ATMs and the capability to run diagnostic tools along with other crafted commands. In that latest version we found that cybercriminals switched from a physical keyboard to access ATMs to WiFi access with a special modified TeamViewer Remote management tool module. This made it possible to conduct malicious operations more scalable and less risky for the cybercriminals.

Kaspersky Lab detects the samples described above as Backdoor.MSIL.Ploutus, Trojan-Spy.Win32.Plotus and HEUR:Trojan.Win32.Generic

Colombia: corruption, insiders and legit software
In October 2014, 14 ATMs were compromised in different cities of Colombia. The economic impact was around $ 1,024.00 million (Colombian Pesos) without any trackable transaction. Later, an employee at one of the banks was arrested as he was suspected of installing the malware remotely in all of the ATMs using his personal security code and passwords, just one day before resigning his job.

The suspect had previously worked for the Colombian police for 8 years as an electronic engineer specializing in computer security and also as a police investigator. At the time, he was in charge of large-scale investigations, but over the years he ended up leading a judicial file that surprised the investigators. On October 25th, he was arrested and charged by the authorities as the author of a multi-million fraud scheme aimed at a Colombian bank. At the time of his arrest, the criminal had remote access to 1,159 ATMs throughout Colombia. In the development of the illegal operation, the criminal used a modified legitimate ATM software, which left everything set for other members of the illegal organization to commit fraud in less than 48 hours in six different cities. This was the way Colombian media talked about the multi-million fraud against a local bank.

Insider with admin and remote access: 14 ATMs controlled and jackpotted in Colombia

To perform this attack the corrupted ex-police officer used a modified version of the ATM management software distributed by the manufacturer and their technical support staff. As an officer, he had access to this kind of software, which after installation, would interact with the XFS standard, sending commands to the ATM:

Legitimate software, misused: privileged access to steal money.

The target in this attack was Diebold ATM machines:

Target: Diebold ATM

Once the cybercriminal infected the ATMs with the mentioned legitimate but modified management software, a special access was granted. From that moment on, any kind of ATM malware could be installed, including Ploutus, which we saw was aggressively used in Peru and other South American countries.

Kaspersky Lab detects samples of the attack as: Trojan.MSIL.Agent and Backdoor.MSIL.Ploutus

Brazil: Prilex on top of the hill
Brazil is also notorious for developing and spreading locally built malware. The same can be said for their ATM and PoS malware. In 2017, we found an interesting new ATM malware family spread in-the-wild in Brazil. It’s developed from scratch in the country so the code doesn’t have similarities with any other known ATM malware family.

Prilex is an interesting ATM malware fully developed by Brazilian cybercriminals is Prilex. The criminals behind Prilex are also responsible for the development of several PoS malware, allowing them to target both ATM and PoS markets. The key difference of this attack is that instead of using the common XFS library to interact with the ATM sockets, it used some specified vendor’s libraries. Someone generously shared that information with the criminals.

Prilex’s piece of code with a lot of strings in Portuguese.

According to the code we analyzed, the cybercriminals behind it knew all about victim’s network diagram as well as the internal structure of the ATMs used by the bank. In one of the samples, we found a specific user account of someone working in the Bank. That may mean two things: an insider in the bank was leaking information to cybercriminals or the bank had suffered a targeted attack, which allowed the criminals to exfiltrate key information.

Command used to execute the process under specific credential.

Once the malware is running it has the capability of dispensing money from the sockets by using a special window which is activated by using a specific key combination, provided to the money mules by the criminals. There is also a component which reads and collects data from the magnetic stripe of the cards used it ATMs infected with Prilex. All information is stored in a locally saved file.

We believe that the group behind this malware family is not new. We had seen them running another campaign since at least 2015, not only for ATM but also PoS attacks.

Kaspersky Lab detects these malware families as Trojan.Win32.Ice5 and Trojan.Win32.Prilex, respectively.

ATMs have been under constant attack since at least 2008-2009, when the first malicious program targeting ATMs, known as Backdoor.Win32.Skimer, was discovered. This is probably the fastest way for cybercriminals to get money – just right from the ATM. When it happens, we see two losses categories for the banks:

Direct bank losses, when an attacker obtains money from an ATM cash dispenser.
Indirect banks losses but losses to its customers. In this second scenario, cybercriminals steal from the customers’ bank accounts cloning unique cardholder data from the users’ ATM (including Track2 – the magnetic stripe data, the PIN – personal identification number used as a password, or new authentication methods, such biometric data).
To achieve their goals, attackers must solve one of these key challenges – they must either bypass customer authentication mechanisms or bypass the ATM’s security mechanisms. Criminals already use various methods to profit from ATMs, such as ram-raiding and dynamite explosive attacks, or traditional skimmers and shimmers to obtain customers’ information. It’s obvious criminal methods are shifting from physical attacks to so-called logical attacks. These can be described as non-destructive attacks. This helps cybercriminals stay undetected for longer periods of time, stealing not just once but several times from the same infected ATM.

ATM security is a complex problem that should be addressed on different levels. Many problems can only be fixed by the ATM manufacturers or vendors, especially with direct cooperation of security vendors.

The vast majority of ATM malware attention is placed on Eastern Europe, as the most developed cybercrime scene is in that part of the world. However, Latin America is one of the most dynamic and challenging markets in the world due to its particular characteristics. Regional cybercriminals are constantly seeking help and trading knowledge with their “colleagues” from Eastern European countries.

The constant monitoring of malicious activities by Latin American cybercriminals provides IT security companies with an advantageous opportunity to discover new attacks related to the financial sector. To have a complete understanding of the Latin American cybercrime scene, antimalware companies need to pay close attention to the reality of the country, collect files locally, build local relationships, and keep local analysts to monitor these attacks, mostly because it’s common for criminals to be extremely vigilant about their creations and how far these propagate. As it happens in Russia and China, Latin American criminals have created their own unique reality that’s sometimes quite difficult to grasp from the outside.

It’s very important for Financial Institutions, being such big and important targets for cybercriminals all over the world, to work on Threat Intelligence, including, not just global feeds, but also IOCs and Yara rules from hard to spot local attacks from regional experts. Our complete IOCs list, as well as Yara rules and full reports are available for Financial Intelligence Reports service customers. Need more information about the service? financialintel@kaspersky.com

Reference hashes

New AndroRAT Variant Emerges
14.2.2018 securityweek
Vulnerebility  Virus
A newly discovered variant of the AndroRAT off-the-shelf mobile malware can inject root exploits to perform malicious tasks, Trend Micro reports.

The updated malware version targets CVE-2015-1805, a publicly disclosed vulnerability that can be abused to achieve privilege escalation on older Android devices. By injecting root exploits, the threat can perform silent installation, shell command execution, WiFi password collection, and screen capture, security researchers have discovered.

First observed in 2012, AndroRAT was initially a university project, designed as an open-source client/server application to offer remote control of a device. It didn’t take long for cybercriminals to find the tool appealing and start using it in attacks.

The same as other Remote Access Tools (RATs), the malware gains root access in order to take control over the target system.

The newly observed version of the tool masquerades as a utility app called TrashCleaner, which the researchers believe is delivered from a malicious URL. When first executed, TrashCleaner prompts the user to install a Chinese-labeled calculator app, hides its icon from the device’s UI, and activates the RAT in the background.

“The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions,” Trend Micro notes.

The malware can perform a broad range of actions previously observed in the original AndroRAT, including audio recording, photo taking, and system information theft (phone model, number, IMEI, etc.). It also steals WiFi names, call logs, mobile network cell location, GPS location, contacts, files on the device, list of running apps, and SMS messages, while keeping an eye on all incoming and outgoing SMS.

The threat is also capable of obtaining mobile network information, storage capacity, root status, list of installed applications, web browsing history from pre-installed browsers, and calendar events. Additionally, it can record calls, upload files to the device, capture photos using the front camera, delete and send forged SMS messages, take screenshots, execute shell commands, steal WiFi passwords, and silently enable accessibility services for a keylogger.

While the targeted vulnerability (CVE-2015-1805) was patched in early 2016, devices that are no longer updated regularly continue to be exposed to this new AndroRAT variant.

To avoid being targeted by the threat, users should avoid downloading and installing applications from third-party app stores. Installing the latest security updates and keeping all applications on the device updated at all times should also reduce the risk of being affected, the security researchers point out.

Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware
14.2.2018 securityaffairs
Exploit  Virus

Security researcher Alexey Firsh at Kaspersky Lab last discovered a Telegram zero-day in the desktop Windows version that was exploited in attacks in the wild.
Security researcher Alexey Firsh at Kaspersky Lab last discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app.

The bad news is that the Telegram zero-day flaw was being exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.

According to the expert, hackers have actively exploited the vulnerability since at least March 2017. Attackers tricked victims into downloading cryptocurrency miners or to establish a backdoor.

“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.” reads the analysis of the expert.

The flaw is related to the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for any language that uses a right to left writing mode, like Arabic or Hebrew.

The attackers used a hidden RLO Unicode character in the file name that reversed the order of the characters, in this way the file name could be renamed. In a real attack scenario, then the attackers sent the file to the target recipient.

The crooks craft a malicious code to be sent in a message, let assume it is a JS file that is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js (— *U+202E* is the RLO character)

The RLO character included in the file name is used by an attacker to display the string gnp.js in reverse masquerading the fact that the file is a js and tricking the victims into believing that it is a harmless .png image.

Telegram zero-day

When the user clicks on the file, Windows displays a security notification if it hasn’t been disabled in the system’s settings.

telegram zero-day

If the user ignores the notification and clicks on ‘Run’, the malicious code executed.
The expert reported the Telegram zero-day to the company that promptly patched the flaw.

“Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.” states the analysis published by Kaspersky.

“During their analysis, Kaspersky Lab experts identified several scenarios of zero-day exploitation in the wild by threat actors.”

The analysis of the servers used by the attackers revealed the presence of archives containing a Telegram’s local cache, this means that threat actors exploited the flaw to steal data from the victims.

In another attack scenario, crooks triggered the flaw to install a malware that leverages the Telegram API as a command and control mechanism.

“Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer. After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.” continues the analysis.

According to the researcher, the flaw was known only in the Russia crime community, it was not triggered by other crooks.

To mitigate the attack, download and open files only from trusted senders.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries
9.2.2018 thehackernews

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.
A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.
Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.
Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind.
Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data pass firewalls and other security controls.
"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blogpost published Thursday.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."
The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.
It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.
Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disable if find any. The researchers say it's unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."
Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, the Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.
Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.
It should be noted that the attackers behind the malware have not been compromised the LogMeIn service itself—it's just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.
"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
According to Forcepoint researchers, protecting against such threat could be a tricky proposition, as "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.
Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect onto targeted systems.

New PoS Malware Family Discovered
9.2.2018 securityweek 
Researchers have discovered a new Point of Sale (POS) malware. They cannot tell yet whether it is new code still being developed, or already used -- complete with coding errors -- in an undetected campaign. They suspect the latter.

PoS malware has been responsible for a number of high profile data breaches over the last few years, including Hyatt Hotels, Chipotle Mexican Grill, Avanti Markets, and Sonic Drive-In. The growing use of EMV (chip & pin) payment cards in the U.S. makes card-present fraud more difficult. It was always expected that this would drive criminals towards card-not-present (that is, online) fraud; making the online theft of card details more attractive.

Forcepoint researchers Robert Neumann and Luke Somerville described the malware in a blog analysis posted today. "This appears to be a new family which we are currently calling 'UDPoS' owing to its heavy use of UDP-based DNS traffic." The researchers are not overly impressed by the quality of the coding, describing it as 'a flawed gem' -- where 'flawed' refers to the coding and 'gem' to the excitement of discovering a new needle in the haystack of old malware.

The malware uses a 'LogMeIn' theme as camouflage. The C2 server is service-logmeln.network (with an 'L' rather than an 'I') hosting the dropper file, update.exe. This is a self-extracting 7-Zip archive containing LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe. The former, the service component of the malware, is run automatically by 7-Zip on extraction.

This service component is responsible for setting up its own folder, and establishing persistence. It then passes control to the second, or monitoring, component by launching logmeinumon.exe. The two components have a similar structure, and use the same string encoding technique to hide the name of the C" server, filenames and hard-coded process names.

The monitor component creates five different threads after attempting an anti-AV and virtual machine check and either creating or loading an existing ‘Machine ID'. The Machine ID is used in all the malware's DNS queries. The anti-AV/VM process is flawed, attempting to open only one of several modules.

When first run, the malware generates a batch file (infobat.bat) to fingerprint the infected device, with details written to a local file before being sent to the C2 server via DNS. The precise reason for this is unclear, but the researchers note, "The network map, list of running processes and list of installed security updates is highly valuable information."

Deeper analysis of the malware revealed a process designed to collect Track 1 and Track 2 payment card data by scraping the memory of running processes. "These processes," say the researchers, "are checked against an embedded and pre-defined blacklist of common system process and browser names with only ones not present on the list being scanned."

If any Track 1/2 data is found, it is sent to the C2 server. A log is also created and stored, "presumably," say the researchers, "for the purpose of keeping track of what has already been submitted to the C2 server."

When the researchers attempted to find additional samples of the same malware family, all they found was a different service component but without a corresponding monitor component. This one had an 'Intel' theme rather than a 'LogMeIn' theme. It was compiled at the end of September 2017, two weeks before the compilation stamp of October 11, 2017 for the LogMeIn components.

"Whether this is a sign that authors of the malware were not successful in deploying it at first or whether these are two different campaigns cannot be fully determined at this time due to the lack of additional executables," note the authors.

They warn that legacy PoS systems -- which can number thousands in large retailers -- are often based on variations of the Windows XP kernel. "While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year."

They urge sysadmins to monitor unusual activity patterns; in this case, DNS traffic. "By identifying and reacting to these patterns, businesses -- both PoS terminal owners and suppliers -- can close down this sort of attack sooner."

Austin, Texas based Forcepoint, originally known as Raytheon/Websense, was created in a $1.9 billion deal involving Raytheon, Websense and Vista Equity Partners in April 2015. It was renamed to Forcepoint in January 2016.

UDPOS PoS malware exfiltrates credit card data DNS queries
9.2.2018 securityaffairs

A new PoS malware dubbed UDPoS appeared in the threat landscape and implements a novel and hard to detect technique to steal credit card data from infected systems.
The UDPoS malware was spotted by researchers from ForcePoint Labs, it relies upon User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP that is the protocol used by most POS malware.

The UDPoS malware is the first PoS malicious code that implements this technique disguises itself as an update from LogMeIn, which is a legitimate remote desktop control application.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blogpost published by LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

The UDPoS malware only targets older POS systems that use LogMeIn.

“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.

The command and control (C&C) server are hosted by a Swiss-based VPS provider, another unusual choice for such kind of malware.

The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log that is the actual malware.


The malicious code implements a number of evasion techniques, it searches for antivirus software disables them, it also checks if it is running in a virtualized environment.

“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:

However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.

“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”

It must be highlighted that currently there is no evidence of the UDPoS malware currently being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing the attacks.

In the past other malware adopted the DNS traffic to exfiltrate data, one of them is the DNSMessenger RAT spotted by Talos experts in 2017. The researchers from Cisco Talos team spotted the malware that leverages PowerShell scripts to fetch commands from DNS TXT records.

Further info about the UDPoS malware, including IoCs, are available in the blog post.

Malware is Pervasive Across Cloud Platforms: Report
8.2.2018 securityweek 
Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant

Cloud Access Security Brokers (CASBs) provide visibility into the cloud. Some CASBs provide malware protection. Some clouds provide malware protection. Bitglass analyzed the efficacy of cloud-only protection by scanning the files of its customers that had not implemented its own Advanced Threat Protection (actually Cylance).

Bitglass scanned tens of millions of customer files and found (PDF) a remarkably high number of infections: 44% of organizations had at least one piece of malware in their cloud applications; and nearly one-in-three SaaS app instances contained at least one threat. Among the SaaS apps, 54.4% of OneDrive and 42.9% of Google Drive instances were infected. Dropbox and Box followed, both at 33%.

The research discovered that the average company had nearly 450,000 files held in the cloud, with more than 20 of the files containing malware. Forty-two percent of the infected file types were script and executable files, 21% were Office documents, 10% were Windows system files, and 8% were compressed formats. The other 19% were in various different file formats.

Among the infections it discovered a malware that Cylance confirmed as a zero-day ransomware -- which it calls ShurL0ckr. ShurL0ckr is ransomware-as-a-service , "meaning," says Bitglass, "the hacker generates a ransomware payload and distributes it via phishing or drive-by-download to encrypt files on disk in a background process until a Bitcoin ransom is paid." No analysis of the malware and its inner workings is provided.

It is, however, undetected by either Microsoft's or Google's cloud offerings.

"The sad truth," comments Meni Farjon, co-founder and CTO at SoleBIT Labs, "is that today, most cloud services providers still do not supply advanced malware detection capabilities, thus making this vector a perfect choice for attackers who aim to infect corporate users on a massive scale. I believe we will definitely see more ransomware variants targeting cloud application in the coming months, at least until the major cloud services providers offer malware detection capabilities to those services."

Bitglass checked whether mainstream anti-malware would detect the ShurL0ckr ransomware. "The team," writes Bitglass, "then leveraged VirusTotal to scrutinize a file containing the ransomware across dozens of antivirus engines. Only 7% of said engines (five in sixty-seven) detected the malware - one of these engines was Cylance, a Bitglass technology partner."

VirusTotal was acquired by Google in 2012.

The key takeaways from this research are that security teams' concerns about cloud security are valid, and there's a new ransomware that goes largely undetected. That last point is, however, not clear cut. The purpose of VirusTotal (VT) is to allow concerned users to gain insight into a suspect file -- could it be, or is it likely not, malicious? It is not an anti-malware comparative tool.

VirusTotal itself says, "Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment. Because of this, VirusTotal scan results aren't intended to be used for the comparison of the effectiveness of antivirus products."

"In other words," comments ESET senior research fellow David Harley, "a VirusTotal report is not a reliable indicator as to whether a product detects or blocks a given sample out in the field, because VirusTotal doesnít necessarily make use of all the layers of protection made available by a specific product in the real world. To draw any conclusions about the efficacy of any product based on one sample isnít testing at all," he added; "itís just marketing."

Lenny Zeltser, VP of products at Minerva Labs, isn't surprised by the VT engines' low detection rate. "Attackers continually find ways of getting around AV tools, due to the inherent weaknesses of any approach to detecting malicious software on the basis of previously-seen patterns. This is a reality for all types of AV solutions," he told SecurityWeek, "regardless of whether they employ AI or not."

He believes that it is reasonable for Bitglass to quote a low VT detection rate because "this research focused on the way in which files stored on cloud services are identified as malware. I believe the providers of such services rely on static scans, which makes VirusTotal a reasonable approximation of AV efficacy in such scenarios. The findings show that organizations cannot rely solely on the scans performed by these providers, and should deploy anti-malware protection to their endpoints as well.î

What we now know is that there is another ransomware to worry about. We know that Cylance can detect it, but we don't know whether other anti-malware products deployed in the field will also catch it -- we do not know that only 7% will detect it. Bitglass hasn't provided any IOCs in its report, so it will be difficult for security teams to check for themselves.

However, since Bitglass uploaded an infected file to VirusTotal, VT will have shared details with its partner AV companies. They will now be making sure that they will detect it in the future -- so it might be useful for security teams to check directly with their own anti-malware provider to make sure they are already covered.

Silicon Valley-based Bitglass raised $45 million in a Series C funding round in January 2017, adding to the $25 million Series B round in 2014.

Stealthy Data Exfiltration Possible via Magnetic Fields
8.2.2018 securityweek 
Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.

A team of researchers at the Ben-Gurion University of the Negev in Israel have created two types of proof-of-concept (PoC) malware that use magnetic fields generated by a device’s CPU to stealthily transmit data.

A magnetic field is a force field created by moving electric charges (e.g. electric current flowing through a wire) and magnetic dipoles, and it exerts a force on other nearby moving charges and magnetic dipoles. The properties of a magnetic field are direction and strength.

The CPUs present in modern computers generate low frequency magnetic signals which, according to researchers, can be manipulated to transmit data over an air gap.

The attacker first needs to somehow plant a piece of malware on the air-gapped device from which they want to steal data. The Stuxnet attack and other incidents have shown that this task can be accomplished by a motivated attacker.

Once the malware is in place, it can collect small pieces of information, such as keystrokes, passwords and encryption keys, and send it to a nearby receiver.

The malware can manipulate the magnetic fields generated by the CPU by regulating its workload – for example, overloading the processor with calculations increases power consumption and generates a stronger magnetic field.

The collected data can be modulated using one of two schemes proposed by the researchers. Using on-off keying (OOK) modulation, an attacker can transmit “0” or “1” bits through the signal generated by the magnetic field – the presence of a signal represents a “1” bit and its absence a “0” bit.

Since the frequency of the signal can also be manipulated, the malware can use a specific frequency to transmit “1” bits and a different frequency to transmit “0” bits. This is known as binary frequency-shift keying (FSK) modulation.

Ben Gurion University researchers have developed two pieces of malware that rely on magnetic fields to exfiltrate data from an air-gapped device. One of them is called ODINI and it uses this method to transmit the data to a nearby magnetic sensor. The second piece of malware is named MAGNETO and it sends data to a smartphone, which typically have magnetometers for determining the device’s orientation.

In the case of ODINI, experts managed to achieve a maximum transfer rate of 40 bits/sec over a distance of 100 to 150 cm (3-5 feet). MAGNETO is less efficient, with a rate of only 0.2 - 5 bits/sec over a distance of up to 12.5 cm (5 inches). Since transmitting one character requires 8 bits, these methods can be efficient for stealing small pieces of sensitive information, such as passwords.

Researchers demonstrated that ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, an enclosure used to block electromagnetic fields, including Wi-Fi, Bluetooth, cellular and other wireless communications.

In the case of MAGNETO, the malware was able to transmit data even if the smartphone was placed inside a Faraday bag or if the phone was set to airplane mode.

Ben-Gurion researchers have found several ways of exfiltrating data from air-gapped networks, including through infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

Capable Luminosity RAT Apparently Killed in 2017
7.2.2018 securityweek
The prevalence of the Luminosity remote access Trojan (RAT) is fading away after the malware was supposedly killed half a year ago, Palo Alto Networks says.

First seen in April 2015, Luminosity, also known as LuminosityLink, has seen broad use among cybercriminals, mainly due to its low price and long list of capabilities. Last year, Nigerian hackers used the RAT in attacks aimed at industrial firms.

Luminosity’s author might have claimed that the RAT was a legitimate tool, but its features told a different story: surveillance (remote desktop, webcam, and microphone), smart keylogger (record keystrokes, target specific programs, keylogger viewer), crypto-currency miner, distributed denial of service (DDoS) module.

Earlier this week, Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) announced a law enforcement operation targeting sellers and users of the Luminosity Trojan, but Palo Alto says the threat appears to have died about half a year ago, long before this announcement.

The luminosity[.]link and luminosityvpn[.]com, domains associated with the malware, have been taken down as well. In fact, the sales of the RAT through luminosity[.]link ceased in July 2017, and customers started complaining about their licenses no longer working.

With Luminosity’s author, who goes by the online handle of KFC Watermelon, keeping a low profile and closing down sales, and with Nanocore RAT author arrested earlier, speculation emerged on the developer being arrested as well. It was also suggested that he might have handed over his customer list.

To date, however, no report of an arrest in the case of the Luminosity author has emerged, and Europol’s announcement focuses on the RAT’s users, without mentioning the developer. According to Palo Alto, this author (who also built Plasma RAT) lives in Kentucky, which would also explain his online handle.

The security firm collected over 43,000 unique Luminosity samples during the two years when the threat was being sold, and says that thousands of customers submitted samples for analysis.

To verify the legitimate use of the RAT, the command and control servers had to contact a licensing server. In July 2017, researchers observed a sharp drop in sales, with the licensing server going down, despite some samples still being seen. Palo Alto believes the RAT’s prevalence was likely fueled by cracked versions, as development had already stopped.

“Based on our analysis and the recent Europol announcement, it does seem though that LuminosityLink is indeed dead, and we await news of what has indeed happened to the author of this malware. In support of this, we have seen LuminosityLink prevalence drop significantly and we believe any remaining observable instances are likely due to cracked versions,” Palo Alto notes.

The researchers also note that, although some of the Luminosity’s features might be put to legitimate use, the “preponderance of questionable or outright illegitimate features discredit any claims to legitimacy” that the RAT’s author might have.

Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation
6.2.2018 securityaffairs

The Europol’s European Cybercrime Centre along with the UK NSA disclosed the details of an international law enforcement operation that dismantled a crime ring linked to Luminosity RAT.
The Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017, it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40, it allows attackers to take complete control over the infected system.

Luminosity RAT

In September 2016, the UK law enforcement arrested a man that was linked to the threat. The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies target both sellers and users of Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

“The Luminosity Link RAT (a Remote Access Trojan) enabled hackers to connect to a victim’s machine undetected. They could then disable anti-virus and anti-malware software, carry out commands such as monitoring and recording keystrokes, steal data and passwords, and watch victims via their webcams.” states the press release published by NCA.

“The RAT cost as little as £30 and users needed little technical knowledge to deploy it.

A small network of UK individuals supported the distribution and use of the RAT across 78 countries and sold it to more than 8,600 buyers via a website dedicated to hacking and the use of criminal malware.”

The Luminosity RAT was one of the malicious code used in Business Email Compromise attacks and was also used Nigerian gangs in attacks aimed at industrial firms.

Law enforcement believes that thousands of individuals were infected with the RAT.

“Victims are believed to be in the thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis on the large number of computers and internet accounts seized continues.” reads the announcement published by the Europol.

“Through such strong, coordinated actions across national boundaries, criminals across the world are finding out that committing crimes remotely offers no protection from arrests. Nobody wants their personal details or photographs of loved ones to be stolen by criminals. We continue to urge everybody to ensure their operating systems and security software are up to date”. said Steven Wilson, Head of Europol’s European Cybercrime Centre.

AutoSploit: Automated Hacking Tool Set to Wreak Havoc or a Tempest in a Teapot?
2.2.2018 securityweek

AutoSploit Automatically Finds Vulnerable Targets via Shodan and Uses Metasploit Exploits to Compromise Hosts

AutoSploit is a tool designed to automate the use of Metasploit exploits. It was announced on Twitter on Wednesday.

"I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE," announced Twitter user VectorSEC, Wednesday. Just to be clear, this tool automatically finds vulnerable targets and uses Metasploit exploits to provide remote code execution for the user.

No great skill is necessary: all that is required is AutoSploit (available from GitHub), Python Blessings, Shodan, and Metasploit. Shodan locates the targets, Metasploit provides the exploits, and AutoSploit actions them. Since new vulnerability exploits are added to Metasploit faster than many companies can apply vulnerability patches, the immediate concern is whether this new tool will further commoditize cybercrime by facilitating a new army of unskilled, wannabee, skiddie, hackers able to hack computers automatically.

Just how dangerous is this? Opinions are varied. "[AutoSploit] makes being a script kiddie infinitely easier," comments Chris Morales, head of security analytics at Vectra Networks. "It is combining a whole set of automated tools for identifying exposed hosts and then executing exploits. Where I think this will have the most dramatic effect, and what scares me most, is with IoT. I’m predicting a rash of new IoT DOS, cryptocurrency mining, and general debauchery."

But he notes that it will simply lead to a compromised host -- something security teams have to handle every day. There is still time for incident response. "We cannot rely on prevention and need to be vigilant in finding attackers once they infect systems and before they can cause real damage.”

Chris Roberts, chief security architect at Acalvio, agrees that it will attract the wannabees. “Good to know we’ve weaponized for the masses. Everyone can now be a script kiddie simply by plugging, playing and attacking." But he points out that attack tools with 'very nice interfaces' are not new, and only exist because the root problem is the bad products, code, systems and infrastructures used by everyone.

"The kids are not more dangerous," he says. "They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem.”

"The basic functionalities [of AutoSploit] were already accessible," says ESET senior research fellow, David Harley, "but AutoSploit lowers the level of knowledge and competence necessary to take advantage of them. So, I guess there could be more skiddies snapping at the heels of companies and individuals whose patching isn’t up to scratch."

He warns that companies cannot rely on prevention technologies to neutralize AutoSploit. "Security companies watch Metasploit with the intention of remediating where they can, so some (at least) of the modules used will be less effective on well-protected systems. Sadly, not every exploit can be 100% defended against by third-party security software. Not every system out there is well-protected. And it sounds as if AutoSploit will make it easier to find and probe systems that are less likely to be properly patched or defended with security software. Like the Internet-of-unnecessarily-interconnected-things…"

AutoSploit Hacking Tool

There are others who simply dismiss AutoSploit. Jerry Gamblin, lead security analyst at Carfax, tweeted, "While everyone is freaking out I hacked together antiautosploit to stop autosploit from sploiting you (This just blocks Shodan from scanning you)."

The general consensus from the security industry seems to be that AutoSploit will attract the kiddies but won't change the current threat landscape -- beyond perhaps making existing good practice (patching, incident response) more important and urgent.

"This doesn't really change anything from way things are already," says F-Secure principal researcher Jarno Niemela. "My 11-year-old son learned Metasploit when he was 10 years old, and there is a ton of tradecraft videos in YouTube for anyone who is interested... This tool simply makes something that was already very easy just a bit easier."

But he also has a word of warning for wannabees attracted by AutoSploit. "The fact that something is really easy, does not make unauthorized computer access any less a crime. And tools like this leave a forensic footprint that is miles wide. Yes, you can compromise poorly protected systems very easily with this tool, but you can also end up in a lot of trouble."

Legacy Malware and Legacy Systems Are Not a Legacy Problem
2.2.2018 securityweek
Companies must be wary of chasing shiny new threats with shiny new defenses, while leaving legacy systems vulnerable to legacy malware.

Trend Micro calls the legacy threat 'Throwhack'; after the more benign 'Throwback Thursday' social media trend; but, says principal security strategist Bharat Mistry in a blog published today, "there’s nothing entertaining about this list of legacy security challenges."

Mistry points to Conficker (dating back to 2008). "Throughout 2017 we saw monthly detections of around 20,000; meaning it’s still highly active." In conversation with SecurityWeek, he agreed that the majority of detections were in the Far East with few appearing in the U.S. or Europe; but warned that Far East breaches could get into the supply chain of Western organizations.

Heartbleed is another old threat that hasn't gone away. "Despite surfacing and being patched in 2014, nearly 200,000 servers and devices were reported as exposed last year."

The problem goes deeper than just old malware -- it is exacerbated by the continued use of old and unsupported systems. "Spiceworks has claimed that 68% of US, Canadian and US firms still run Office 2007, while it has also been reported that around 20% of US and UK healthcare organizations still run Windows XP. It doesn’t take much to understand the dangers of running unsupported systems," he writes.

One of the problems, he told SecurityWeek, is that new security products are not always old problem aware. "Machine learning systems," he said, "often 'learn' to detect malware based on current threats. They simply aren't taught to detect old behaviors; and can miss them."

To be fair, he isn't advocating abandoning new machine learning detection products or methods, only pointing out that on their own they aren't enough. "Wherever possible," he said, "organizations should employ traditional anti-malware products as well as new machine learning products." He added that the challenge of the smaller processing overhead from ML systems has spurred traditional anti-malware into designing and implementing new approaches that reduce their own overhead.

Nevertheless, he stresses that one of the best solutions to legacy malware is to update or upgrade legacy systems: newer versions of old operating systems are no longer susceptible to old vulnerabilities.

"If updating your OS is not possible, for whatever reason, use vulnerability shielding/virtual patching on the endpoint or intrusion prevention at the network level. It’s ideal for mitigating the impact of older malware like Conficker which exploits vulnerabilities. It protects legacy systems by providing convenient and automatic updates, allowing organizations to maintain protection while minimizing their patch management costs."

WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit
2.2.2018 securityaffairs

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.
This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike.

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.


The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

WannaMine Malware Spreads via NSA-Linked Exploit
1.2.2018 securityweek
Virus  Exploit
A piece of crypto-mining malware is using sophisticated tools for its operations, including a Windows exploit linked to the National Security Agency, security researchers warn.

Dubbed WannaMine, the crypto-mining worm spreads using EternalBlue, the NSA-linked tool that became public in April 2017, just one month after Microsoft released a patch for it.

Leveraging a vulnerability in Windows’ Server Message Block (SMB) on port 445, the exploit became famous after the WannaCry ransomware was found exploiting it for distribution. Other malware families abused it as well, including botnets, backdoors, NotPetya, and banking Trojans.

Now, the same exploit is being used to spread WannaMine, a piece of malware focused on mining for the Monero crypto-currency, but which uses sophisticated capabilities, such as persistence and distribution mechanisms similar to those used by nation-state actors, CrowdStrike says.

WannaMine, the security researchers explain, employs “living off the land” techniques for persistence, such as Windows Management Instrumentation (WMI) permanent event subscriptions. The malware has a fileless nature, leveraging PowerShell for infection, which makes it difficult to block without the appropriate security tools.

The malware uses credential harvester Mimikatz to acquire legitimate credentials that would allow it to propagate and move laterally. If that fails, however, the worm attempts to exploit the remote system via EternalBlue.

To achieve persistence, WannaMine sets a permanent event subscription that would execute a PowerShell command located in the Event Consumer every 90 minutes.

The malware targets all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003. However, it uses different files and commands for Windows Vista and newer platform iterations.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” the security company notes.

As Sophos points out, organizations that find the WannaMine malware in their network are also at risk of other malware, including ransomware. It is not uncommon to find multiple malware families on machines that have been compromised once.

Designed to mine for Monero, not to steal user information or crypto-coins, WannaMine would still slow down the infected machines. Laptops could even be damaged, if the malware runs on them continuously for several hours, as the device gets hotter. Also, the battery is drained faster than usual, Sophos points out.

An antivirus application should keep users protected from this malware family. Keeping systems up to date at all times and using strong passwords should also help avoiding a WannaMine infection.

Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit
1.2.2018 thehackernews

2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals.
Several cybersecurity firms are reporting of new cryptocurrency mining viruses that are being spread using EternalBlue—the same NSA exploit that was leaked by the hacking group Shadow Brokers and responsible for the devastating widespread ransomware threat WannaCry.
Researchers from Proofpoint discovered a massive global botnet dubbed "Smominru," a.k.a Ismo, that is using EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master.
Active since at least May 2017, Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.
"Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz," the researchers said.
The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at the rate of roughly 24 Monero per day ($8,500) by stealing computing resources of millions of systems.

The highest number of Smominru infection has been observed in Russia, India, and Taiwan, the researchers said.
The command and control infrastructure of Smominru botnet is hosted on DDoS protection service SharkTech, which was notified of the abuse but the firm reportedly ignored the abuse notifications.
According to the Proofpoint researchers, cybercriminals are using at least 25 machines to scan the internet to find vulnerable Windows computers and also using leaked NSA's RDP protocol exploit, EsteemAudit (CVE-2017-0176), for infection.
"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators," the researchers concluded.
"The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes."
Another security firm CrowdStrike recently published a blog post, reporting another widespread cryptocurrency fileless malware, dubbed WannaMine, using EternalBlue exploit to infect computers to mine Monero cryptocurrency.
Since it does not download any application to an infected computer, WannaMine infections are harder to detect by antivirus programs. CrowdStrike researchers observed the malware has rendered "some companies unable to operate for days and weeks at a time."
Besides infecting systems, cybercriminals are also widely adopting cryptojacking attacks, wherein browser-based JavaScript miners utilise website visitors' CPUs power to mine cryptocurrencies for monetisation.
Since recently observed cryptocurrency mining malware attacks have been found leveraging EternalBlue, which had already been patched by Microsoft last year, users are advised to keep their systems and software updated to avoid being a victim of such threats.

Malware exploiting Spectre and Meltdown flaws are currently based on available PoC
1.2.2018 securityaffairs

Malware Exploiting Spectre, Meltdown Flaws Emerges
Researchers at the antivirus testing firm AV-TEST have discovered more than 130 samples of malware that were specifically developed to exploit the Spectre and Meltdown CPU vulnerabilities.

The good news is that these samples appear to be the result of testing activities, but experts fear that we could soon start observing attacks in the wild.

Most of the codes obtained by AV-TEST are just recompiled versions of the Proof of Concept code available online. Experts at AV-TEST also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.

“We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”Andreas Marx, CEO of AV-TEST, told SecurityWeek.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.


#Spectre & #Meltdown: So far, the AV-TEST Institute discovered 77 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

2:49 PM - Jan 17, 2018
7 7 Replies 24 24 Retweets 27 27 likes
Twitter Ads info and privacy
The number of malware samples related to Meltdown and Spectre reached pi119 by January 23.


[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: https://plus.google.com/b/100383867141221115206/photos/photo/100383867141221115206/6514266175374877506 …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy
On January 31, AV-TEST confirmed to be in possession of 139 samples from various sources.


[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: https://plus.google.com/b/100383867141221115206/photos/photo/100383867141221115206/6514266175374877506 …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy

According to the AV-TEST CEO, several groups of experts are working on a malware that could trigger Intel flaws, most of them are re-engineering the available PoC.

“We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities,” reads a blog post published by Fortinet. “FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code. The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

Malware Exploiting Spectre, Meltdown Flaws Emerges
31.1.2018 securityweek
Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.

The Meltdown and Spectre attack methods allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Shortly after Spectre and Meltdown were disclosed on January 3, experts warned that we could soon see remote attacks, especially since a JavaScript-based proof-of-concept (PoC) exploit for Spectre had been made available.

On January 17, antivirus testing firm AV-TEST reported that it had seen 77 malware samples apparently related to the CPU vulnerabilities, and the number had increased to 119 by January 23.

On Wednesday, AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies.

Number of Spectre/Meltdown malware samples

“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” Andreas Marx, CEO of AV-TEST, told SecurityWeek. “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available PoC code.

Marx believes different groups are working on the PoC exploits to determine if they can be used for some purpose. “Most likely, malicious purposes at some point,” he said.

The expert believes the current malware samples are still in the “research phase” and attackers are most likely looking for ways to extract information from computers, particularly from web browsers. He would not be surprised if we started seeing targeted and even widespread attacks in the future.

Processor and operating system vendors have been working on microcode and software mitigations for the Meltdown and Spectre attacks, but the patches have often caused problems, leading to companies halting updates and disabling mitigations until instability issues are resolved.

In addition to installing operating system and BIOS updates, Marx has two other recommendations that should reduce the chances of a successful attack: switching off the PC when it’s not needed for more than an hour, and closing the web browser during work breaks. “This should decrease your attack surface a lot and also save quite some energy,” Marx said.

Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?
31.1.2018 securityaffairs

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.
Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN
Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.
The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

Marc Miller is a web journalist, focused on cybercrime.
He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

Nearly 2000 WordPress Websites Infected with a Keylogger
30.1.2018 thehackernews

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that offers website owners to embed a JavaScript to utilise CPUs power of their website visitors in an effort to mine the Monero cryptocurrency.
Sucuri researchers said the threat actors behind this new campaign is the same one who infected more than 5,400 Wordpress websites last month since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions.
Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.
The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can steal both the site's administrator login page and the website's public facing frontend.

If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.
The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.
The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).
Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.
The number of infected sites for cdns[.]ws domain include some 129 websites, and 103 websites for cdjs[.]online, according to source-code search engine PublicWWW, though over a thousand sites were reported to have been infected by the msdns[.]online domain.
Researchers said it's likely that the majority of the websites have not been indexed yet.
"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.
If your website has already been compromised with this infection, you will require to remove the malicious code from theme's functions.php and scan wp_posts table for any possible injection.
Users are advised to change all WordPress passwords and update all server software including third-party themes and plugins just to be on the safer side.

phpBB Website Served Malicious Packages
30.1.2018 securityweek 
The developers of the free and open source forum software phpBB informed users over the weekend that the official website had served malicious files for roughly three hours on Friday.

According to phpBB staff, the download URLs for two packages, namely version 3.2.2 of the full package and the automatic updater package for 3.2.1 to 3.2.2, pointed to a third-party server. Users who downloaded one of these packages between 12:02 PM and 15:03 PM UTC on January 26 likely obtained the malicious version.

phpBB hacked

It’s unclear how the links were replaced, but phpBB noted that the “point of entry was a third-party site” and the attack did not exploit any vulnerabilities in the phpBB software or website.

The modified packages contain malicious code designed to load JavaScript from a remote server. The domain hosting that JavaScript code is now controlled by phpBB, which neutralizes the attack.

“We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500,” the phpBB team said in a security alert.

Users who believe they have downloaded the malicious packages have been advised to check the validity of the file by comparing its SHA256 hash to the one listed on the downloads page.

Users who have already installed one of the compromised packages can file an incident report and the phpBB team will help them remove the malicious code.

This is not the first time malicious actors have targeted phpBB. Back in 2009, hackers managed to obtain 400,000 email addresses belonging to phpBB users after exploiting a vulnerability in the email marketing tool phpList.

In 2014, phpBB shut down its network and asked users to change their passwords after hackers breached several of its servers.

Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected
28.1.2018 securityaffairs

More than 2,000 WordPress sites have been infected with a malicious script that can deliver both a keylogger and the cryptocurrency miner CoinHive.
More than 2,000 sites running the WordPress CMS have been infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

This new hacking campaign was spotted by experts from the security firm Sucuri, the experts believe the attackers are the same that launched a campaign that infected 5,500 WordPress sites in December.

In both campaigns, the threat actors used a keylogger dubbed cloudflare[.]solutions, but be careful, there is no link to security firm Cloudflare.

After the discovery in December of campaign, the cloudflare[.]solutions domain was taken down, but this new discovery confirms that threat actors are still active and are using a new set of recently registers domains to host the malicious scripts that are injected into WordPress sites.

By querying the search engine PublicWWW, researchers discovered that the number of infected sites includes 129 from the domain cdns[.]ws and 103 websites for cdjs[.]online.

“A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.” reads the analysis published by Sucuri.

“PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

Most of the infected domains are tied to msdns[.]online, with over a thousand reported infections. In many cases, threat actors re-infected WordPress sites compromised in the previous campaign.


The attackers target outdated and poorly configured WordPress sites, they inject the cdjs[.]online script either a WordPress database (wp_posts table) or into the theme’s functions.php file.

The Keylogger script is able to capture data entered on every website form, including the admin login form, information is sent back to the attackers via the WebSocket protocol.

Just like previous versions of the campaign leveraging a Fake GoogleAnalytics Script, researchers identified a fake googleanalytics.js that loads an obfuscated script used to load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.

Experts discovered many similarities also in the cryptominer component of this campaign.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219.” continues the analysis.

“It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS.”

According to Sucuri experts, the threat actors behind this hacking campaign are active at least since April 2017. Sucuri has tracked at least other three different malicious scripts hosted on the same cloudflare.solutions domain across the months.

The first attack leveraging on these scripts was observed in April when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Experts noticed that this campaign is still not massive as the one spotted in December, anyway it could not be underestimated.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” concluded Sucuri.

Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner
27.1.2018 securityaffairs

Trend Micro uncovered a spike in the number of Coinhie miners over the past few days, including Coinhive, apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.
The number of cyber-attacks against cryptocurrencies is increased due to a rapid increase in the value of currencies such as Bitcoin and Ethereum.

Hackers targeted almost any actor involved in the business of cryptocurrencies, single users, miners and of course exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites were compromised to install script used to mine virtual coins abusing computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhie miners over the past few days apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool.” states the analysis published by Trend Micro.

“We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.“


The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement uses a JavaScript code that generates a random number between 1 and 101. If the number generated is greater than 10, the advertisement will call the coinhive.min.js script to mine 80% of the CPU power. For the remaining 10%, the advertisement launch a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.


Google promptly took action against the ads that abuse users’ resources violating its policies.

Blocking JavaScript-based applications from running on browsers can prevent the execution of Coinhive miners, the experts suggest to regularly patch and update web browsers to reduce the risks.

Stealth CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 securityaffairs

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance.
Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark Caracal. The hacking campaigns conducted by Dark Caracal leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.

The report detailed a new strain of cross-platform malware tracked as CrossRAT (version 0.1), it is remote access Trojan that can infect systems based on Windows, Solaris, Linux, and macOS.

The malware implements classic RAT features, such as taking screenshots and running arbitrary commands on the infected systems.

At the time of its discovery, the malware was not detected by almost all the anti-virus software (only two out of 58).


The Dark Caracal attack chain implemented relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

CrossRAT is written in Java programming language, for this reason, researchers can easily decompile it.
The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware.

Once executed on the victim’s system, CrossRAT will determine the operating system it’s running on to trigger the proper installation procedure.

On Linux systems, the RAT also attempts to query systemd files to determine the distribution (i.e. Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint).

Wardle explained that the author implemented specific persistence mechanisms for each operating system. Once installed the malware will attempt to contact the C&C server.
“Now the malware has persistently installed itself, it checks in with the C&C server for tasking. As noted the EFF/Lookout report the malware will connect to flexberry.com on port 2223. ” states the analysis published by Wardle.

The expert discovered that the CrossRAT includes reference ‘jnativehook Java library that provides global keyboard and mouse listeners for Java, but didn’t see any code within that implant that referenced the jnativehook package, likely because the analyzed version was still under development.

Wardle detailed the persistence mechanism implemented for each OS, this information is useful to detect the presence of CrossRAT on a system.

Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
Check for jar file, mediamgrs.jar, in ~/Library. Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
Check for jar file, mediamgrs.jar, in /usr/var. Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 thehackernews

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.
Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.
Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.
Although the report revealed about the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group.
CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.
According to researchers, Dark Caracal hackers do not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.
CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.
CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware
Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.
Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.
Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.
CrossRAT then implements OS specific persistence mechanisms to automatically (re)executes whenever the infected system is rebooted and register itself to the C&C server, allowing remote attackers to send command and exfiltrate data.
As reported by Lookout researchers, CrossRAT variant distributed by Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223, whose information is hardcoded in the 'crossrat/k.class' file.
CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which get triggered only when received respective predefined commands from the C&C server.
Interestingly, Patrick noticed that the CrossRAT has also been programmed to use 'jnativehook,' an open-source Java library to listen to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.
"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.
How to Check If You're Infected with CrossRAT?
Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.
For Windows:
Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\' registry key.
If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
For macOS:
Check for jar file, mediamgrs.jar, in ~/Library.
Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
For Linux:
Check for jar file, mediamgrs.jar, in /usr/var.
Also look for an 'autostart' file in the ~/.config/autostart likely named mediamgrs.desktop.
How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.
"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.
"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."
Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.

30 Million Possibly Impacted in Crypto-Currency Mining Operation
25.1.2018 securityweek

A large-scale crypto-currency mining operation active for over 4 months is believed to have impacted around 30 million systems worldwide, Palo Alto Networks security researchers say.

The campaign, which attempts to mine the Monero cryptocurrency using the open-source XMRig utility, has affected mainly users in South-East Asia, Northern Africa, and South America. The campaign employed VBS files and URL shortening services to install the mining tool and also used XMRig proxy services on the hosts to mask the used wallets.

Telemetry data from the Bit.ly URL shortening service suggested that at least 15 million people were impacted. However, with less than half of the identified samples using Bit.ly, the researchers speculate that the actual number of affected users could be upwards of 30 million.

The campaign employed over 250 unique Microsoft Windows PE files, over half of which were downloaded from online cloud storage provider 4sync. What the researchers couldn’t establish, however, was how the file downloads were initiated.

The attackers attempted to make their files appear to have both generic names and to originate from popular looking file sharing services.

The Adf.ly URL shortening service that pays users when their links are clicked was also used in this campaign. When users clicked on these Adf.ly URLs, they were redirected and ended up downloading the crypto-currency mining malware instead.

The malware used in this campaign was meant to execute the XMRig mining software via VBS files and uses XMRig proxy services to hide the ultimate mining pool destination. It also uses Nicehash, a popular marketplace that allows users to trade hashing processing power (it supports various crypto-currencies and sellers are paid in Bitcoin).

Before October 20, 2017, the attackers behind this campaign were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. The final payload was mainly installed with the filename ‘msvc.exe’.

After October 20, 2017, the attackers started experimenting with HTTP redirection services, but continued using SFX files to download and deploy their malware. They also started supplementing mining queries with a username and making obfuscation attempts within the VBS files to avoid detection.

Starting on November 16, 2017, the attackers dropped the SFX files and adopted executables compiled in Microsoft .NET Framework. These would write a VBS file to disk and modify Run registry keys to achieve persistence.

In late December, the dropper was compiled with Borland Delphi and would place the VBS file in the victim’s startup folder to achieve persistence. The latest samples using this dropper also switched to a new IP address for XMRig communication, namely 5.23.48[.]207.

The campaign, researchers say, affected most countries around the world. Based on Bit.ly telemetry data, the attacks appear to have hit Thailand (3,545,437 victims), Vietnam (1,830,065), Egypt (1,132,863), Indonesia (988,163), Turkey (665,058), Peru (646,985), Algeria (614,870), Brazil (550,053), Philippines (406,294), and Venezuela (400,661) the most.

“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently. However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale,” Palo Alto concludes.

Malware in 2017 Was Full of Twists and Turns
25.1.2018 securityweek

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering, and ups and downs in ransomware.

These conclusions come from the 'Cybercrime tactics and techniques: 2017 state of malware' report (PDF) published today by Malwarebytes.

"We look at our own detection telemetry and what we find in our honeypots to see what the criminals are pushing out," Malwarebytes director of malware intelligence, Adam Kujawa, told SecurityWeek, "and we see what trends are apparent." The report covers the period of January to November 2017 and compares it to the same period for 2016.

In some cases, those trends are surprising. Ransomware figured heavily in 2017; but with nuances. Over the year, detections for consumers increased by 93% over 2016, and by 90% for businesses. But those figures disguise a decline in consumer ransomware and an increase in business ransomware over the last few months of 2017.

It's not clear why this happened, but Kujawa conjectures that improving awareness of ransomware and better defenses is making it harder for the criminals to get a good return from consumers. At the same time, while succeeding against business is even more difficult than infecting consumers, the potential return is much higher per victim. Earlier this month, Hancock Health paid $55,000 to recover from a SamSam ransomware attack.

At the same time as ransomware declined at the end of the year, "We saw," said Kujawa, "a significant increase in spyware, banking trojans, hijackers and even adware." He also pointed to a one-month dramatic spike in ransomware detections in September coinciding with an equally dramatic dip in spyware detections. "It indicates that the same type of campaign was being used to distribute both spyware and ransomware," he suggested.

For consumers, adware is now the most-detected threat -- representing around 40% of all consumer detections (it's the second most-detected threat for businesses). Anti-malware firms have been increasingly active against all forms of unwanted apps; and Malwarebytes has been in the vanguard of this. In November it won a court case brought by Enigma Software, supplier of SpyHunter, which Malwarebytes it detects and blocks as unwanted software.

Concurrent with the adware market becoming more difficult, there has been a reduction in the number of players. But, commented Kujawa, "despite there being less players in the game, the attacks themselves are more sophisticated -- we see adware, something we regularly classify as a PUP, using root kit functionality to block security software from running, or just blocking the ability to remove it at all."

The report specifies Smart Service, which is bundled with adware and PUPs to prevent their removal. It hooks into the Windows CreateProcess function, so it can inspect new processes before they run. It also "protects certain processes from being terminated, and stops the user from removing critical files and registry keys."

Apart from adware, the decline in ransomware for business was replaced by an upsurge in spyware and banking trojans. For all malware, the primary tactics of infection changed from 2016 to 2017. "In 2016 we saw lots and lots of exploit kits (also in 2015)," said Kujawa. "Now suddenly spreading malware through email is popular again. It's based on tricking the user into opening something. There's less attacking the computer (exploit kits delivering malware without the user being aware) and more attacking the person (social engineering emails)."

For the consumer, the big growth malware in 2017 has been crypto-miners. Exploit kits, drive-by attacks, phishing and malicious spam attacks have all pushed miners. "We blocked one of the primary pushers of this technology, CoinHive," explained Kujawa, "and that turned out to be our #1 detection over many months. We're talking about multi-million detections per day -- averaging about 8 million per day, but I've seen it go up to 12 million and even 20 million on occasion."

One area that did not show an expected increase during 2017 was botnet activity. "The last year showed a steady decline in detections for botnet malware, a huge shift from what we saw in 2016," notes the report. "This aligns for both business and consumer customer telemetry."

There's likely little comfort in this. "Declines," adds the author, "are likely due to a shift in focus away from the desktop, aiming at IoT devices such as routers or smart appliances instead." We learned the potential for large IoT-based botnets at the end of 2016, with the Mirai attacks. "While there was a lack of massive IoT attacks in 2017, attackers have been spending their time focused on developing new tools to take advantage of IoT with cryptocurrency mining, spam-spreading botnets, and likely more DDoS attacks."

Ransomware is currently showing a downward trend. Crypto-mining may not survive the volatility in market prices (Bitcoin is currently trading at around $11,000; down from nearly $20,000 just a few weeks ago) and the likelihood of greater international cryptocurrency regulation. But Malwarebytes warns they could be replaced by something new and potentially more worrying.

"It is not farfetched," says the report, "to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom payment to call off an army of botnet-infected IoT devices." Ransomware might decline, merely to be replaced by larger DDoS ransoms.

Op EvilTraffic CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign  Virus
22.1.2018 securityaffairs   Operation EvilTraff

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.
In the last days of 2017, researchers at CSE Cybsec observed threat actors exploiting some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising. The huge malvertising campaign was dubbed EvilTraffic

The compromised websites involved in the EvilTraffic campaign run various versions of the popular WordPress CMS. Once a website has been compromised, attackers will upload a “zip” file containing all the malicious files. Despite the “zip” file has different name for each infection, when it is uncompressed, the files contained in it have always the same structure. We have found some of these archives not used yet, so we analyzed their content.

The malicious files are inserted under a path referring probably different versions of the same malware (“vomiu”, “blsnxw”, “yrpowe”, “hkfoeyw”, “aqkei”, “xbiret”, “slvkty”).

Under this folder there are:

a php file, called “lerbim.php”;
a php file, that has the same name of the parent dir; it has initially “.suspected” extension and only in a second time, using “lerbim.php” file, it would be changed in “.php” file;
two directories, called “wtuds” and “sotpie”, containing a series of files.
An example of this structure is shown in the following figure:


The main purpose of the “malware” used in the EvilTraffic campaign is to trigger a redirecting chain through at least two servers which generate advertising traffic.

The file “{malw_name}.php” becomes the core of all this context: if it is contacted by the user through the web browser, it redirects the flow first to “caforyn.pw” and then to “hitcpm.com”, which acts as a dispatcher to different sites registered to this revenue chain.


These sites could be used by attackers to offer commercial services that aim to increase traffic for their customers, but this traffic is generated in an illegal way by compromising websites. The sites could host also fraudulent pages which pretend to download suspicious stuff (i.e. Toolbars, browser extensions or fake antivirus) or steal sensitive data (i.e. credit card information).

In order to increase the visibility of the web, the compromised sites must have a good page-rank on search engines. So, the malware performs SEO Poisoning by leveraging on wordlist containing the trending searched words

The population of the compromised site with the wordlists and their relative query results is triggered contacting the main PHP using a specific User-Agent on a path “{malw_name}/{malw_name}.php?vm={keyword}”.

Researchers from CSE CybSec ZLab discovered roughly 18.100 compromised websites.

While researchers were analyzing the EvilTraffic malvertising campaign, they realized that most of the compromised websites used in the first weeks of the attacks have been cleaned up in the last days. just in one week, the number of compromised websites dropped from around 35k to 18k.

According to Alexa Traffic Rank, hitcpm.com is ranked number 132 in the world and 0.2367% of global Internet users visit it. Below are reported some traffic statistics related to hitcpm.com provided by hypestat.com

Daily Unique Visitors 1,183,500
Monthly Unique Visitors 35,505,000
Pages per visit 1.41
Daily Pageviews 1,668,735
The analysis of the traffic shows an exponential increase in the traffic during October 2017.

Experts discovered that crooks behind the Operation EvilTraffic used a malicious software to hijack traffic, it acts as brows a browser hijacker. The malware is distributed via various methods, such as:

Attachment of junk mail
Downloading freeware program via unreliable site
Open torrent files and click on malicious links
By playing online games
By visiting compromised websites
The main purpose of the malware is to hijack web browsers changing browser settings such as DNS, settings, homepage etc. in order to redirect as more traffic as possible to the dispatcher site.

Further technical details about this campaign, including IoCs, are available in the report titled:

“Tens of thousands of compromised web sites involved in new massive malvertising campaign”

Triton Malware exploited a Zero-Day flaw in Schneider Triconex SIS controllers
20.1.2018 securityaffairs

The industrial giant Schneider discovered that the Triton malware exploited a zero-day vulnerability in Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.
In December 2017, a new malicious code dubbed Triton malware (aka Trisis) was discovered by researchers at FireEye, it was specifically designed to target industrial control systems (ICS) system.

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.


The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Initial analysis conducted by Schneider excluded that hackers may have leveraged any vulnerabilities in the target products, but now the vendor has discovered that Triton malware exploited a flaw in older versions of the Triconex Tricon system.

Schneider confirmed the presence of a flaw only in a small number of older versions and plans to release security updates that address it in the next weeks.

Schneider also announced that it is developing an application to detects the presence of the malware on a controller and removes it.

Anyway, Schneider pointed out that the root cause of the success of the Triton malware is that victims failed in implementing best practices and security procedures.

Just after the disclosure of the attack, Schneider published a security advisory to warn its customers and recommended to avoid leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

Schneider advised customers to implement the instructions in the “Security Considerations” section of the Triconex documentation.

Dridex Campaign Abuses FTP Servers
19.1.2018 securityweek
A recently observed email campaign is abusing compromised FTP servers as download locations for malicious documents and infecting users with the Dridex banking Trojan, Forcepoint has discovered.

Dridex has been one of the most prolific banking Trojans over the past several years, with the actors behind it constantly adopting new techniques and improving their malware for increased efficiency. The malware is focused on stealing user’s online banking credentials to perform financial fraud.

Malicious emails distributed as part of the new campaign were observed on January 17, 2018, primarily sent to .com top level domains (TDLs). Analysis of the top affected TDLs revealed that major regional targets included France, the UK, and Australia.

The emails were sent from compromised accounts, where the sender names were rotated around a list of names, in an attempt to make the emails look more convincing to unsuspecting recipients, Forcepoint reveals.

The malicious actor(s) behind the attack used two types of malicious documents as delivery mechanisms, namely a Word document abusing Dynamic Data Exchange (DDE) for malware execution, and a XLS file with macro code to fetch the banking Trojan.

The compromised servers abused in this campaign don’t appear to be running the same FTP software, and the security researchers believe that the attackers obtained the login credentials as part of other attacks.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,” Forcepoint notes.

The emails sent in this campaign appear to come from the Necurs botnet, currently considered the largest spam botnet out there. The domains used for distribution were associated with other Necurs campaigns and the document downloaders are similar to those used by the botnet before. Furthermore, Necurs is known to have distributed Dridex for a long time.

What Forcepoint noticed regarding this campaign, however, was that the spam volume was very low compared to typical Necurs campaigns. Only around 9,500 emails were observed in this attack, while normal Necurs campaigns involve millions of emails. The use of FTP servers for download is also new.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint notes.

Experts uncovered a new campaign abusing FTP servers to deliver Dridex Banking Trojan
19.1.2018 securityaffairs

Security researchers at Forcepoint have spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.
The Dridex banking Trojan is a long-running malware that has been continuously improved across the years.

The malicious email campaign was first noticed by Forcepoint on January 17, 2018, the messages were primarily sent to .com top level domains (TDLs) most of them in France, the UK, and Australia.

“The sender domains used are observed to be compromised accounts. The sender names rotated around the following names, perhaps to make the emails look more convincing to unsuspecting recipients: admin@, billing@, help@, info@, mail@, no-reply@, sale@, support@, ticket@.” reads the analysis published by Forcepoint.

Attackers used at least two types of weaponized documents, one of them is a Word document abusing DDE protocol for malware execution, and an XLS file with macro code that download the Dridex banking Trojan from a compromised server.


According to the experts, the attackers obtained in some way the login credentials to compromise the servers used in this campaign.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way.” states Forcepoint.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,”

The experts believe the campaign is leveraging the infamous Necurs botnet to send out spam messages, researchers noticed that downloaders used by attackers are similar to those used by the botnet before.

Forcepoint highlighted that the spam volume associated with this campaign was very low compared to other Necurs campaigns, attackers sent only 9,500 emails, it is very low respect millions of emails sent through the botnet in other campaigns.

Another peculiarity of this campaign is the use of FTP servers for download the malware.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint concluded.

Forcepoint report included IoCs for this campaign.

Triton Malware Exploited Zero-Day in Schneider Electric Devices
19.1.2018 securityweek
The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.

The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the TriStation proprietary protocol to interact with SIS controllers, including read and write programs and functions.

Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool – expected to become available next month – that detects the presence of the malware on a controller and removes it.

Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it’s set to PROGRAM mode. The vendor recommends against keeping the controller in this mode when it’s not actively configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the existence of the vulnerability, which Schneider has described as only one element in a complex attack scenario.

The company noted that its product worked as designed – it shut down systems when it detected a potentially dangerous situation – and no harm was incurred by the customer or their environment.

In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems.

“The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers. Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access,” Schneider said.

The industrial giant has advised customers to always implement the instructions in the “Security Considerations” section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to “PROGRAM” mode.

While it’s unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran and the targeted organization was in Saudi Arabia.

Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware

18.1.2018 thehackernews Virus

Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office.
Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and primarily found targeting telecommunications, insurance and financial services.
Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over Tor anonymising network and allows attackers to remotely steal keylogs, sensitive data, like passwords stored in web browsers and email clients.
Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.
Different versions of the Zyklon malware has previously been found being advertised on a popular underground marketplace for $75 (normal build) and $125 ( Tor-enabled build).
According to a recently published report by FireEye, the attackers behind the campaign are leveraging three following vulnerabilities in Microsoft Office that execute a PowerShell script on the targeted computers to download the final payload from its C&C server.
1) .NET Framework RCE Vulnerability (CVE-2017-8759)—this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over an email. Microsoft already released a security patch for this flaw in September updates.
2) Microsoft Office RCE Vulnerability (CVE-2017-11882)—it’s a 17-year-old memory corruption flaw that Microsoft patched in November patch update allows a remote attacker to execute malicious code on the targeted systems without requiring any user interaction after opening a malicious document.
3) Dynamic Data Exchange Protocol (DDE Exploit)—this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to perform code execution on the targeted device without requiring Macros to be enabled or memory corruption.
As explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware using spear phishing emails, which typically arrives with an attached ZIP file containing a malicious Office doc file.
Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer.
"In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded," the FireEye researchers said.
"The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode."
"The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework."
Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.
What is Dotless IP Address? If you are unaware, dotless IP addresses, sometimes referred as 'Decimal Address,' are decimal values of IPv4 addresses (represented as dotted-quad notation). Almost all modern web browsers resolve decimal IP address to its equivalent IPV4 address when opened with "http://" following the decimal value.
For example, Google's IP address can also be represented as http://3627732942 in decimal values (Try this online converter).
The best way to protect yourself and your organisation from such malware attacks are always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source.
Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections.

KillaMuvz, the creator of the Cryptex tool family pleads guilty to running malware services
18.1.2018 securityaffairs

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services.
The Briton Goncalo Esteves (24) has pleaded guilty to charges related to creating and running malware services.

Such kind of platforms allows crooks to improve the development of their malicious codes. The malware created with the Esteves’ malware services would not be detected by antivirus software.

Esteves that was used the moniker ‘KillaMuvz’ is the creator of Cryptex tool commonly used by vxers to encrypt their files in an effort to avoid the detection. The first version of Cryptex was released in October 2011 and was continuously improved.

According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12.

“A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) and cyber security firm Trend Micro.

Goncalo Esteves, 24, of Cape Close, Colchester, Essex, ran the website reFUD.me, which allowed offenders to test, for a fee, whether their malicious cyber tools could beat anti-virus scanners.” reads the announcement published by the NCA.

“Under the pseudonym KillaMuvz, he also sold custom-made malware-disguising products and offered technical support to users.

He pleaded guilty to two computer misuse offences and a count of money laundering at Blackfriars Crown Court.”

Cryptex Reborn allowed vxers to encrypt the malware files in an effort to make them “Fully UnDetectable” (FUD).

Esteves sold Crypters for use in packages which varied in price according to the length of the licence. A month of Cryptex Lite cost $7.99 ( about £5 at the time of offending) while a lifetime licence for Cryptex Reborn cost $90 (about £60). The man also provided customer support via a dedicated Skype account and accepted payment either in conventional currency, in the cryptocurrency Bitcoin or in Amazon vouchers.

One of Esteves’ services was a website called reFUD.me that was launched in February 2015. It has been observed that the service was used to conduct at least 1.2 million scans.

An investigation conducted by the UK’s National Crime Agency (NCA) with the help of Trend Micro resulted in the arrest of Esteves and a woman.

Law enforcement shut down both service after the arrest, Esteves always denied that the software was created for malicious purposes.

According to the NCA, Esteves has pleaded guilty to two computer misuse charges and one count of money laundering, the sentence is planned for February 12.

“A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) and cyber security firm Trend Micro.

Goncalo Esteves, 24, of Cape Close, Colchester, Essex, ran the website reFUD.me, which allowed offenders to test, for a fee, whether their malicious cyber tools could beat anti-virus scanners.” reads the announcement published by the NCA.

“Under the pseudonym KillaMuvz, he also sold custom-made malware-disguising products and offered technical support to users.

He pleaded guilty to two computer misuse offences and a count of money laundering at Blackfriars Crown Court.”

Esteves advertised his service on the hackforums.net website, a well-known crime messageboard.

“A free service that offers fast and reliable file scanning to ensure that your files remain fully undetectable to anti-malware software.” reads the ad.

The NCA reported that Esteves made £32,000 from more than 800 Paypal transactions between 2011 and 2015.

There are no other information about the transactions made in Bitcoins and using Amazon vouchers.

Briton Pleads Guilty to Running Malware Services
18.1.2018 securityweek
Goncalo Esteves, a 24-year-old man from the United Kingdom, has pleaded guilty to charges related to creating and running services designed to help cybercriminals develop malware that would not be detected by antivirus products.

One of Esteves’ services was a website called reFUD.me. Created in February 2015, the site allowed cybercriminals to learn if their malware samples would be detected by antiviruses from various vendors. When it was shut down several months later, the service claimed that it had been used to conduct 1.2 million scans.

The man, known online as KillaMuvz also created Cryptex, a tool that allowed malware developers to encrypt their files in an effort to make them more difficult to detect. Cryptex had been available since October 2011, but it had been improved over time.

Use of the reFUD and Cryptex tools was not free. For example, users had to pay $8 per month for the lite version of Cryptex or $90 for a lifetime license for Cryptex Reborn, which experts described as highly sophisticated.

Esteves and a woman were arrested in November 2015 as a result of an investigation conducted by Trend Micro and the UK’s National Crime Agency (NCA). Both services were shut down around the time of their arrest.

A local news site reported in March 2017 that Esteves had pleaded not guilty to four charges of computer misuse and one charge of obtaining money under the Proceeds of Crime Act 2002. The man insisted at the time that his software was designed for legitimate use.

However, the NCA announced this week that Esteves has pleaded guilty to two computer misuse charges and one count of money laundering. He will be sentenced on February 12.

Authorities said Esteves received roughly £32,000 ($44,000) for his services between 2011 and 2015. However, this only represents payments made through PayPal; the actual profit is likely much higher since he also accepted payment in bitcoins and Amazon vouchers.

Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely
17.1.2018 thehackernews

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.
The vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack—just 40 days after the initial report.
Usually, Project Zero team discloses vulnerabilities either after 90 days of reporting them to the affected vendors or until the vendor has released a patch.
However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.
"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report published Tuesday.
Proof-of-Concept Exploit Made Publicly Available
The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.
Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.
Transmission BitTorrent app works on server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface on their browsers locally.
The daemon installed on the user system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests.
Ormandy found that a hacking technique called the "domain name system rebinding" attack could successfully exploit this implementation, allowing any malicious website that user visits to execute malicious code on user's computer remotely with the help of installed daemon service.
Here's How the Attack Works:
The loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites.
"I regularly encounter users who do not accept that websites can access services on localhost or their intranet," Ormandy wrote in a separate post, which includes the patch.
"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website "transfers" execution somewhere else. It does not work like that, but this is a common source of confusion."
Attackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works:

A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.
The attacker configures their DNS server to respond alternately with and (an address controlled by the attacker) with a very low TTL.
When the browser resolves to, it serves HTML that waits for the DNS entry to expire (or force it to terminate by flooding the cache with lookups), then it has permission to read and set headers.
Ormandy said the vulnerability (CVE-2018-5702) was the "first of a few remote code execution flaws in various popular torrent clients," though he did not name the other torrent apps due to the 90-day disclosure timeline.
A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.

New KillDisk variant targets Windows machines in financial organizations in Latin America
17.1.2018 securityaffairs

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro while targeting financial organizations in Latin America.
A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro. This variant of KillDisk, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial organizations in Latin America, it is delivered by a different piece of malware or it may be part of a bigger attack.

“We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.” reads a preliminary analysis published by TrendMicro.

“Because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.”

KillDisk and the ICS-SCADA malware BlackEnergy, were used in the attacks that caused the power outage in Ukraine in December 2015.

It was used in the same period also against mining companies, railways, and banks in Ukraine. The malware was later included in other malicious codes, including Petya.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

This latest variant targets Windows machines deleting any file stored on drives, except for system files and folders.

“The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists.” states Trend Micro. “If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.”

Once the malware has deleted and overwritten files and folders it attempts to terminate several processes to force the machine reboots.

The processed targeted by the malware are:

Client/server run-time subsystem (csrss.exe)
Windows Start-Up Application (wininit.exe)
Windows Logon Application (winlogon.exe)
Local Security Authority Subsystem Service (lsass.exe)
Trend Micro is still investigating this news KillDisk variant, meantime it is inviting companies to adopt a “defense in depth” approach securing the perimeters from gateways, endpoints, and networks to servers.

Four malicious Chrome extensions affected over half a million users and global businesses
17.1.2018 securityaffairs

Four malicious Chrome extensions may have impacted more than half million users likely to conduct click fraud or black search engine optimization.
More than half million users may have been infected by four malicious Chrome extensions that were likely used to conduct click fraud or black search engine optimization.

According to ICEBRG, the malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks.

“Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally.” states the analysis published by ICEBRG. “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.”

The researchers noticed an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider. The analysis of the HTTP traffic revealed it was to the domain ‘change-request[.]info’ and was generated from a Chrome extension with ID ‘ppmibgfeefcglejjlpeihfdimbkfbbnm’ named Change HTTP Request Header that was available via Google’s Chrome Web Store.


The extension does not contain any malicious code, but the combination of “two items of concern that” could allow attackers to inject and execute an arbitrary JavaScript code via the extension.

The experts highlighted that Chrome extensions are not allowed to retrieve JSON from an external source and execute JavaScript code they contain, but need to explicitly request its use via the Content Security Policy (CSP).

Once enable the ‘unsafe-eval’ (Figure 3) permission to retrieve the JSON from an external source the attacker can force the browser to execute malicious code.

“When an extension does enable the ‘unsafe-eval’ (Figure 3) permission to perform such actions, it may retrieve and process JSON from an externally-controlled server.” “This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.” continues the analysis.

The Change HTTP Request Header extension is able to download obfuscated JSON files from an external source (‘change-request[.]info’), by invoking the ‘update_presets()’ function.

The Chrome extension implemented an anti-analysis technique to avoid detection.

The extension checks the JavaScript for the presence of native Chrome debugging tools (chrome://inspect/ and chrome://net-internals/), and if detected, halts the injection of malicious code segment. The Chrome extension implemented an anti-analysis technique to avoid detection.

Once injected the code, the JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

During the analysis, the experts observed that this feature was observed by threat actors for visiting advertising related domains likely to conduct click fraud scams.

“The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.” continues the analysis.

The security experts discovered other Chrome extensions with a similar behavior and using the same C&C server.

Nyoogle – Custom Logo for Google
Lite Bookmarks
Stickies Chrome’s Post-it Notes

Backdoor Found in Lenovo, IBM Switches
17.1.2018 securityweek

A high severity vulnerability described as a backdoor has been patched in several Flex System, RackSwitch and BladeCenter switches from Lenovo and IBM.

The flaw, tracked as CVE-2017-3765, affects the Enterprise Network Operating System (ENOS) running on affected devices. The vulnerability allows an attacker to gain access to the management interface of a switch.

“An authentication bypass mechanism known as ‘HP Backdoor’ was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions,” Lenovo said in its advisory.

“This bypass mechanism can be accessed when performing local authentication under specific circumstances using credentials that are unique to each switch. If exploited, admin-level access to the switch is granted,” the company added.

ENOS is the operating system that powers Lenovo’s RackSwitch and Flex System embedded switches. ENOS was initially developed by Nortel’s Blade Server Switch Business Unit (BSSBU), which spun off in 2006 to become BLADE Network Technologies (BNT). IBM acquired BNT in 2010 and in 2014 sold it to Lenovo.

The problematic feature, introduced by Nortel in 2004 at the request of a customer, can be found in Lenovo devices and IBM Flex System, BladeCenter and RackSwitch switches that still use the ENOS firmware.

Lenovo patched the security hole with the release of ENOS and also provided workarounds. The company says devices running the CNOS (Cloud Network Operating System) firmware are not vulnerable. IBM has also released firmware updates to fix the vulnerability in impacted switches.

Lenovo pointed out that the backdoor can only be exploited under specific circumstances.

“Lenovo is not aware of this mechanism being exploited, but we assume that its existence is known, and customers are advised to upgrade to firmware which eliminates it,” Lenovo said.

Fake Meltdown/Spectre Patch Installs Malware
17.1.2018 securityweek

Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

The attack was spotted soon after the German authorities issued a warning on phishing emails trying to take advantage of infamous bugs started to appear.

The emails appeared to come from the German Federal Office for Information Security (BSI), and Malwarebytes discovered a domain that also posed as the BSI website. Recently registered, the SSL-enabled phishing site isn’t affiliated with a legitimate or official government entity, but attempts to trick users into installing malware.

The website is offering an information page that supposedly provides links to resources about Meltdown and Spectre, bug also links to a ZIP archive (Intel-AMD-SecurityPatch-11-01bsi.zip) that contains malware instead of the promised security patch.

Once a user downloads and runs the file, the SmokeLoader malware, which is capable of downloading and running additional payloads, is installed. The security researchers have observed the threat attempting to connect to various domains and sending encrypted information.

By analyzing the SSL certificate used by the fraudulent domain, the security researchers discovered other properties associated with the .bid domain, including a German template for a fake Adobe Flash Player update.

The security researchers have already contacted Comodo and CloudFlare to report the fraudulent website, and the domain stopped resolving within minutes after CloudFlare was informed on the issue.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise,” Malwarebytes concludes.

"PowerStager" Tool Employs Unique Obfuscation
17.1.2018 securityweek

A malicious tool that has managed to fly under the radar since April 2017 is showing great focus on obfuscation, in an attempt to evade detection, Palo Alto Networks warns.

Dubbed PowerStager, the tool has shown an uptick in usage for in-the-wild attacks around December 2017. Developed as a Python script that generates Windows executables using C source code, it uses multiple layers of obfuscation to launch PowerShell scripts to execute a shellcode payload.

PowerStager uses a unique obfuscation technique for PowerShell segments, while also offering increased flexibility, due to multiple configuration options.

Some of these options include the ability to target both x86 and x64 platforms, support for additional obfuscation on top of defaults, support for customized error messages/executable icon for social engineering, and the ability to use Meterpreter or other built-in shellcode payloads. The tool can also fetch remote payloads or embed them into the executable and can escalate privileges using UAC.

Analysis of executables created with the help of this tool revealed that they were being generated programmatically and that an embedded string for the file that gets created was included in each executable, Palo Alto’s Jeff White explains. The filename is also randomized between samples.

White discovered seven total PowerShell scripts that can be generated from the script.

As of late December 2017, Palo Alto has observed 502 unique samples of PowerStager, mainly targeting Western European media and wholesale organizations. A large number of samples, however, were being used for testing and sales proof-of-concepts demonstrations, the researcher says.

White also discovered that certain attributes that PowerStager defines when building the samples can be used to track them. There are also a series of characteristics specific to the generated samples. Although they are usually different between samples, they can prove useful for identification, especially when coupled with said unique obfuscation and PowerShell methods during dynamic analysis.

“While it’s not the most advanced toolset out there, the author has gone through a lot of trouble in attempting to obfuscate and make dynamic detection more difficult. PowerStager has covered a lot of the bases in obfuscation and flexibility well, but it hasn’t seen too much usage as of yet; however, it is on the rise and another tool to keep an eye on as it develops,” White concludes.

New KillDisk Variant Spotted in Latin America
17.1.2018 securityweek

A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America.

The security firm is in the process of examining the new variant and the attacks, but an initial analysis showed that the Trojan appears to be delivered by a different piece of malware or it may be part of a bigger attack.

Early versions of KillDisk were designed to wipe hard drives in an effort to make systems inoperable. The malware was used by the Russia-linked threat actor BlackEnergy in the 2015 attack aimed at Ukraine’s energy sector.

Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

Experts later reported seeing a KillDisk ransomware designed to target Linux machines, but the malware did not save encryption keys anywhere, making it impossible to recover files.

Some links have also been found between KillDisk and the NotPetya malware, which initially appeared to be a piece of ransomware but later turned out to be a disk wiper. NotPetya hit machines in more than 65 countries and major companies reported losing hundreds of millions of dollars as a result of the attack.

The latest variant, which Trend Micro tracks as TROJ_KILLDISK.IUB, goes back to its roots and focuses on deleting files and wiping the disk. The malware, designed to target Windows systems, goes through all drives in order to delete files, except for system files and folders.

It then proceeds to wipe the disk, which includes reading the master boot record (MBR) and overwriting the extended boot record (EBR). The file removal and disk wiping procedures involve overwriting files and disk sectors in order to make recovery more difficult.

Once files and partitions have been deleted and overwritten, the malware attempts to terminate several processes in an effort to reboot the infected machine. By targeting processes associated with the client/server runtime subsystem (csrss.exe), Windows start-up (wininit.exe), Windows logon (winlogon.exe), and the Local Security Authority Subsystem Service (lsass.exe), the malware can force a blue screen of death (BSOD), a logout, or a restart.

Trend Micro has promised to share more information on the new KillDisk variant as its investigation continues.

Half Million Impacted by Four Malicious Chrome Extensions
17.1.2018 securityweek

Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.

The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.

While the extension itself does not contain “any overtly malicious code,” the researchers discovered the combination of “two items of concern that” could result in the injection and execution of arbitrary JavaScript code via the extension.

Chrome can execute JavaScript code contained within JSON but, due to security concerns, extensions aren’t allowed to retrieve JSON from an external source, but need to explicitly request its use via the Content Security Policy (CSP).

When the permission is enabled, however, the extension can retrieve and process JSON from an externally-controlled server, which allows extension authors to inject and execute arbitrary JavaScript code when the update server receives a request.

What ICEBRG researchers discovered was that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’, via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting the execution of the infected segment if such tools were detected.

After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC),” ICEBRG reports.

The capability, however, can also be used by the threat actor to browse internal sites of victim networks, thus effectively bypassing perimeter controls.

The security researchers also discovered that Change HTTP Request Header wasn’t the only Chrome extension designed to work in this manner. Nyoogle - Custom Logo for Google, Lite Bookmarks, and Stickies - Chrome's Post-it Notes show similar tactics, techniques, and procedures (TTPs) and feature the same command and control (C&C).

The Stickies extension was also observed using a different code injection pathway, but injecting JavaScript code nearly identical to that of other malicious extensions. It appears that the extension has a history of malicious behavior, as it was observed in early 2017 to be using the new code injection technique following an update.

“The inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” ICEBRG notes.

Considering the total installed user base of these malicious Chrome extensions, the malicious actor behind them has a substantial pool of resources to use for financial gain. Google, the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and customers who were directly impacted have been alerted on the issue.

CSE Malware ZLab – Double Process Hollowing -The stealth process injection of the new Ursnif malware
11.1.2018 securityaffairs

A new variant of the infamous Ursnif malware spread in the wild and adopts a new advanced evasion technique dubbed Double Process Hollowing.
Whereas the malware LockPos, famous for its new incredibly advanced and sophisticated evasion technique, spread and affected many Points of Sale, another variant spread in the wild and adopts a similar but not identical advanced evasion trick. It is likely a new variant of “ursnif v3”, another evolution of an old banking trojan that was spreading since November 2017. Moreover, the command and control of this new malware, oretola[.]at has been sinkholed by authorities, so it is difficult to reconstruct the entire behavior and the real purpose of this malware.

However, it is very interesting to analyze its stealth evasion technique that allows it to be invisible to many modern antivirus software. In fact, its final stage is to hide itself as a thread of “explorer.exe” process and this make the analysis very difficult. To reach its goal, the malware uses a sort of “double process hollowing” technique based on Windows Native API, leveraging the “svchost.exe” system process as a way to make privilege escalation and to get to inject malicious code in “explorer.exe”.

Only after the concealment in “explorer.exe” it starts to make its malicious operations that consist of contacting a series of compromised sites the host encrypted additional payloads. The final step of its malicious behavior is to periodically communicate with its C2C, “oretola[.]at”, where it sends information about the victim host.

This malware probably spreads up through spam mails, the message contains an URL that points to a compromised site on which the sample is hosted. We discovered the malware sample just on one of these compromised sites, in particular it is an Italian blog dedicated to dolls “marinellafashiondolls[.]com/_private/php3.exe”.

Process Hollowing evasion technique

The malware uses almost exclusively the Native API of Windows with also its undocumented functions. The use of them causes a more difficult monitoring by antiviruses.

Once the php3.exe file is executed, it deletes itself from the original path and recopy itself in “%APPDATA%\Roaming\Microsoft\Brdgplua\ddraxpps.exe” path.

Once completed this operation, the malware starts its malicious behavior.

The full report published by researchers at ZLAb details step by step the technique implemented by the malware.

New Malware Dubbed LockPos Introduces New Injection Technique To Avoid Detection
11.1.2018 securityaffairs

Security Researchers from Cyberbit have discovered a new malware injection technique being used by a variant of Flokibot malware named LockPoS.
A Point of Sale (PoS) malware is a malicious application that steals credit card data from the memory of computers connected to credit card equipment. Once infected the system, the LockPoS malware tries to gain access and read the memory of the current process in use and begin to search for data that have the pattern of credit card information to send to its command and control server.

“Cyberbit malware researchers recently discovered a stealthy new malware injection technique being used by LockPoS that appears to be a new variant of that used by Flokibot.” reads the analysis published by CyberBit.

“LockPoS is a Point-of-Sale (PoS) malware that steals credit card data from the memory of computers attached to point of sale credit card scanners. LockPos reads the memory of currently running processes on the system, searching for data that looks like credit card information and then sends them to the C&C.”

The same botnet associated with the propagation of Flokibot is being used by LockPoS and its source code have some similarities. In that regard, it is important to notice that the malware has some stages to unpack and decryption with different techniques and routines to call the API for injection-related with Flokibot.

There are three main routines used by PoS malware discovered by CyberBit to inject code in the remote process: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx. A core dll file native to Windows System, ntdll.dll, is used in the injection technique. The routines related with ntdll that have a “NT” prefix are associated with Windows API that separates user space from kernel space. The injection technique involves the creation of a section object in the kernel with the use of NtCreateSection to call NtMapViewOfSection as a map to view the section in other process and then copy the code into the section and create a remote thread by using NtCreateThreadEx or CreateRemoteThread to execute the code.

Once a routine from ntdll is called the hexadecimal value of the system call is copied to the EAX register, where a instruction is called to make the thread jump to the kernel mode. The kernel then executes the routine based on the value of EAX register. The parameters from the user stack are copied to the kernel stack and executed.

The malware does not call the routines from ntdll to inject code avoiding Anti Virus detection, instead, it maps the routines from ntdll on the disk to its own virtual address space. By doing so the malware maintains a clean copy of dll that is not detected by anti-virus software.

Also, as Cyberbit researchers noticed, a call to NtMapViewOfSection is handled by the malware for the process of explorer.exe.

“One LockPoS malware injection technique involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code.” continues the analysis.


The security researchers report also notice that improving memory analysis is the only effective way to detection since Windows 10 kernel functions can’t be monitored.



How Antivirus Software Can be the Perfect Spying Tool
10.1.2018 securityweek
Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Regardless of whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.

We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.

What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”

"In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc... This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.

In some cases, the data exfiltration, which is legitimate behavior, could result in unintended leakage, as would be the case with security programs that upload binaries to cloud-based multiscanners like Google’s VirusTotal. In an attempt to better assess whether files are malicious or not, these security tools end up leaking data if the analyzed files are accessible to the multiscanner’s subscribers.

But what if your antivirus was intentionally turned into a tool that could spy on you? Would that be possible without modifying the program itself? According to security researcher Patrick Wardle, it is possible.

To prove this and using the "Antivirus Hacker's Handbook" (Joxean Koret) as base for an experiment, he tampered with the virus signatures for Kaspersky Lab’s Internet Security for macOS and modified one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he didn’t alter the security application’s main purpose.

Wardle conducted his experiment on a Kaspersky product for an obvious reason: last year, reports suggested that the Russian-based security company’s software had been used to steal classified documents from a National Security Agency (NSA) contractor’s computer. The contractor took home sensitive data, including NSA exploits, and was apparently targeted by hackers after a Kaspersky product on his home computer flagged the files as malicious and sent them to the company’s server for further analysis.

In December 2017, the NSA contractor, Vietnam-born Nghia Hoang Pho, agreed to plead guilty to removing and retaining top-secret documents from the agency. Last week, another NSA contractor agreed to plead guilty after being accused of hoarding around 50 terabytes of NSA data and documents in his home and car over a 20-year period.

In September 2017, the United States Department of Homeland Security (DHS) ordered government departments and agencies to stop using Kaspersky products due to concerns regarding the company’s ties to Russian intelligence. Last month, Lithuania said it would ban Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns.

The anti-virus maker has continually denied any connections to the Russian government and even launched a new transparency initiative to clear its name. In December, the company sued the U.S. government over the product ban.

So far, no evenidence has been presented that shows any inappropriate connections between Kaspersky Lab and the Russian government.

In a technical analysis published last year, Kaspersky suggested the report might be referring to a 2014 incident where its antivirus worked as intended by flagging what appeared to be suspected Equation malware source code on a personal computer. The company said it had deleted the files from its servers but couldn’t confirm the NSA contractor was involved in the incident.

What Wardle decided to do was to find out whether the Moscow-based security company’s products can indeed be used to flag and exfiltrate classified documents. He successfully managed to modify a signature for his security product, despite the complex process Kaspersky employs for updating and deploying virus signatures onto the users’ computers.

And while he made the modifications locally, his experiment demonstrated that it is indeed possible to abuse anti-virus programs to spy on users. By modifying their signatures, antivirus programs can become “the absolute perfect cyber-espionage collection” tools. And this isn’t true about Kaspersky’s products only.

“Of course if an anti-virus company wanted to (or was forced to) they'd simply deploy a new signature likely to select clients (targets), in order to persistently detect such documents […]. I am confident without a doubt that any anti-virus product with collection capabilities could arbitrarily collect (exfiltrate) files flagged by their product,” Wardle noted.

The file collection capability is, of course, designed to support legitimate functionality of the product. Thus, for an antivirus product to become a spying tool, it would have to have an actor with malicious intent behind it.

“A malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario; any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfilitrate any files of interest,” Wardle concluded.

The researcher’s findings aren’t surprising and Kaspersky themselves said last week that “any malicious actor who gains administrative access to a computer could theoretically engage in file searching activity on the computer or subvert almost any application running on it (which is the type of activity that Kaspersky Lab products are designed to detect and prevent).”

SecurityWeek contacted Kaspersky for comment, but they redirected us to last week’s statement, saying that that is their official position.

Security experts contacted by SecurityWeek for perspective agree that antivirus products could potentially be used for nefarious purposes, if a malicious actor was involved. While the general consensus is that users wouldn’t even know if their antivirus was spying on them, it doesn’t mean that antivirus companies engage in such practices. Only that it would be possible to use their products in such a manner.

“AV vendors must be very careful to ensure they are never compromised. Imagine if I could control all of the AV installations at an enterprise. It would be possible to make all of those machines participate in a botnet or use the AV system to load additional code, such as Ransomware. This is conceptually possible as the engine and signatures are designed to be changed via an update process. Compromise there would be a very interesting thing for sure,” Kent told us.

Chris Morales, head of security analytics at San Jose, California-based Vectra Networks, agrees that antivirus products could be manipulated to find and exfiltrate sensitive documents. He also agrees that this could be the act of a malicious or willing insider at any antivirus company.

“AV vendors, as do many security vendors who perform malware scanning on the network and endpoint, have administrative level access to systems to scan files for malicious code. This scanning engine could be manipulated to look for sensitive documents and then upload them to the cloud analysis engine. This would most likely be someone at the vendor with malicious intent,” Morales told SecurityWeek in an emailed comment.

“Security vendors who perform cloud based analysis have to walk a very thin line and it is important that these vendors implement the proper controls to ensure they do not create the security hole for customers. I would say most vendors do a very good job of ensuring their processes are secure and would not cause a problem for the client. This does mean there is a level of trust in security vendors that clients need to validate and should be asking for a description of how their detection processes work,” Morales continued.

Chris Roberts, chief security architect at Santa Clara, Calif.-based threat protection firm, told SecurityWeek that it is a known fact that “Kaspersky is not the only tool that’s built into enterprises to be used against themselves for the fortunes of malicious intent.” Over the past couple of years, several endpoint detection tools have been revealed to have issues identifying problems and to include management techniques that can be turned against enterprises.

“So, yes, Kaspersky software can be used against the intended targets, we have established that. The mechanism is there, however, the INTENT is the issue. The analysis into IS it being used against organizations is the factor that is obviously in dispute. Late last year, the UK took the step to warn all agencies against deploying Kaspersky. The US has already taken that step, but in all honesty, IF we were to look at the plethora of endpoint detection/manipulation/management tools out there, we’d better remove 50% of them for the same insecurities and inabilities to protect the very end-users we’re trying to save,” Roberts says.

He also points out that most security software out there requires access to everything stored on a computer, not only one single product. “The others all being carefully kept out of the news in the hope we don’t all suddenly wake up and realize that everything designed to keep us safe is also designed to access our darkest secrets… and scour them for whatever we hope it’s meant to be finding… or what it WANTS to find,” Roberts continued.

Of course, there’s no proof that an antivirus program has been used for malicious intent, although it is clear that they could be used in such a manner. As Wardle puts it: “Please avoid jumping to the conclusion that this [is] something Kaspersky, or any other anti-virus company actually did!”

Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services; and there is no public evidence to suggest otherwise. Unfortunately, for the Moscow-based security company, this is a restult of the effect of geopolitics on cybersecurity.

VirusTotal announced the availability of a visualization tool, dubbed VirusTotal Graph, designed to help with malware analysis.

10.1.2018 securityweek Virus
The VirusTotal Graph should allow investigators working with multiple reports at the same time, to try to pivot between multiple data points (files, URLs, domains and IP addresses). The observation of the connections across different samples of malware could allow investigators to collect more events from different cases.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.” states VirusTotal.

“It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.”

The tool VirusTotal Graph is based on VirusTotal’s data set and was designed to visualize them in a single graphical interface relationship between files, URLs, domains and IP addresses. The graph is navigable, making easier for malware researchers the investigation of malicious codes.


Analysts can build their own network by exploring and expanding each of the nodes in the graph.

The tool includes a search box, node summary section, node expansion section that allows correlation of the information from more entities, node action menu, detection dropdown, and a node list.

VirusTotal also allows users to save the graphs they generated, as well as to share their findings with other users. All saved graphs are public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon,” VirusTotal concludes.

The complete documentation is available at
Virus Total also published two videos that shows main features implemented in the tool.

Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website
8.1.2017 securityaffairs

Malware researchers at Talos group have discovered a strain of Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).
The experts discovered that the version of the ZeuS banking Trojan used in this attack is the that was leaked in 2011.

The attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine, but researchers from Talos disclosed details of the attack online now.

Experts found many similarities with the attack vector used in the NotPetya case, hackers. While in the NotPetya attack hackers compromised the supply chain of the software fir M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan threat actors relied on accounting software maker CFM’s website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers, in this way they were able to gather information about the number and the nature of the infected systems.

Attackers used spam emails with a ZIP archive containing a JavaScript file, which was used a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website, attackers used it also to distribute PSCrypt ransomware.

The analysis of the infection process revealed that once executed the malware would first perform a long list of anti-VM checks to determine whether it runs in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry to ensure execution at system startup.

Then the malware attempts to connect to several C&C servers and experts from Talos discovered that one of them was not registered at the time of the analysis … a gift for the researchers that used it to sinkhole the botnet.

Most of the infected systems were located in Ukraine, followed by the United States.

“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”


“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP address” states the analysis from Talos.

According to Talos hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.

ZeuS Variant Abuses Legitimate Developer’s Website
8.1.2018 securityweek
The official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM) was abused for the distribution of a variant of the ZeuS banking Trojan, Talos reports.

The vector is similar to that used in the NotPetya attack in the summer of 2017, when a malicious actor abused the update server of tax software company M.E.Doc to distribute the destructive wiper.

Unlike the NotPetya attack, however, the distribution the ZeuS variant didn’t leverage a compromised server. Instead, the attack relied on accounting software maker CFM's website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

The attack happened in August 2016, when information on the malware infection process were made public. Now, Talos has decided to share details on the scope of the attack and associated victims, including the geographic regions affected, based on information the company gathered after it managed to sinkhole command and control (C&C) domains.

The spam emails used in this attack contained a ZIP archive with a JavaScript file inside, which acted as a downloader. One of the domains used to host the malware payload was associated with CFM's website, which has been also observed distributing PSCrypt ransomware, the researchers say.

The malware used in this attack reused code from the version of the ZeuS banking Trojan, which was leaked in 2011 and already spawned numerous other threats.

The malware would first check whether it runs in a virtualized sandbox environment and would enter an infinite sleep function if virtualization was detected. If not, it would then move to achieve persistence by creating a registry entry to ensure execution at system startup.

After infection, the malware attempts to connect to different C&C servers, one of which hadn’t been registered when Talos first started investigating the attack. The researchers then registered the domain, which provided them with insight into the malware’s C&C communications.

Talos discovered that most of the systems beaconing to the sinkhole server were located in Ukraine, with the United States emerging as the second most affected country. They also found out that PJSC Ukrtelecom, a company governed by the Ministry of Transportation and Communications in Ukraine, was the most affected ISP.

A total of 11,925,626 beacons from 3,165 unique IP addresses were logged by the sinkhole server, the researchers reveal.

“Attackers are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers as a means of obtaining a foothold within the environments they are targeting. As organizations deploy more effective security controls to protect their network environments attackers are continuing to refine their methodologies,” Talos concluded.

Google Apps Script Allowed Hackers to Automate Malware Downloads
5.1.2018 securityweek
Researchers at Proofpoint discovered recently that Google Apps Script could have been abused by malicious hackers to automatically download malware hosted on Google Drive to targeted devices.

Google Apps Script is a JavaScript-based scripting language that allows developers to build web applications and automate tasks. Experts noticed that the service could have been leveraged to deliver malware by using simple triggers, such as onOpen or onEdit.

In an attack scenario described by Proofpoint, attackers uploaded a piece of malware to Google Drive and created a public link to it. They then used Google Docs to send the link to the targeted users. Once victims attempted to edit the Google Docs file, the Apps Script triggers would cause the malware to be automatically downloaded to their devices. Researchers said attackers could have used social engineering to convince the target to execute the malware.

Google has implemented new restrictions for simple triggers in an effort to block malware and phishing attacks triggered by opening a document.

While there is no evidence that this method has been exploited in the wild, malicious actors abusing Google Apps Script is not unheard of. A cybercrime group using the infamous Carbanak malware at one point leveraged the service for command and control (C&C) communications.

“SaaS platforms remain a ‘Wild West’ for threat actors and defenders alike. New tools like Google Apps Script are rapidly adding functionality while threat actors look for novel ways of abusing these platforms. At the same time, few tools exist that can detect threats generated by or distributed via legitimate software-as-a-service (SaaS) platforms,” explained Maor Bin, security research lead of Threat Systems Products at Proofpoint.

“This creates considerable opportunities for threat actors who can leverage newfound vulnerabilities or use ‘good for bad’: making use of legitimate features for malicious purposes,” he added.

A few months ago, Google announced the introduction of new warnings for potentially risky web apps and Apps Scripts.

LockPoS Adopts New Injection Technique
4.1.2018 securityweek
The LockPoS Point-of-Sale (PoS) malware has been leveraging a new code injection technique to compromise systems, Cyberbit researchers say.

First detailed in July this year, LockPoS steals credit card data from the memory of computers attached to PoS credit card scanners. The malware was designed to read the memory of running processes and collect credit card data that is then sent to its command and control (C&C) server.

Previous analysis revealed that the threat used a dropper that injects it directly into the explorer.exe process. After execution, the dropper extracts a resource file from itself and injects various components that load the final LockPoS payload.

The malware is now employing an injection method that appears to be a new variant of a technique previously employed by the Flokibot PoS malware. With LockPoS distributed from the Flokibot botnet, and with the two threats sharing similarities, this doesn’t come as a surprise.

One of the injection techniques employed by LockPoS involves creating a section object in the kernel, calling a function to map a view of that section into another process, then copying code into the section and creating a remote thread to execute the mapped code, Cyberbit says.

LockPoS was observed using 3 main routines to inject code into a remote process, namely NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx, all three exported from ntdll.dll, a core Dynamic-link library (DLL) file in the Windows operating system.

Instead of calling said routines, the malware maps ntdll.dll from the disk to its own virtual address space, which allows it to maintain a “clean” copy of the DLL file. LockPoS also allocates a buffer for saving the system calls number, copies malicious code to the shared mapped section, then creates a remote thread in explorer.exe to execute its malicious code.

By using this “silent” malware injection method, the malware can avoid any hooks that anti-malware software might have installed on ntdll.dll, thus increasing the chances of a successful attack.

“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult,” Hod Gavriel, malware analyst at Cyberbit, explains.

While most endpoint detection and response (EDR) and next-gen antivirus products already monitor the Windows functions in user mode, kernel functions can’t be monitored in Windows 10, where the kernel space is still guarded. To ensure successful detection, improved memory analysis should be employed, the researcher says.

Travle aka PYLOT backdoor hits Russian-speaking targets
22.12.2017 Kaspersky
At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware. So, with this intelligence ready we are sharing our findings in this blog to supplement Palo Alto’s research with additional details.

Technical Details
7643335D06BAEC5A14C95A393592EA3F 164352 11.0 2016-10-14 06:21:07
The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.

First of all, we detected numerous malicious documents being used in spear-phishing attacks with file names suggesting Russian-speaking targets with executables maintained in encrypted form:

This encryption method has been well known for a long time – it was first used in exploit documents to conceal Enfal, then we discovered this backdoor – Travle. Later documents with such encryption started maintaining another one APT family – Microcin. Travle C2 domains often overlap with those of Enfal. In regard to NetTraveler, at some point Enfal samples started using the same encryption method for maintaining the C2 URL as was used in NetTraveler:

Enfal sample with NetTraveler-like C2 string encryption

So, clearly these backdoors – Enfal, NetTraveler, Travle and Microcin – are all related to each other and are believed to have Chinese-speaking origins. And after finding the string “Travel path failed!” we believe that the Travle backdoor could be intended as a successor to the NetTraveler malware.

The malware starts by initializing the following variables:

%TEMP%\KB287640\ – local malware drop-zone
%TEMP%\KB887209\ – plugins storage
<malware install path>\~KB178495.DAT – configuration file path

Surprisingly, these paths remain the same in all samples of this family. If no configuration file is found, Travle reads the default settings from its resource “RAW_DATA“. Settings are maintained in an encrypted form. Here is the code for decryption:

for (i = size – 1; i > 1; –i)
buf[i] ^= buf[i – 2]

The storage format for the configuration block is as follows:

Offset Size Value
0 0x81 C2 domain
0x102 0x81 C2 URL path
0x204 2 C2 port (not used)
0x206 0xB not used
0x21C 0xB Sample ID
0x232 0x401 Bot’s first RC4 key
0xA34 0x401 Bot’s second RC4 key
0x1238 2 not used
The described sample maintains the following configuration data:

Field Value
C2 domain remember123321.com
C2 URL path /zzw/ash.py
Sample ID MjdfS0584
1st RC4 key mffAFe4bgaadbAzpoYRf
2nd RC4 key mffAFe4bgaadbAzpoYRf
The Travle backdoor starts its communication with the C2 by sending gathered information about the target operating system in an HTTP POST request to a URL built using the C2 domain and the path specified in the settings. The information sent includes the following data:

UserID – based on the computer name and IP-address
Computer name
Keyboard layout
OS version
Once the C2 receives the first packet, it responds with a block of data containing the following information:

URL path for receiving commands
URL path for reporting on command execution results
URL path for downloading files from C2
URL path for uploading files to C2
C2 second RC4 key
C2 first RC4 key
After this packet has been received, Travle waits for additional commands from the server.

Communication encryption
The ciphering algorithm depends on the type of transmitted object. There are three possible variants:

Data is ciphered with Base64
The resulting string is appended to the header with a size of 0x58 bytes
The resulting buffer is ciphered by RC4 with the C2 first RC4 key
The resulting buffer is ciphered with Base64
List of strings
Each line is ciphered by RC4 with the C2 second RC4 key
The resulting buffer is ciphered with Base64
All the previously Base64-ciphered strings are merged in one delimited with \r\n”
The resulting string is appended to the header with a size of 0x54 bytes
The resulting buffer is ciphered by RC4 with the C2 first RC4 key
The resulting buffer is ciphered with Base64
Compressed with LZO
The resulting archive is ciphered with the C2 second RC4 key
Messages format
The header for the transmitted data is as follows:

Offset (bytes) Size (bytes) Description
0 0x14 Random set of bytes
0x14 4 Data type / Command ordinal
0x18 4 NULL / Command ID
0x1C 4 Size of data
0x20 0x14 Sample ID
0x34 0x24 User ID
0x58 Size of data Data
The file is transferred to the C2 in a POST request as a multipart content type with boundary “kdncia987231875123nnm“. All samples of Travle we have discovered use this value.

Message types – from bot to C2
The command ID is specified at offset 0x18 in the header.

Technical messages are as follows:

ID Description Data content
1 Information about OS Information about OS
2 Request for the first command NULL
3 Request for the list of commands NULL
4 Command is successfully executed Information about command execution or the name of transmitted file
5 Command execution failed Information about an error
Operational messages are as follows:

ID Description Data content
1 Bot sends the list of files in the requested directory The list of files
11 Bot sends the content of the requested file The content of the file
Message types – from C2 to bot
In case of bot sending POST request C2 responses with data of following format:

ID Description Data content
0 Information about C2 The list of C2 parameters
1 Commands The list of commands
Bot also may send GET request for retrieving a specific file from the server. In this case, C2 responses with the requested file.

General communication between bot and C2
Interaction with C2 includes two stages:

1st (automatic – carried out with no operator actions). It consists of:

Sending information about the OS
Receiving information about C2
Sending a request for the first command
Receiving the command with ordinal 1 and first argument “*”
Sending the request for the next command
2nd (carried out by operators). It consists of:

Sending commands to the bot
Sending files to the bot
Sending results of the executed commands to the C2
Commands – general bot functionality
Ordinal Arguments Action
Scan File System
1 Path In case of “Path” is not “*”, the bot collects the list of files and folders in the specified directory with creation date between specified values and files with an “Encrypted” attribute.
If the “Path” is “*”, the search for files and folders is done in complete file system.
In any case, the search is recursive.
Minimum date
Maximum date
Run Process
2 Path to the batch or executable file The bot executes specified batch file or application with passed arguments.
Command line arguments
File Presence Test
4 File name The bot examines if specified file exists.
Delete File
3 File name File deletion.
Rename File
5 Old file name File renaming.
New file name
Move File
6 Old path File moving.
New path
Create New Config
7 Content of the new configuration The bot creates the file with new configuration.
Process File With Batch
48 Batch script The bot sends GET request to the C2 for downloading a file specified in one command argument. Batch script received in another command argument is saved in the file and executed with a parameter – file name of the downloaded file.
File path
Run Batch
49 Batch script The bot receives a BAT-file and executes it.
Download File
16 File path The bot sends a GET request for downloading a file. The file is saved with the specified name and location.
Upload File
17 File path The bot sends the content of a requested file in a POST message.
Download And Run Plugin
32 Plugin name The bot sends a GET request for downloading Plugin (DLL). Plugin is saved in the file system and launched with the use of the LoadLibrary API function.
Plugin argument
Unload Plugin
33 Plugin name The bot unloads a plugin library from memory.
Delete Plugin
34 Plugin name The bot unloads a plugin from memory and deletes the plugin file.
Load And Run Plugin
35 Plugin name The bot loads a plugin in memory with a specified parameter.
Plugin argument
Unfortunately, we have been unable to receive plugins from any C2 found in examined Travle samples, but after analyzing the code of Travle we can briefly describe how they are handled.

Plugins are handled with the use of commands 32-35. From all the analyzed Travle samples, we found out that not every Travle sample is able to work with plugins.

Each plugin DLL is saved in a file and loaded with the use of the LoadLibrary API function. The DLL should export three functions: GetPluginInfo, Starting and FreeMemory. These functions are invoked one-by-one at the plugin DLL loading stage. When Travle has to unload the plugin DLL it calls the FreeLibrary API function.

In all analyzed Travle samples, plugins are saved in the same location: %TEMP%\KB887209\.

The actor or actors responsible for the Travle attack has been active during the last few years, apparently not worried about being tracked by AV companies. Usually, modifications and new additions to their arsenal are discovered and detected quite quickly. Still, the fact that they didn´t really need to change their TTPs during all these years seems to suggest that they don´t need to increase their sophistication level in order to fulfill their goals. What’s worse, according to subjects of decoy documents these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go to implement IT-sec best practices which efficiently resist targeted attacks.

We detect Travle samples with the following verdicts: